exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New


Posted Jul 21, 2005
Site freebsd.org

FreeBSD Security Advisory FreeBSD-SA-05:17.devfs - Due to insufficient parameter checking of the node type during device creation, any user can expose hidden device nodes on devfs mounted file systems within their jail. Device nodes will be created in the jail with their normal default access permissions.

tags | advisory
systems | freebsd
advisories | CVE-2005-2218
SHA-256 | e1c7cadcfc9a5b70208783e95f2c0e0102c8c0c89d38162917beeb93216b369c


Change Mirror Download
Hash: SHA1

FreeBSD-SA-05:17.devfs Security Advisory
The FreeBSD Project

Topic: devfs ruleset bypass

Category: core
Module: devfs
Announced: 2005-07-20
Credits: Robert Watson
Affects: All FreeBSD 5.x releases
Corrected: 2005-07-20 13:35:44 UTC (RELENG_5, 5.4-STABLE)
2005-07-20 13:36:32 UTC (RELENG_5_4, 5.4-RELEASE-p5)
2005-07-20 13:37:27 UTC (RELENG_5_3, 5.3-RELEASE-p19)
CVE Name: CAN-2005-2218

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit

I. Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The device file system, or devfs(5), provides access to kernel's device
namespace in the global file system namespace. This includes access to
to system devices such as storage devices, kernel and system memory
devices, BPF devices, and serial port devices. Devfs is is generally
mounted as /dev. Devfs rulesets allow an administrator to hide
certain device nodes; this is most commonly applied to a devfs mounted
for use inside a jail, in order to make devices inaccessible to
processes within that jail.

II. Problem Description

Due to insufficient parameter checking of the node type during device
creation, any user can expose hidden device nodes on devfs mounted
file systems within their jail. Device nodes will be created in the
jail with their normal default access permissions.

III. Impact

Jailed processes can get access to restricted resources on the host
system. For jailed processes running with superuser privileges this
implies access to all devices on the system. This level of access
can lead to information leakage and privilege escalation.

IV. Workaround

Unmount device file systems mounted inside jails. Note that certain
device nodes, such as /dev/null, may be required for some software to
function correctly.

This can be done by executing the following command as root:

umount -A -t devfs

Also, remove or comment out any lines in fstab(5) that reference
`devfs' and has a mount point within a jail, so that they will not be
re-mounted at next reboot.

Some device file systems might be busy, including the host's main /dev
file system, and processes accessing these must be shut down before
the device file system can be unmounted. The hosts main device file
system, mounted as /dev, should not be unmounted since it is required
for normal system operation.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4,
or RELENG_5_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3, and
5.4 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:17/devfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
- -------------------------------------------------------------------------
src/UPDATING 1.342.
src/UPDATING 1.342.
- -------------------------------------------------------------------------

VII. References


The latest revision of this advisory is available at
Version: GnuPG v1.4.1 (FreeBSD)

Login or Register to add favorites

File Archive:

June 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    0 Files
  • 2
    Jun 2nd
    0 Files
  • 3
    Jun 3rd
    18 Files
  • 4
    Jun 4th
    21 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    57 Files
  • 7
    Jun 7th
    6 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    12 Files
  • 11
    Jun 11th
    27 Files
  • 12
    Jun 12th
    38 Files
  • 13
    Jun 13th
    16 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By