FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

jailed processes can attach to other jails

Affected systems
5.1 <= FreeBSD < 5.1_14
5.2 <= FreeBSD < 5.2.1

Details

VuXML ID 9082a85a-88ae-11d8-90d1-0020ed76ef5a
Discovery 2004-02-19
Entry 2004-04-07
Modified 2004-05-05

A programming error has been found in the jail_attach(2) system call which affects the way that system call verifies the privilege level of the calling process. Instead of failing immediately if the calling process was already jailed, the jail_attach system call would fail only after changing the calling process's root directory.

A process with superuser privileges inside a jail could change its root directory to that of a different jail, and thus gain full read and write access to files and directories within the target jail.
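The check-ordering flaw described above, modelled in user-space C as an added example. This is not FreeBSD kernel code: the struct and function names (proc, jail, may_attach, attach_flawed, attach_checked) and the jail paths are hypothetical, and the error codes are assumptions of the model.

```c
#include <errno.h>
#include <stddef.h>
#include <string.h>

/* Simplified user-space model of the flaw; every name here is hypothetical. */
struct jail { int id; const char *root; };
struct proc { int uid; const struct jail *jail; const char *root; };

static const struct jail jails[] = {      /* constructed sample data */
    { 1, "/jails/a" },
    { 2, "/jails/b" },
};

static const struct jail *find_jail(int jid) {
    for (size_t i = 0; i < sizeof jails / sizeof jails[0]; i++)
        if (jails[i].id == jid)
            return &jails[i];
    return NULL;
}

/* Privilege test: caller must be superuser and must not already be jailed. */
static int may_attach(const struct proc *p) {
    return (p->uid == 0 && p->jail == NULL) ? 0 : EPERM;
}

/* Flawed ordering: the root directory is changed before the check runs. */
int attach_flawed(struct proc *p, int jid) {
    const struct jail *j = find_jail(jid);
    if (j == NULL)
        return EINVAL;
    p->root = j->root;                    /* side effect happens first */
    int error = may_attach(p);
    if (error)
        return error;                     /* call fails, root already moved */
    p->jail = j;
    return 0;
}

/* Corrected ordering: fail immediately, before any state is modified. */
int attach_checked(struct proc *p, int jid) {
    int error = may_attach(p);
    if (error)
        return error;
    const struct jail *j = find_jail(jid);
    if (j == NULL)
        return EINVAL;
    p->root = j->root;
    p->jail = j;
    return 0;
}
```

In the flawed variant the caller sees an error return, so the failure looks like a clean denial even though the process state has changed.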

References

CVE Name CVE-2004-0126
FreeBSD Advisory SA-04:03.jail