SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD Kernel jail(2) Call Lets Local Users Gain Elevated Privileges in Certain Cases
SecurityTracker Alert ID:  1017505
SecurityTracker URL:  http://securitytracker.com/id/1017505
CVE Reference:   CVE-2007-0166   (Links to External Site)
Updated:  Aug 2 2007
Original Entry Date:  Jan 11 2007
Impact:   User access via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.3 - 6.2
Description:   A vulnerability was reported in FreeBSD Kernel in the jail(2) system call. A local user can obtain elevated privileges on the target system in certain cases.

The jail rc.d(8) script does not properly validate paths to check for symbolic links before using the path when writing output from the jail start-up to '/var/log/console.log' and when mounting and unmounting file systems within the jail directory structure.

A local root-level user within the jail can create a symbolic link from a file on the system (outside of the jail) to '/var/log/console.log' inside the jail to overwrite files on the target system located outside of the jail. This allows the user to execute arbitrary commands with non-jailed superuser privileges.

A local root-level user can also mount or unmount file systems intended to be mounted within the jail at arbitrary points outside of the jail.

This can be exploited when the jail rc.d(8) script is used to start and stop jails.

Dirk Engling reported this vulnerability.

Impact:   A local root-level user can access files located outside of the jail and execute arbitrary commands on the target system.
Solution:   FreeBSD has issued a fix and has provided the following solution instructions [quoted]:

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_1, RELENG_6_0, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.0,
and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch.asc

[FreeBSD 6.0]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch.asc

[FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch.asc

NOTE: The patch distributed at the time of the original advisory was
incorrect for FreeBSD 5.5 (both RELENG_5 and RELENG_5_5). Systems to
which the original patch was applied should be patched with the
following corrective patch, which contains only the changes between
the original and updated patch:

# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 555 etc/rc.d/jail /etc/rc.d

The FreeBSD advisory is available at:

http://security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc

Vendor URL:  security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc (Links to External Site)
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 11 Jan 2007 18:41:33 +0000 (GMT)
Subject:  FreeBSD Security Advisory FreeBSD-SA-07:01.jail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:01.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jail rc.d script privilege escalation

Category:       core
Module:         etc_rc.d
Announced:      2007-01-11
Credits:        Dirk Engling
Affects:        All FreeBSD releases since 5.3
Corrected:      2007-01-11 18:16:58 UTC (RELENG_6, 6.2-STABLE)
                2007-01-11 18:17:24 UTC (RELENG_6_2, 6.2-RELEASE)
                2007-01-11 18:18:08 UTC (RELENG_6_1, 6.1-RELEASE-p12)
                2007-01-11 18:18:35 UTC (RELENG_6_0, 6.0-RELEASE-p17)
                2007-01-11 18:18:57 UTC (RELENG_5, 5.5-STABLE)
                2007-01-11 18:19:33 UTC (RELENG_5_5, 5.5-RELEASE-p10)
CVE Name:       CVE-2007-0166

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.

II.  Problem Description

In multiple situations the host's jail rc.d(8) script does not check if
a path inside the jail file system structure is a symbolic link before
using the path.  In particular this is the case when writing the
output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.

III. Impact

Due to the lack of handling of potential symbolic links the host's jail
rc.d(8) script is vulnerable to "symlink attacks".  By replacing
/var/log/console.log inside the jail with a symbolic link it is
possible for the superuser (root) inside the jail to overwrite files
on the host system outside the jail with arbitrary content.  This in
turn can be used to execute arbitrary commands with non-jailed
superuser privileges.

Similarly, by changing directory mount points inside the jail file
system structure into symbolic links, it may be possible for a jailed
attacker to mount file systems which were meant to be mounted inside
the jail at arbitrary points in the host file system structure, or to
unmount arbitrary file systems on the host system.

NOTE WELL: The above vulnerabilities occur only when a jail is being
started or stopped using the host's jail rc.d(8) script; once started
(and until stopped), running jails cannot exploit this.

IV.  Workaround

If the sysctl(8) variable security.jail.chflags_allowed is set to 0
(the default), setting the "sunlnk" system flag on /var, /var/log,
/var/log/console.log, and all file system mount points and their
parent directories inside the jail(s) will ensure that the console
log file and mount points are not replaced by symbolic links.  If
this is done while jails are running, the administrator must check
that an attacker has not replaced any directories with symlinks
after setting the "sunlnk" flag.

V.   Solution

NOTE WELL: The solution described changes the default location of the
"console.log" for jails from /var/log/console.log inside each jail to
/var/log/jail_${jail_name}_console.log on host system.  If this is a
problem, it may be possible to create a hard link from the new position
of the console log file to a location inside the jail.  A new rc.conf(5)
variable, jail_${jail_name}_consolelog, can be used to change the
location of console.log files on a per-jail basis.

In addition, the solution described below does not fully secure jail
configurations where two jails have overlapping directory trees and a
file system is mounted inside the overlap.  Overlapping directory
trees can occur when jails share the same root directory; when a jail
has a root directory which is a subdirectory of another jail's root
directory; or when a part of the file system space of one jail is
mounted inside the file system space of another jail, e.g., using
nullfs or unionfs.

To handle overlapping jails safely the administrator must set the
sysctl(8) variable security.jail.chflags_allowed to 0 (the default)
and manually set the "sunlnk" file/directory flag on all mount points
and all parent directories of mount points.  If this is done while
jails are running, the adminstrator must check that an attacker has
not replaced any directories with symlinks after setting the "sunlnk"
flag.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_1, RELENG_6_0, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.0,
and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch.asc

[FreeBSD 6.0]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch.asc

[FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 555 etc/rc.d/jail /etc/rc.d

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/etc/rc.d/jail                                              1.15.2.6
RELENG_5_5
  src/UPDATING                                            1.342.2.35.2.10
  src/sys/conf/newvers.sh                                  1.62.2.21.2.12
  src/etc/rc.d/jail                                          1.15.2.5.2.1
RELENG_6
  src/etc/rc.d/jail                                              1.23.2.9
RELENG_6_2
  src/UPDATING                                             1.416.2.29.2.2
  src/etc/rc.d/jail                                          1.23.2.7.2.1
RELENG_6_1
  src/UPDATING                                            1.416.2.22.2.14
  src/sys/conf/newvers.sh                                  1.69.2.11.2.14
  src/etc/rc.d/jail                                          1.23.2.3.2.3
RELENG_6_0
  src/UPDATING                                             1.416.2.3.2.22
  src/sys/conf/newvers.sh                                   1.69.2.8.2.18
  src/etc/rc.d/jail                                          1.23.2.2.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0166

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (FreeBSD)

iD8DBQFFpoQEFdaIBMps37IRAqtSAJoDNEO9woA7ZF1hbCuhbjFzhnXSfgCgjRH/
bapC5/eS7eAipiguG2DFdls=
=a8el
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC