SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com






Category:   OS (UNIX)  >   FreeBSD Kernel Vendors:   FreeBSD
FreeBSD jail() Lets Local Users Access Restricted Files
SecurityTracker Alert ID:  1024038
SecurityTracker URL:  http://securitytracker.com/id/1024038
CVE Reference:   CVE-2010-2022   (Links to External Site)
Date:  May 27 2010
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.0
Description:   A vulnerability was reported in the FreeBSD jail(8) function call. A local user can access certain restricted files on the target system.

The jail(8) utility does not change the current working directory while imprisoning a process. A local user within a jail can access the current working directory of the process that made the jail() call.

Aaron D. Gifford reported this vulnerability.

Impact:   A local user can obtain files that are ostensibly restricted by the jail() call.
Solution:   The vendor has issued a fix and provided the following solution instructions [quoted]:

Perform one of the following:

1) Upgrade your vulnerable system to 8-STABLE, or to the RELENG_8_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch
# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/jail
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 8.0-RELEASE on the i386 or amd64 platforms can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

The vendor's advisory is available at:

http://security.FreeBSD.org/advisories/FreeBSD-SA-10:04.jail.asc

Vendor URL:  security.FreeBSD.org/advisories/FreeBSD-SA-10:04.jail.asc (Links to External Site)
Cause:   Access control error
Underlying OS:  

Message History:   None.


 Source Message Contents

Date:  Thu, 27 May 2010 03:25:04 GMT
Subject:  FreeBSD Security Advisory FreeBSD-SA-10:04.jail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:04.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient environment sanitization in jail(8)

Category:       core
Module:         jail
Announced:      2010-05-27
Credits:        Aaron D. Gifford
Affects:        FreeBSD 8.0
Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
CVE Name:       CVE-2010-2022

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

By design, neither the chroot(2) nor the jail(2) system call modify
existing open file descriptors of the calling process, in order to
allow programmers to make fine grained access control and privilege
separation.

The jail(8) utility creates a new jail or modifies an existing jail,
optionally imprisoning the current process (and future descendants)
inside it.

II.  Problem Description

The jail(8) utility does not change the current working directory while
imprisoning.  The current working directory can be accessed by its
descendants.

III. Impact

Access to arbitrary files may be possible if an attacker managed to obtain
the descriptor of the current working directory before the jail call.
Such descriptor would be inherited by all descendants of the first process
that starts the jail, unless an intermediate process changes the current
working directory inside the jail.

By default, the FreeBSD /etc/rc.d/jail script, which can be enabled
using the jail_* rc.conf(5) variables, is not affected by this issue.
This is due to the default jail flags ("-l -U root") used to start a
jail as these flags will result in jail(8) performing a chdir(2) call.
If the rc.conf(5) variables jail_flags or jail_<jname>_flags has been
set, and do not include '-l -U root', the jails are affected by the
vulnerability.

IV.  Workaround

Include the "-l -U root" arguments to the jail(8) command when
starting the jail.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 8-STABLE, or to the RELENG_8_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch
# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/jail
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 8.0-RELEASE on the i386 or amd64 platforms can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_8
  src/usr.sbin/jail/jail.c                                       1.33.2.2
RELENG_8_0
  src/UPDATING                                              1.632.2.7.2.6
  src/sys/conf/newvers.sh                                    1.83.2.6.2.6
  src/usr.sbin/jail/jail.c                                   1.33.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r208586
releng/8.0/                                                       r208586
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2022

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:04.jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkv95RAACgkQFdaIBMps37ImPgCfRS7pcslVSb89JluACMlg8ZBa
PmAAn0jq693qHOXK+Z2ljpQdc+EpTTja
=9o7h
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"
 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

Copyright 2014, SecurityGlobal.net LLC