Description
The jail rc.d script in FreeBSD 5.3 up to 6.2 does not verify pathnames when writing to /var/log/console.log during a jail start-up, or when file systems are mounted or unmounted, which allows local root users to overwrite arbitrary files, or mount/unmount files, outside of the jail via a symlink attack.
References (5)
Core References
Exploit, Vendor Advisory (vendor-advisory, x_refsource_freebsd): http://security.freebsd.org/advisories/FreeBSD-SA-07:01.jail.asc
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/22011
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_osvdb): http://osvdb.org/32726
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_sectrack): http://securitytracker.com/id?1017505
Third Party Advisory (third-party-advisory, x_refsource_secunia): http://secunia.com/advisories/23730
Scores
EPSS: 0.0005
EPSS Percentile: 16.5%
Details
Status: published
Products (2)
freebsd/freebsd: 5.3
freebsd/freebsd: < 6.2
Published: Jan 11, 2007
Tracked Since: Feb 18, 2026