Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 14 Mar 2013 09:03:20 +0800
From: Eugene Teo <eugeneteo@...nel.sg>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Cc: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit

On 14 Mar, 2013, at 8:59 AM, Eugene Teo <eugeneteo@...nel.sg> wrote:

> On 13 Mar, 2013, at 11:39 PM, Sebastian Krahmer <krahmer@...e.de> wrote:
> 
>> Hi,
>> 
>> Seems like CLONE_NEWUSER|CLONE_FS might be a forbidden
>> combination.
>> During evaluating the new user namespace thingie, it turned out
>> that its trivially exploitable to get a (real) uid 0,
>> as demonstrated here:
>> 
>> http://stealth.openwall.net/xSports/clown-newuser.c
>> 
>> The trick is to setup a chroot in your CLONE_NEWUSER,
>> but also affecting the parent, which is running
>> in the init_user_ns, but with the chroot shared.
>> Then its trivial to get a rootshell from that.
>> 
>> Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).
>> 
>> I hope I didnt make anything wrong, mixing up the UIDs,
>> or disabled important checks during kernel build on my test
>> system. ;)
> 
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=aea8b5d1e5c5482e7cdda849dc16d728f7080289

I realised that the link is incorrect. Will post again when I see the patches.

> 

Eugene

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ