lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6b2922be-bb6f-4397-814e-16eafd20a834@halfdog.net>
Date: Tue, 23 Feb 2016 08:14:18 +0000
From: halfdog <me@...fdog.net>
To: fulldisclosure@...lists.org
Subject: [FD] Various Linux Kernel USERNS Issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

Here are some issues recently discovered:

* Overlayfs over Fuse Privilege Escalation: On some systems, e.g.
Ubuntu Wily, it is possible to place an USERNS overlayfs mount over a
fuse (file system in userspace) mount. Inactive SUID binaries in the
user-controllable fuse filesystem may then be copied to other
filesystems in copy_up, thus allowing unprivileged users to create
arbitrary SUID binaries on the disk. Read more...

(CRD 20160222)

http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/


* User Namespaces Overlayfs Xattr Setgid Privilege Escalation:
Overlayfs allows to mix content of two filesystems, e.g. read-only
medium with r/w RAM-fs. This is also allowed within user namespaces.
As overlayfs does not initialize xattr ACLs when copying files,
malicious user may gain write access to SGID directories and further
gain full member access to that group. As member of group root or
staff escalation to user root might be simple.

(CRD 20160222)

http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/

* Access to all /dev/pts devices via pt_chown and user namespaces:
/usr/lib/pt_chown was used to change ownership of slave pts devices in
/dev/pts to the same uid holding the master file descriptor for the
slave. Another devpts instance mountend within user namespace allows
unprivileged user to fool pt_chown to operate on file descriptors from
inside namespace but change ownership of device with same number
outside the namespace.

(Issue too old, no clear fix on the way - see oss-security discussion.)

http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/

* Aufs Union Filesystem Privilege Escalation In User Namespaces: Aufs
is a union filesystem to mix content of different underlying
filesystems, e.g. read-only medium with r/w RAM-fs. That is also
allowed in user namespaces when module was loaded with allow_userns
option. Due to different bugs, aufs in a crafted USERNS allows
privilege escalation, which is a problem on systems enabling
unprivileged USERNS by default, e.g. Ubuntu Wily.

(This is fixed upstream, but not merged in to kernel mainline. As
issue not so critical and nearly identical to one below, better FD to
let user protect ...)

http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/

hd

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlbMFMgACgkQxFmThv7tq+699QCgk0+iF9HH++T16vf1PC3s5E1o
nCoAoIT6vULxdxA8nQaj3sCjwCFKLxmH
=ci4J
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ