FreeBSD contains a flaw that allows a remote attacker to escape a chroot environment when the chroot is implemented over a Server Message Block File System (SMBFS). The issue is due to the SMBFS not properly sanitizing user input, specifically directory traversal style attacks (..\). This flaw may lead to a loss of integrity.

Upgrade to version 4.11, 5.5 or 6.1 or higher, as it has been reported to fix this vulnerability. In addition, FreeBSD has released a patch for some older versions.

It is also possible to correct the flaw by implementing the following workaround: mount the SMBFS so that the chroot directory is on a mount point and not a subdirectory of a mount point.

• CVE ID: 2006-2654 (see also: NVD)
• Secunia Advisory ID: 20390
• SCIP VulDB ID: 2271
• Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-05/0701.html
• Other Advisory URL: http://security.freebsd.org/advisories/FreeBSD-SA-06:16.smbfs.asc
• Vendor Specific Solution URL: http://security.FreeBSD.org/patches/SA-06:16/smbfs.patch
  http://security.FreeBSD.org/patches/SA-06:16/smbfs.patch.asc
• Vendor URL: http://www.freebsd.org

• Mark Moseley -