Discussion:
OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.
p***@sco.com
2005-05-11 18:17:13 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


______________________________________________________________________________

SCO Security Advisory

Subject: OpenServer 5.0.6 OpenServer 5.0.7 : chroot A known exploit can break a chroot prison.
Advisory number: SCOSA-2005.22
Issue date: May 11 2005
Cross reference: sr887583 fz528523 erg712505 CAN-2004-1124
______________________________________________________________________________


1. Problem Description

chroot() is a system call that is often used to provide an
additional layer of security when untrusted programs are
run. The call to chroot() is normally used to ensure that
code run after it can only access files at or below a given
directory.

Originally, chroot() was used to test systems software in
a safe environment. It is now generally used to lock users
into an area of the file system so that they can not look
at or affect the important parts of the system they are on.

Several programs use chroot jails to ensure that even if
you break into the process's address space, you can't do
anything harmful to the whole system. If chroot() can be
broken then this precaution is broken.

A known exploit can break a chroot prison.

The Common Vulnerabilities and Exposures project
(cve.mitre.org) has assigned the name CAN-2004-1124 to
this issue.

A new variable chroot_security has been added to
/etc/conf/pack.d/kernel/space.c, which, if set, should
prevent escape from a chroot prison. The default value for
chroot_security is '1'; to disable it, set it to '0'.

chroot() is a good way to increase the security of the
software provided that secure programming guidelines are
utilized and chroot() system call limitations are taken
into account. Chrooting will prevent an attacker from
reading files outside the chroot jail and will prevent
many local UNIX attacks (such as SUID abuse and /tmp
race conditions).

The number of ways that the root user can break out of chroot
is huge. If there is no root user defined within the
chroot environment, no SUID binaries, no devices, and
the daemon itself dropped root privileges right after
calling chroot(), breaking out of chroot appears to
be impossible.

2. Vulnerable Supported Versions

System Binaries
----------------------------------------------------------------------
OpenServer 5.0.6 /var/etc/conf/pack.d/kernel/sys4.o
OpenServer 5.0.7 /var/etc/conf/pack.d/kernel/sys4.o

3. Solution

The proper solution is to install the latest packages.

4. OpenServer 5.0.6 / OpenServer 5.0.7

4.1 Location of Fixed Binaries

ftp://ftp.sco.com/pub/updates/OpenServer/SCOSA-2005.22

4.2 Verification

MD5 (VOL.000.000) = 2446d28490219ddc4bab7e85ccd57723

md5 is available for download from
ftp://ftp.sco.com/pub/security/tools

4.3 Installing Fixed Binaries

Upgrade the affected binaries with the following sequence:

1) Download the VOL* files to a directory

2) Run the custom command, specify an install from media
images, and specify the directory as the location of the
images.


5. References

Specific references for this advisory:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1124
http://www.packetfactory.net/projects/libexploit/
http://www.bpfh.net/simes/computing/chroot-break.html
http://www.linuxsecurity.com/content/view/117632/49/

SCO security resources:
http://www.sco.com/support/security/index.html

SCO security advisories via email
http://www.sco.com/support/forums/security.html

This security fix closes SCO incidents sr887583 fz528523
erg712505.


6. Disclaimer

SCO is not responsible for the misuse of any of the information
we provide on this website and/or through our security
advisories. Our advisories are a service to our customers
intended to promote secure installation and use of SCO
products.


7. Acknowledgments

SCO would like to thank Simon Roses Femerling

______________________________________________________________________________

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (SCO/SYSV)

iD8DBQFCgjAcaqoBO7ipriERAoY5AJ42/dWsKWiavEOzIpR3vJF1U056bgCfRxOs
2EejxusY98xH4roOEG63mMM=
=UIvo
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
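The privilege-drop sequence the advisory's last paragraph describes (chroot, then give up root immediately, inside a jail that contains no root user, SUID binaries or devices), as an added example in C that is not part of SCO's advisory or product. The function name enter_jail, its result codes and the command-line usage are this example's own inventions, and it targets a generic POSIX/Linux system rather than OpenServer; it does not touch the SCO chroot_security kernel variable, only the userland half that the advisory says is needed regardless of the kernel fix.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of enter_jail(); anything but JAIL_OK means the caller must abort,
 * never carry on half-confined. (Example code, not SCO's.) */
enum jail_result {
    JAIL_OK = 0,
    JAIL_ERR_BAD_ARGS,      /* NULL or relative path, or a target uid of 0 */
    JAIL_ERR_CHDIR,         /* could not enter the jail directory */
    JAIL_ERR_CHROOT,        /* chroot(2) refused, usually because not root */
    JAIL_ERR_SETGROUPS,
    JAIL_ERR_SETGID,
    JAIL_ERR_SETUID,
    JAIL_ERR_ROOT_REGAINED  /* root could be reacquired after the drop */
};

/* Confine the calling process to `dir` and drop to uid/gid in the order the
 * advisory recommends: chroot first, then give up root right away.
 * Must run as root (chroot(2) requires it) and before any thread or open
 * file descriptor that refers to something outside the jail exists. */
enum jail_result enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/' || uid == 0)
        return JAIL_ERR_BAD_ARGS;

    /* chroot(2) changes the root but not the working directory; a cwd left
     * outside the new root is a well-known escape route, so enter the
     * directory first and re-anchor to "/" afterwards. */
    if (chdir(dir) != 0)
        return JAIL_ERR_CHDIR;
    if (chroot(dir) != 0)
        return JAIL_ERR_CHROOT;
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;

    /* Drop supplementary groups, then the gid, then the uid. The uid goes
     * last: once it is gone the gid can no longer be changed. */
    if (setgroups(0, NULL) != 0)
        return JAIL_ERR_SETGROUPS;
    if (setgid(gid) != 0)
        return JAIL_ERR_SETGID;
    if (setuid(uid) != 0)
        return JAIL_ERR_SETUID;

    /* Verify the drop is permanent. If root can be reacquired, the jail is
     * only as strong as the kernel's chroot() alone, which the advisory says
     * is not enough. */
    if (setuid(0) == 0 || geteuid() == 0 || getuid() == 0)
        return JAIL_ERR_ROOT_REGAINED;
    return JAIL_OK;
}

static const char *jail_result_str(enum jail_result r)
{
    switch (r) {
    case JAIL_OK:                return "ok";
    case JAIL_ERR_BAD_ARGS:      return "bad arguments";
    case JAIL_ERR_CHDIR:         return "chdir failed";
    case JAIL_ERR_CHROOT:        return "chroot failed";
    case JAIL_ERR_SETGROUPS:     return "setgroups failed";
    case JAIL_ERR_SETGID:        return "setgid failed";
    case JAIL_ERR_SETUID:        return "setuid failed";
    case JAIL_ERR_ROOT_REGAINED: return "root privileges could be regained";
    }
    return "unknown";
}

/* Usage: ./jail JAILDIR UID GID PROGRAM   (run as root; PROGRAM is a path
 * inside the jail, e.g. /bin/sh if the jail has one). */
int main(int argc, char **argv)
{
    if (argc != 5) {
        fprintf(stderr, "usage: %s JAILDIR UID GID PROGRAM\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    enum jail_result r = enter_jail(argv[1], uid, gid);
    if (r != JAIL_OK) {
        fprintf(stderr, "enter_jail: %s (%s)\n", jail_result_str(r),
                strerror(errno));
        return 1;
    }
    /* Only now, confined and unprivileged, hand over to the untrusted code. */
    execl(argv[4], argv[4], (char *)NULL);
    perror("execl");
    return 1;
}
```

Running it needs root and a prepared jail directory (populated with the program and its libraries, but no setuid binaries or device nodes, as the advisory describes); the argument-validation paths in enter_jail run without any privilege, which is what the checks below exercise.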
James Longstreet
2005-05-11 18:20:52 UTC
On Wed, 11 May 2005 ***@sco.com wrote:
<snip>

Has anyone ever wondered why SCO's mails come from
***@sco.com? Why not just make them come from
***@sco.com? Or at least set the Reply-To: field?

Other than preventing spam, is there a greater purpose here that I'm
missing?
KF (lists)
2005-05-11 18:44:48 UTC
Anyone ever wonder why all their security advisories come out for known
issues two years after they have been found?

Anyone ever wonder why they STILL use a vulnerable version of wu ftpd on
one of their main servers?

Connected to ftpput.sco.com.
220 artemis FTP server (Version 2.1WU(1)) ready.
Name (ftpput.sco.com:doucheknob):

Move along... nothing to see here but a decrepit OS that no one cares
about.
-KF
Post by James Longstreet
<snip>
Has anyone ever wondered why SCO's mails come from
Other than preventing spam, is there a greater purpose here that I'm
missing?
Vincent van Scherpenseel
2005-05-11 20:57:16 UTC
Post by KF (lists)
Anyone ever wonder why all their security advisories come out for known
issues two years after they have been found?
Anyone ever wonder why they STILL use a vulnerable version of wu ftpd on
one of their main servers?
Connected to ftpput.sco.com.
220 artemis FTP server (Version 2.1WU(1)) ready.
Move along... nothing to see here but a decrepit OS that no one cares
about.
-KF
Keep in mind that you shouldn't fully rely on service banners. These are
easily faked to keep the script kiddies away. I know, that's security through
obscurity, but not the whole world is Full Disclosure.

- Vincent van Scherpenseel
--
http://vincent.vanscherpenseel.nl/
KF (lists)
2005-05-11 21:00:56 UTC
Post by Vincent van Scherpenseel
Post by KF (lists)
Anyone ever wonder why all their security advisories come out for known
issues two years after they have been found?
Anyone ever wonder why they STILL use a vulnerable version of wu ftpd on
one of their main servers?
Connected to ftpput.sco.com.
220 artemis FTP server (Version 2.1WU(1)) ready.
Move along... nothing to see here but a decrepit OS that no one cares
about.
-KF
Keep in mind that you shouldn't fully rely on service banners. These are
easily faked to keep the script kiddies away. I know, that's security through
obscurity, but not the whole world is Full Disclosure.
- Vincent van Scherpenseel
keep in mind that this has been like this for *YEARS*. I highly doubt
they have gone through the trouble of faking output for the format
string vulnerability. Telnet to the port and test the site exec shit by
hand yourself... although I have not checked I would almost bet you get
memory addresses popping up.

I actually spoke to previous sco admins about it when I used to work
with them on security issues. At the time they could not track down the
admin of the box... after the caldera merger I would imagine it just sat
there.

http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/008577.html

-KF

s***@wylie.me.uk
2005-05-11 20:26:30 UTC
Post by James Longstreet
Has anyone ever wondered why SCO's mails come from
Other than preventing spam, is there a greater purpose here that I'm
missing?
To keep their in-box clear of out-of-office replies from clueless lusers
who don't know how to configure a vacation program?

Google for <site:lists.grok.org.uk "out-of-office">

And just over a week ago:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033717.html

(He says, preparing to see how many idiots' mailers auto-reply to
this: To anyone that does - you are doubly incompetent, once for your
ineptness in running your e-mail software in the first place, and once
for telling a security mailing list that you are away from your
post).
--
Alan J. Wylie http://www.wylie.me.uk/
"Perfection [in design] is achieved not when there is nothing left to add,
but rather when there is nothing left to take away."
-- Antoine de Saint-Exupery