Date: Sun, 29 Nov 2015 23:43:09 +0100
From: Richard Weinberger <richard@....at>
To: "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Cc: "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 "kernel-hardening@...ts.openwall.com" <kernel-hardening@...ts.openwall.com>,
 "keescook@...omium.org" <keescook@...omium.org>,
 bridge@...ts.linux-foundation.org,
 Stephen Hemminger <stephen@...workplumber.org>
Subject: user controllable usermodehelper in br_stp_if.c

Hi!

By spawning new network and user namespaces an unprivileged user
is able to execute /sbin/bridge-stp within the initial mount namespace
with global root rights.
While this cannot directly be used to break out of a container or gain
global root rights, it could be used by exploit writers as a valuable building block.

e.g.
$ unshare -U -r -n /bin/sh
$ brctl addbr br0
$ brctl stp br0 on # this will execute /sbin/bridge-stp

As this mechanism clearly cannot work with containers and seems to be legacy code
I suggest not calling call_usermodehelper() at all if we're not in the initial user namespace.
What do you think?

Thanks,
//richard
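
An exposure check for the conditions the message above describes, as an added example that is not part of the original post: it reports whether unprivileged user namespaces can be created and whether /sbin/bridge-stp is present to be run. The function names and verdict strings are hypothetical, the kernel is assumed to behave as the message describes, and the two sysctl files (upstream `user.max_user_namespaces`, Debian/Ubuntu `kernel.unprivileged_userns_clone`) are not mentioned in the message and exist only on some kernels.

```shell
#!/bin/sh
# Added example, not from the original post.
# Each function takes an optional ROOT prefix so the check can be run against
# a constructed directory tree; with no argument it inspects the live system.

# userns_unprivileged ROOT -> prints "yes", "no" or "unknown"
userns_unprivileged() {
    root=${1:-}
    max="$root/proc/sys/user/max_user_namespaces"
    clone="$root/proc/sys/kernel/unprivileged_userns_clone"
    # Debian/Ubuntu-specific switch: 0 disables unprivileged user namespaces.
    if [ -r "$clone" ] && [ "$(cat "$clone")" = "0" ]; then
        echo no; return
    fi
    # Upstream limit: 0 means no user namespaces can be created at all.
    if [ -r "$max" ]; then
        if [ "$(cat "$max")" = "0" ]; then echo no; else echo yes; fi
        return
    fi
    if [ -r "$clone" ]; then echo yes; return; fi
    echo unknown    # neither sysctl exists on this kernel
}

# helper_present ROOT -> succeeds if an executable /sbin/bridge-stp exists
helper_present() {
    [ -x "${1:-}/sbin/bridge-stp" ]
}

# bridge_stp_exposure ROOT -> one-word verdict for the scenario in the message
bridge_stp_exposure() {
    root=${1:-}
    reach=$(userns_unprivileged "$root")
    case "$reach" in
        no)      echo not-reachable; return ;;
        unknown) echo unknown; return ;;
    esac
    if helper_present "$root"; then
        echo helper-runs-as-root    # the helper binary would be executed
    else
        echo exec-attempt-only      # nothing at that path to execute
    fi
}

bridge_stp_exposure "${1:-}"
```

A verdict of `helper-runs-as-root` means both preconditions from the message hold, so the ownership and permissions of /sbin/bridge-stp are worth reviewing.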
