OSVDB ID: 25851

Title: FreeBSD SMBFS Traversal chroot Bypass

Dates

Disclosure: May 31, 2006
Discovery: Unknown
Exploit: May 31, 2006
Solution: Unknown

Description

FreeBSD contains a flaw that allows a remote attacker to escape a chroot environment when the chroot is implemented over a Server Message Block File System (SMBFS). The issue is due to SMBFS not properly sanitizing user input, specifically directory traversal sequences (..\). This flaw may lead to a loss of integrity.

Classification

Location: Local Access Required, Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution

Upgrade to version 4.11, 5.5 or 6.1 or higher, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions. It is also possible to correct the flaw by implementing the following workaround: mount the SMBFS so that the chroot directory is on a mount point and not a subdirectory of a mount point.
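One way to audit for the workaround above, as an added example (not code from FreeBSD or from this entry): the function reads a mount table in fstab(5) layout from stdin and reports whether a chroot directory is a subdirectory of an SMBFS mount point rather than the mount point itself. The name `check_chroot`, the paths and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Mount table layout expected on stdin (fstab(5) style, as `mount -p` prints):
#   device  mountpoint  fstype  options  dump  pass

# Constructed sample mount table (not from a real host).
SAMPLE_MOUNTS='/dev/ad0s1a / ufs rw 1 1
//guest@fileserver/share /mnt/smb smbfs rw 0 0
//guest@fileserver/jail /jails/web smbfs rw 0 0'

# check_chroot DIR
# Prints "exposed" when DIR is a subdirectory of an SMBFS mount point,
# "ok" when DIR is not on SMBFS or is itself the SMBFS mount point.
check_chroot() {
    dir=${1%/}                      # drop one trailing slash
    [ -n "$dir" ] || dir=/          # "/" itself normalises back to "/"
    best_mp=""; best_fs=""
    while read -r dev mp fs rest; do
        case $dev in ''|'#'*) continue ;; esac   # skip blanks and comments
        # Does this mount point contain DIR (match on path boundaries only)?
        case $mp in
            /) match=1 ;;
            *) case $dir in "$mp"|"$mp"/*) match=1 ;; *) match=0 ;; esac ;;
        esac
        # Keep the innermost containing mount; later entries shadow earlier.
        if [ "$match" -eq 1 ] && [ "${#mp}" -ge "${#best_mp}" ]; then
            best_mp=$mp; best_fs=$fs
        fi
    done
    if [ "$best_fs" = smbfs ] && [ "$best_mp" != "$dir" ]; then
        echo exposed
    else
        echo ok
    fi
}

# Demo on the constructed table: a chroot below a mount point, then one on it.
printf '%s\n' "$SAMPLE_MOUNTS" | check_chroot /mnt/smb/jail
printf '%s\n' "$SAMPLE_MOUNTS" | check_chroot /jails/web
```

On a FreeBSD host the same function can be fed the live table with `mount -p | check_chroot /path/to/chroot`.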

Products

FreeBSD Project

FreeBSD

4.3
4.4
4.5
4.6
4.6.2
4.7
4.8
4.9
4.10
4.11
5.0
5.1
5.2
5.2.1
5.3
5.4
5.5
6.0
6.1

References

Credit

  • Mark Moseley


Direct URL: http://osvdb.org/36218