FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

smbfs -- chroot escape

Affected systems
4.10 <= FreeBSD < 4.10_24
4.11 <= FreeBSD < 4.11_18
5.3 <= FreeBSD < 5.3_30
5.4 <= FreeBSD < 5.4_15
5.5 <= FreeBSD < 5.5_1
6.0 <= FreeBSD < 6.0_8
6.1 <= FreeBSD < 6.1_1

Details

VuXML ID cf3b9a96-f7bb-11da-9156-000e0c2e438a
Discovery 2006-05-31
Entry 2006-06-09

Problem Description

smbfs does not properly sanitize paths containing a backslash character; in particular the directory name '..\' is interpreted as the parent directory by the SMB/CIFS server, but smbfs handles it in the same manner as any other directory.

Impact

An attacker inside a chroot environment that resides on an smbfs-mounted file system can escape from the chroot to any other directory on that smbfs-mounted file system.

Workaround

Mount the smbfs file systems that need to be used with chroot so that the chroot directory is exactly on the mount point and not a subdirectory of it.
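One way to audit the workaround, as an added example that is not part of the advisory or of FreeBSD's own tooling: the function below reads a mount table in fstab(5) format and reports whether a chroot directory is itself an smbfs mount point or only a subdirectory of one. The function name, the sample table and all paths are constructed for illustration; on a live host the table can be taken from `mount -p`.

```shell
#!/bin/sh
# Added example: classify a chroot directory against a mount table in
# fstab(5) format (device, mount point, type, options, ...).
# Assumption: DIR is an absolute path with symlinks already resolved.

# Constructed sample mount table, not taken from a real host.
SAMPLE_MOUNTS='/dev/ad0s1a / ufs rw 1 1
//user@server/share /smb smbfs rw 0 0
//user@server/jail /jails/web smbfs rw 0 0
/dev/ad0s1e /usr ufs rw 2 2'

# classify_chroot DIR [MOUNT_TABLE]
# Prints one of:
#   exact      DIR is itself an smbfs mount point (what the workaround asks for)
#   exposed    DIR is a subdirectory of an smbfs mount
#   not-smbfs  DIR does not reside on smbfs
classify_chroot() {
    dir=${1%/}                      # drop one trailing slash
    [ -n "$dir" ] || dir=/
    table=${2:-$SAMPLE_MOUNTS}
    printf '%s\n' "$table" | awk -v dir="$dir" '
        {
            mp = $2
            # A mount contains dir if dir equals the mount point or lies
            # below it; comparing with a trailing "/" keeps /smbx from
            # matching /smb.
            prefix = (mp == "/") ? "/" : mp "/"
            if (dir == mp || index(dir "/", prefix) == 1) {
                # Keep the longest matching mount point: that is the
                # file system the directory actually resides on.
                if (length(mp) > best_len) {
                    best_len = length(mp); best_mp = mp; best_type = $3
                }
            }
        }
        END {
            if (best_type != "smbfs") print "not-smbfs"
            else if (best_mp == dir)  print "exact"
            else                      print "exposed"
        }'
}
```

For example, `classify_chroot /smb/chroot "$(mount -p)"` checks a directory against the live mount table.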

References

CVE Name CVE-2006-2654
FreeBSD Advisory SA-06:16.smbfs