lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <009d4110-259d-1659-9fc3-373b920e7657@halfdog.net>
Date: Sun, 10 Jan 2016 13:07:04 +0000
From: halfdog <me@...fdog.net>
To: fulldisclosure@...lists.org
Subject: [FD] Linux user namespaces overlayfs local root

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

Preamble:

As the issue described herein was fixed 20161206 in Linux Kernel
already and publicly disclosed as security vulnerability 20151224,
here is a short writeup and POC exploit to understand the issue and
perform testing.

Description:

Linux user namespace allows to mount file systems as normal user,
including the overlayfs. As many of those features were not designed
with namespaces in mind, this increase the attack surface of the Linux
kernel interface. Due to missing security checks when changing mode of
files on overlayfs, a SUID binary can be created within user namespace
but executed from outside to gain root privileges.

Overlayfs was intended to allow create writeable filesystems when
running on readonly medias, e.g. on a live-CD. In such scenario, the
lower filesystem contains the read-only data from the medium, the
upper filesystem part is mixed with the lower part. This mixture is
then presented as an overlayfs at a given mount point. When writing to
this overlayfs, the write will only modify the data in upper, which
may reside on a tmpfs for that purpose.

One problematic use case is the modification of file or attributes of
files on the overlayfs within a user namespace. A user without any
capabilities on the host is given CAP_SYSADMIN within the user
namespace, thus having capabilities to change the attributes of files
on the overlayfs when not checking, if the host-system user would also
have the capability to change the attributes of the file without
having CAP_SYSADMIN there also. As this check was missing, the process
within namespace could gain read/write access to arbitrary files.
Combined with the SUID-write technique from a previous article
(SetgidDirectoryPrivilegeEscalation), modification of host-UID-0
SUID-binaries allows escalation to host root user.

Read more at
http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/

hd

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlaSV0wACgkQxFmThv7tq+4ZHACePbBusIsknx0vXdcT3Tk/KF/y
WkQAn2nC/kUeuQBTyZsAbWl7Qvxn1WDE
=BUKF
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ