TW-CA-2004-046-[FreeBSD-SA-04:03.jail: Jailed processes can attach to other jails]
- --------------------------------------------------------------------------------
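TWCERT release date: 2004-03-02
Original vulnerability release date: 2004-02-25
Original vulnerability last updated: --
Common vulnerability ID:
Category: Info Leak,
Source reference: FreeBSD-SA-04:03.jail
- ------ Summary -------------------------------------------------------------------
System administrators use the jail(2) system call to lock a process and its
descendants inside a closed environment, limiting their effect on the main system
even for processes with superuser privileges. It is an extension of the traditional
UNIX chroot(2) system call.
The jail_attach(2) system call was introduced in FreeBSD 5 before 5.1-RELEASE and
lets a non-jailed process permanently move into an existing jail.
- ------ Description -------------------------------------------------------------------
A programming error in the jail_attach(2) system call affects how it verifies the
privilege of the calling process. When the calling process is already jailed,
jail_attach(2) does not fail immediately; it fails only after the calling process's
root directory has been changed.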
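The ordering flaw described above, as an added example that is not part of the advisory and is not FreeBSD kernel source: a simplified user-space C model in which attach_flawed changes the caller's root before validating the caller, and attach_checked validates first. All struct, function and path names are hypothetical, and the privilege test (uid 0 and not jailed) is an assumption of the model.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Simplified model only: names and fields are illustrative, not kernel code. */
struct jail_model { const char *root; };
struct proc_model { int jailed; int uid; const char *root; };

typedef int (*attach_fn)(struct proc_model *, const struct jail_model *);

/* Flawed ordering: the state change happens first, validation last. */
static int attach_flawed(struct proc_model *p, const struct jail_model *j)
{
    p->root = j->root;                  /* side effect before any check */
    if (p->jailed || p->uid != 0)
        return EPERM;                   /* error returned, root already moved */
    p->jailed = 1;
    return 0;
}

/* Corrected ordering: reject jailed or unprivileged callers before any change. */
static int attach_checked(struct proc_model *p, const struct jail_model *j)
{
    if (p->jailed || p->uid != 0)
        return EPERM;
    p->root = j->root;
    p->jailed = 1;
    return 0;
}

/* Returns 1 if a call that failed still left the caller's root changed. */
static int leaks_state_on_failure(attach_fn attach)
{
    struct jail_model target = { "/jails/b" };        /* constructed sample */
    struct proc_model caller = { 1, 0, "/jails/a" };  /* root user inside jail a */
    int err = attach(&caller, &target);
    return err != 0 && strcmp(caller.root, "/jails/a") != 0;
}

int main(void)
{
    printf("flawed leaves root changed:  %d\n", leaks_state_on_failure(attach_flawed));
    printf("checked leaves root changed: %d\n", leaks_state_on_failure(attach_checked));
    return 0;
}
```

Both functions return EPERM for the jailed caller; only the checked ordering leaves the caller's root where it was, which is why the error code alone does not show whether a system is affected.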
- ------ Affected platforms ---------------------------------------------------------------
Affected versions: FreeBSD 5.1-RELEASE
                   FreeBSD 5.2-RELEASE
Corrected versions: 2004-02-19 23:26:39 UTC (RELENG_5_2, 5.2.1-RC2)
                    2004-02-25 20:03:35 UTC (RELENG_5_1, 5.1-RELEASE-p14)
CVE Name: CAN-2004-0126
FreeBSD only: YES
- ------ Solution ---------------------------------------------------------------
Do one of the following:
1) Upgrade the affected system to 5.2.1-RELEASE, or to the RELENG_5_2 or
RELENG_5_1 security branch dated after the correction date.
2) Patch the present system:
The following patch has been verified to apply to FreeBSD 5.1 and 5.2 systems.
a) Download the relevant patch from the location below and verify it with a PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch.asc
b) Apply the patch to the source tree.
# cd /usr/src
# patch < /path/to/patch
c) Recompile the kernel as described in http://www.freebsd.org/handbook/kernelconfig.html
and reboot.
- ------ Impact ---------------------------------------------------------------
A process with superuser privileges inside a jail can change its own root directory
to that of another jail and so access files and directories in the target jail.
- ------ Contact TWCERT/CC --------------------------------------------------------
Tel: 886-7-5250211 FAX: 886-7-5250212
886-2-23563303 886-2-23924082
Email: twcert@cert.org.tw
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm
- -------------------------------------------------------------------------------
Attachment: [Jailed processes can attach to other jails]
- ------ Original text -------------------------------------------------------------------
=============================================================================
FreeBSD-SA-04:03.jail Security Advisory
The FreeBSD Project
Topic: Jailed processes can attach to other jails
Category: core
Module: kernel
Announced: 2004-02-25
Credits: JAS Group (http://www.cs.mu.oz.au/jas/)
Affects:   FreeBSD 5.1-RELEASE
           FreeBSD 5.2-RELEASE
Corrected: 2004-02-19 23:26:39 UTC (RELENG_5_2, 5.2.1-RC2)
           2004-02-25 20:03:35 UTC (RELENG_5_1, 5.1-RELEASE-p14)
CVE Name: CAN-2004-0126
FreeBSD only: YES
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
The jail(2) system call allows a system administrator to lock up a
process and all its descendants inside a closed environment with very
limited ability to affect the system outside that environment, even
for processes with superuser privileges. It is an extension of, but
far more stringent than, the traditional Unix chroot(2) system call.
The jail_attach(2) system call, which was introduced in FreeBSD 5
before 5.1-RELEASE, allows a non-jailed process to permanently move
into an existing jail.
II. Problem Description
A programming error has been found in the jail_attach(2) system call
which affects the way that system call verifies the privilege
level of the calling process. Instead of failing immediately if the
calling process was already jailed, the jail_attach(2) system call
would fail only after changing the calling process's root directory.
III. Impact
A process with superuser privileges inside a jail could change its
root directory to that of a different jail, and thus gain full read
and write access to files and directories within the target jail.
IV. Workaround
No workaround is available.
V. Solution
Do one of the following:
1) Upgrade your vulnerable system to 5.2.1-RELEASE, or to the
RELENG_5_2 or RELENG_5_1 security branch dated after the correction
date.
OR
2) Patch your present system:
The following patch has been verified to apply to FreeBSD 5.1 and 5.2
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:03/jail.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- - -------------------------------------------------------------------------
RELENG_5_2
  src/sys/kern/kern_jail.c                                       1.34.2.1
RELENG_5_1
  src/UPDATING                                                 1.251.2.16
  src/sys/conf/newvers.sh                                       1.50.2.16
  src/sys/kern/kern_jail.c                                       1.33.2.1
- - -------------------------------------------------------------------------
VII. References
--
Taiwan Computer Emergency Response Team Security Advisory mailing list.
Mail to : Majordomo@cert.org.tw and include a line "subscribe advisory".
Please visit http://www.cert.org.tw/.
PGP key : http://www.cert.org.tw/eng/pgp.htm
--
※ Origin: Yuan Ze University, 風之塔 (Tower of Wind) <bbs.yzu.edu.tw>
※ From : u148-154.u203-204.giga.net.tw