CVE-2006-1863
Published 2006-04-25
CVE-2006-1863: Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\"…
Priority P4 · 12 · low · 2.1 · CVSS 2.0
AV:L/AC:L/Au:N/C:P/I:N/A:N
EXPLOIT
EPSS: 1.02% (58.9th percentile)
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| linux | linux_kernel | <= 2.6.17 | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
CVSS provenance
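| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
| vendor_ubuntu | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 2.1 | LOW | — |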
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2006-06-15·CVSS 6.9
CVE-2006-1856 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Linux kernel vulnerabilities
An integer overflow was discovered in the do_replace() function. A
local user process with the CAP_NET_ADMIN capability could exploit
this to execute arbitrary commands with full root privileges.
However, none of Ubuntu's supported packages use this capability with
any non-root user, so this only affects you if you use some third
party software like the OpenVZ virtualization system. (CVE-2006-0038)
On EMT64 CPUs, the kernel did not properly handle uncanonical return
addresses. A local user could exploit this to trigger a kernel crash.
(CVE-2006-0744)
Al Viro discovered a local Denial of Service in the sysfs write buffer
handling. By writing a block with a length exactly equal to the
processor's page size to any w
BSD
FreeBSD-SA-06:16.smbfs: smbfs chroot escape
bsd_advisories·2006-05-31·CVSS 6.4
CVE-2006-1863 [MEDIUM] FreeBSD-SA-06:16.smbfs: smbfs chroot escape
FreeBSD-SA-06:16.smbfs Security Advisory
The FreeBSD Project
Topic: smbfs chroot escape
Category: core
Module: smbfs
Announced: 2006-05-31
Credits: Mark Moseley
Affects: All FreeBSD releases.
Corrected: 2006-05-31 22:31:21 UTC (RELENG_6, 6.1-STABLE)
2006-05-31 22:31:42 UTC (RELENG_6_1, 6.1-RELEASE-p1)
2006-05-31 22:32:04 UTC (RELENG_6_0, 6.0-RELEASE-p8)
2006-05-31 22:32:22 UTC (RELENG_5, 5.5-STABLE)
2006-05-31 22:32:49 UTC (RELENG_5_5, 5.5-RELEASE-p1)
2006-05-31 22:33:17 UTC (RELENG_5_4, 5.4-RELEASE-p15)
2006-05-31 22:33:41 UTC (RELENG_5_3, 5.3-RELEASE-p30)
2006-05-31 22:34:32 UTC (RELENG_4, 4.11-STABLE)
2006-05-31 22:34:53 UTC (RELENG_4_11, 4.11-RELEASE-p18)
2006-05-31 22:35:32 UTC (RELENG_4_10, 4.10-RELEASE-p24)
CVE Name: CVE-2006-2654
For general information regarding FreeBSD Securit
Red Hat
security flaw
vendor_redhat·2006-04-26·CVSS 2.1
CVE-2006-1864 [LOW] security flaw
security flaw
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
Red Hat
security flaw
vendor_redhat·2006-04-20·CVSS 2.1
CVE-2006-1863 [LOW] security flaw
security flaw
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
GHSA
GHSA-c42v-pv88-p8gf: Directory traversal vulnerability in CIFS in Linux 2
ghsa_unreviewed·2022-05-01·CVSS 4.6
CVE-2006-1863 [MEDIUM] GHSA-c42v-pv88-p8gf: Directory traversal vulnerability in CIFS in Linux 2
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
GHSA
GHSA-fmc8-hp9q-fhj5: Directory traversal vulnerability in smbfs in Linux 2
ghsa_unreviewed·2022-05-01·CVSS 2.1
CVE-2006-1864 [LOW] GHSA-fmc8-hp9q-fhj5: Directory traversal vulnerability in smbfs in Linux 2
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
No detection rules found.
Bugzilla
CVE-2006-1864 security flaw
bugzilla·2018-08-16·CVSS 2.1
CVE-2006-1864 [LOW] CVE-2006-1864 security flaw
CVE-2006-1864 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
Bugzilla
CVE-2006-1863 security flaw
bugzilla·2018-08-16·CVSS 2.1
CVE-2006-1863 [LOW] CVE-2006-1863 security flaw
CVE-2006-1863 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
Bugzilla
Various kernel security issues - July thru October 2006
bugzilla·2006-07-24·CVSS 4.9
[MEDIUM] Various kernel security issues - July thru October 2006
Various kernel security issues - July thru October 2006
This bug will track the various kernel issues up to July 2006.
Discussion:
*** Bug 188935 has been marked as a duplicate of this bug. ***
---
*** Bug 190082 has been marked as a duplicate of this bug. ***
---
*** Bug 190083 has been marked as a duplicate of this bug. ***
---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Here are updated kernel packages to QA for FC3:
* Sun Jul 16 2006 Marc Deslauriers
2.6.12-2.4.legacy_FC3
- - Added patches for:
CVE-2005-3359 (incorrect increment/decrement in atm module)
CVE-2006-0555 (nfs: fix client panic using O_DIRECT)
CVE-2006-0741 (fix for ELF exec vulnerability on EM64T)
CVE-2006-0744 (fix for ELF exec vulnerability on EM64T)
CVE-2006-1525 (panic in ip_route_input() via inet_rtm_getro
Bugzilla
CVE-2006-1863 cifs chroot issue
bugzilla·2006-04-19·CVSS 2.1
CVE-2006-1863 [LOW] CVE-2006-1863 cifs chroot issue
CVE-2006-1863 cifs chroot issue
When doing a chroot inside of a smb-mounted filesystem (cifs), it appears that
you can break out of it using "cd ..\\" (2 backslashes).
```
[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
```
Discussion:
The upstream fix can be found here:
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=296034f7de8bdf111984ce1630ac598a9c94a253
---
committed in stream U5 build 42.10. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
---
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintena
http://rhn.redhat.com/errata/RHBA-2007-0304.html
http://secunia.com/advisories/19868
http://secunia.com/advisories/20398
http://secunia.com/advisories/20914
http://secunia.com/advisories/21614
http://www.debian.org/security/2006/dsa-1103
http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git%3Ba=commit%3Bh=296034f7de8bdf111984ce1630ac598a9c94a253
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.16.11
http://www.mandriva.com/security/advisories?name=MDKSA-2006:150
http://www.mandriva.com/security/advisories?name=MDKSA-2006:151
http://www.novell.com/linux/security/advisories/2006-05-31.html
http://www.osvdb.org/25068
http://www.securityfocus.com/bid/17742
http://www.trustix.org/errata/2006/0024
http://www.vupen.com/english/advisories/2006/1542
http://www.vupen.com/english/advisories/2006/2554
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189434
https://exchange.xforce.ibmcloud.com/vulnerabilities/26141
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10383
2006-04-25
Published