lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 11 May 2005 11:17:13 -0700
From: please_reply_to_security@....com
To: security-announce@...t.sco.com, bugtraq@...urityfocus.com,
	full-disclosure@...ts.grok.org.uk
Subject: OpenServer 5.0.6 OpenServer 5.0.7 : chroot A
	known exploit can break a chroot prison.



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

			SCO Security Advisory

Subject:		OpenServer 5.0.6  OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.
Advisory number: 	SCOSA-2005.22
Issue date: 		May 11 2005
Cross reference:	sr887583 fz528523 erg712505 CAN-2004-1124
______________________________________________________________________________


1. Problem Description

	chroot() is a system call that is often used to provide an
	additional layer of security when untrusted programs are
	run. The call to chroot() is normally used to ensure that
	code run after it can only access files at or below a given
	directory. 

	Originally, chroot() was used to test systems software in 
	a safe environment. It is now generally used to lock users 
	into an area of the file system so that they can not look 
	at or affect the important parts of the system they are on. 
	
	Several programs use chroot jails to ensure that even if 
	you break into the process's address space, you can't do 
	anything harmful to the whole system. If chroot() can be 
	broken then this precaution is broken. 

	A known exploit can break a chroot prison.

	The Common Vulnerabilities and Exposures project 
	(cve.mitre.org) has assigned the name CAN-2004-1124 to t
	his issue.

	A new variable chroot_security has been added to 
	/etc/conf/pack.d/kernel/space.c, which if set should 
	prevent escape from chroot prison.  The default value for 
	chroot_security is '1' to disable it set it to '0'.

	chroot() is a good way to increase the security of the
	software provided that secure programming guidelines are 
	utilized and chroot() system call limitations are taken 
	into account.  Chrooting will prevent an attacker from 
	reading files outside the chroot jail and will prevent 
	many local UNIX attacks (such as SUID abuse and /tmp 
	race conditions).

	The number of ways that root user can break out of chroot 
	is huge.  If there is no root user defined within the 
	chroot environment, no SUID binaries, no devices, and 
	the daemon itself dropped root privileges right after 
	calling chroot() call breaking out of chroot appears to 
	be impossible.

2. Vulnerable Supported Versions

	System				Binaries
	----------------------------------------------------------------------
        OpenServer 5.0.6		/var/etc/conf/pack.d/kernel/sys4.o
        OpenServer 5.0.7		/var/etc/conf/pack.d/kernel/sys4.o

3. Solution

	The proper solution is to install the latest packages.

4. OpenServer 5.0.6 / OpenServer 5.0.7

	4.1 Location of Fixed Binaries

	ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.22

	4.2 Verification

	MD5 (VOL.000.000) = 2446d28490219ddc4bab7e85ccd57723  

	md5 is available for download from
		ftp://ftp.sco.com/pub/security/tools

	4.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

        2) Run the custom command, specify an install from media
        images, and specify the directory as the location of the
        images.


5. References

	Specific references for this advisory:
		http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124 
		http://www.packetfactory.net/projects/libexploit/ 
		http://www.bpfh.net/simes/computing/chroot-break.html
		http://www.linuxsecurity.com/content/view/117632/49/

	SCO security resources:
		http://www.sco.com/support/security/index.html

	SCO security advisories via email
		http://www.sco.com/support/forums/security.html

	This security fix closes SCO incidents sr887583 fz528523
	erg712505.


6. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO
	products.


7. Acknowledgments

	SCO would like to thank Simon Roses Femerling

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFCgjAcaqoBO7ipriERAoY5AJ42/dWsKWiavEOzIpR3vJF1U056bgCfRxOs
2EejxusY98xH4roOEG63mMM=
=UIvo
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


Powered by blists - more mailing lists