CVE-2006-1864
Published: 2006-04-26
Priority: P4 · 17 · medium · 4.6 · CVSS 2.0
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 1.16% (63.2th percentile)
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| freebsd | freebsd | — | — |
| linux | linux_kernel | <= 2.6.17 | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
| linux | linux_kernel | — | — |
CVSS provenance
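| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 4.6 | MEDIUM | AV:L/AC:L/Au:N/C:P/I:P/A:P |
| vendor_ubuntu | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 2.1 | LOW | — |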
Ubuntu
Linux kernel vulnerabilities
vendor_ubuntu·2006-06-15·CVSS 6.9
CVE-2006-1856 [MEDIUM] Linux kernel vulnerabilities
Title: Linux kernel vulnerabilities
Summary: Linux kernel vulnerabilities
An integer overflow was discovered in the do_replace() function. A
local user process with the CAP_NET_ADMIN capability could exploit
this to execute arbitrary commands with full root privileges.
However, none of Ubuntu's supported packages use this capability with
any non-root user, so this only affects you if you use some third
party software like the OpenVZ virtualization system. (CVE-2006-0038)
On EMT64 CPUs, the kernel did not properly handle uncanonical return
addresses. A local user could exploit this to trigger a kernel crash.
(CVE-2006-0744)
Al Viro discovered a local Denial of Service in the sysfs write buffer
handling. By writing a block with a length exactly equal to the
processor's page size to any w
BSD
FreeBSD-SA-06:16.smbfs: smbfs chroot escape
bsd_advisories·2006-05-31·CVSS 6.4
CVE-2006-1863 [MEDIUM] FreeBSD-SA-06:16.smbfs: smbfs chroot escape
FreeBSD-SA-06:16.smbfs Security Advisory
The FreeBSD Project
Topic: smbfs chroot escape
Category: core
Module: smbfs
Announced: 2006-05-31
Credits: Mark Moseley
Affects: All FreeBSD releases.
Corrected: 2006-05-31 22:31:21 UTC (RELENG_6, 6.1-STABLE)
           2006-05-31 22:31:42 UTC (RELENG_6_1, 6.1-RELEASE-p1)
           2006-05-31 22:32:04 UTC (RELENG_6_0, 6.0-RELEASE-p8)
           2006-05-31 22:32:22 UTC (RELENG_5, 5.5-STABLE)
           2006-05-31 22:32:49 UTC (RELENG_5_5, 5.5-RELEASE-p1)
           2006-05-31 22:33:17 UTC (RELENG_5_4, 5.4-RELEASE-p15)
           2006-05-31 22:33:41 UTC (RELENG_5_3, 5.3-RELEASE-p30)
           2006-05-31 22:34:32 UTC (RELENG_4, 4.11-STABLE)
           2006-05-31 22:34:53 UTC (RELENG_4_11, 4.11-RELEASE-p18)
           2006-05-31 22:35:32 UTC (RELENG_4_10, 4.10-RELEASE-p24)
CVE Name: CVE-2006-2654
For general information regarding FreeBSD Securit
Red Hat
security flaw
vendor_redhat·2006-04-26·CVSS 2.1
CVE-2006-1864 [LOW] security flaw
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
Red Hat
security flaw
vendor_redhat·2006-04-20·CVSS 2.1
CVE-2006-1863 [LOW] security flaw
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
GHSA
GHSA-c42v-pv88-p8gf: Directory traversal vulnerability in CIFS in Linux 2
ghsa_unreviewed·2022-05-01·CVSS 4.6
CVE-2006-1863 [MEDIUM] GHSA-c42v-pv88-p8gf: Directory traversal vulnerability in CIFS in Linux 2
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
GHSA
GHSA-cj4c-9x4r-m99w: Directory traversal vulnerability in smbfs on FreeBSD 4
ghsa_unreviewed·2022-05-01·CVSS 4.6
CVE-2006-2654 [MEDIUM] GHSA-cj4c-9x4r-m99w: Directory traversal vulnerability in smbfs on FreeBSD 4
Directory traversal vulnerability in smbfs on FreeBSD 4.10 up to 6.1 allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences. NOTE: this is similar to CVE-2006-1864, but this is a different implementation of smbfs, so it has a different CVE identifier.
GHSA
GHSA-fmc8-hp9q-fhj5: Directory traversal vulnerability in smbfs in Linux 2
ghsa_unreviewed·2022-05-01·CVSS 2.1
CVE-2006-1864 [LOW] GHSA-fmc8-hp9q-fhj5: Directory traversal vulnerability in smbfs in Linux 2
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
Bugzilla
CVE-2006-1864 security flaw
bugzilla·2018-08-16·CVSS 2.1
CVE-2006-1864 [LOW] CVE-2006-1864 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Directory traversal vulnerability in smbfs in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1863.
Bugzilla
CVE-2006-1863 security flaw
bugzilla·2018-08-16·CVSS 2.1
CVE-2006-1863 [LOW] CVE-2006-1863 security flaw
Flaw bug created to hold information about an old flaw we knew something about. For more details see the MITRE CVE description.
Discussion:
MITRE description:
Directory traversal vulnerability in CIFS in Linux 2.6.16 and earlier allows local users to escape chroot restrictions for an SMB-mounted filesystem via "..\\" sequences, a similar vulnerability to CVE-2006-1864.
Bugzilla
Various kernel security issues - July thru October 2006
bugzilla·2006-07-24·CVSS 4.9
[MEDIUM] Various kernel security issues - July thru October 2006
This bug will track the various kernel issues up to July 2006.
Discussion:
*** Bug 188935 has been marked as a duplicate of this bug. ***
---
*** Bug 190082 has been marked as a duplicate of this bug. ***
---
*** Bug 190083 has been marked as a duplicate of this bug. ***
---
Here are updated kernel packages to QA for FC3:
* Sun Jul 16 2006 Marc Deslauriers
2.6.12-2.4.legacy_FC3
- Added patches for:
CVE-2005-3359 (incorrect increment/decrement in atm module)
CVE-2006-0555 (nfs: fix client panic using O_DIRECT)
CVE-2006-0741 (fix for ELF exec vulnerability on EM64T)
CVE-2006-0744 (fix for ELF exec vulnerability on EM64T)
CVE-2006-1525 (panic in ip_route_input() via inet_rtm_getro
Bugzilla
CVE-2006-1864 smbfs chroot issue
bugzilla·2006-04-19·CVSS 4.6
CVE-2006-1864 [MEDIUM] CVE-2006-1864 smbfs chroot issue
When doing a chroot inside of a smb-mounted filesystem (smbfs), it appears that
you can break out of it using "cd ..\\" (2 backslashes).
[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
Discussion:
Created attachment 128811
Proposed patch
---
A fix for this problem has just been committed to the RHEL3 U9
patch pool this evening (in kernel version 2.4.21-47.1.EL).
---
A fix for this problem has also been committed to the RHEL3 E9
patch pool this evening (in kernel version 2.4.21-47.0.1.EL).
---
An advisory has been issued which should help the problem
described in this bug report. This r
Bugzilla
CVE-2006-1864 smbfs chroot issue
bugzilla·2006-04-19·CVSS 2.6
CVE-2006-1864 [LOW] CVE-2006-1864 smbfs chroot issue
When doing a chroot inside of a smb-mounted filesystem (smbfs), it appears that
you can break out of it using "cd ..\\" (2 backslashes).
[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
Discussion:
With e.61, I can reproduce the strange looking current working directory, but I
can't seem to break out of the jail. I'll see what happens with the new kernel.
//127.0.0.1/tmp 32897536 6115840 26781696 19% /mnt/cdrom
.qa.[root@ia64-21as-bos cdrom]# cp -a /bin /etc/ /lib /tmp
.qa.[root@ia64-21as-bos cdrom]# ll
total 49
drwxr-xr-x 1 root root 16384 Jun 4 02:36 bin
drwxr-xr-x 1 root root 16384 Jul 1
Bugzilla
CVE-2006-1864 smbfs chroot issue
bugzilla·2006-04-19·CVSS 4.6
CVE-2006-1864 [MEDIUM] CVE-2006-1864 smbfs chroot issue
When doing a chroot inside of a smb-mounted filesystem (smbfs), it appears that
you can break out of it using "cd ..\\" (2 backslashes).
[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
Discussion:
Created attachment 128809
Proposed patch
---
committed in stream U4 build 36.1. A test kernel with this patch is available
from http://people.redhat.com/~jbaron/rhel4/
---
An advisory has been issued which should help the problem
described in this bug report. This report is
Bugzilla
CVE-2006-1864 smbfs chroot issue
bugzilla·2006-04-19·CVSS 4.6
CVE-2006-1864 [MEDIUM] CVE-2006-1864 smbfs chroot issue
When doing a chroot inside of a smb-mounted filesystem (cifs), it appears that
you can break out of it using "cd ..\\" (2 backslashes).
[root@server me]# pwd
/path/to/my/dir
[root@server me]# ls
bin chroot etc lib
[root@server me]# chroot .
bash-2.05a# pwd
/
bash-2.05a# ls
bin chroot etc lib
bash-2.05a# cd ..\\
bash-2.05a# pwd
/..\
bash-2.05a# ls
Discussion:
Fix verified:
.qa.[root@i386-21as-bos tmp]# ll
total 2568
drwxr-xr-x 2 root root 4096 Jul 12 11:50 backup
-rw-r--r-- 1 root root 768000 Jul 12 11:42 bak.file
drwxr-xr-x 2 root root 4096 Jun 4 01:38 bin
drwxr-xr-x 2 root root 4096 Jul 12 08:37 dumper
-rw-r--r-- 1 root root 1048576 Jul 12 09:50 dumpy.iso
drwxr-xr-x 72 root root 8192 Jul 12 11:58 etc
-rw-r--r-- 1 root root 768000 Jul 12 11:21 file.dum