Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 13 Mar 2013 18:33:00 -0700
From: Greg KH <gregkh@...uxfoundation.org>
To: oss-security@...ts.openwall.com
Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit

On Thu, Mar 14, 2013 at 09:03:20AM +0800, Eugene Teo wrote:
> On 14 Mar, 2013, at 8:59 AM, Eugene Teo <eugeneteo@...nel.sg> wrote:
> 
> > On 13 Mar, 2013, at 11:39 PM, Sebastian Krahmer <krahmer@...e.de> wrote:
> > 
> >> Hi,
> >> 
> >> Seems like CLONE_NEWUSER|CLONE_FS might be a forbidden
> >> combination.
> >> During evaluating the new user namespace thingie, it turned out
> >> that its trivially exploitable to get a (real) uid 0,
> >> as demonstrated here:
> >> 
> >> http://stealth.openwall.net/xSports/clown-newuser.c
> >> 
> >> The trick is to setup a chroot in your CLONE_NEWUSER,
> >> but also affecting the parent, which is running
> >> in the init_user_ns, but with the chroot shared.
> >> Then its trivial to get a rootshell from that.
> >> 
> >> Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).
> >> 
> >> I hope I didnt make anything wrong, mixing up the UIDs,
> >> or disabled important checks during kernel build on my test
> >> system. ;)
> > 
> > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=aea8b5d1e5c5482e7cdda849dc16d728f7080289
> 
> I realised that the link is incorrect. Will post again when I see the patches.

It is commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71 in Linus's tree,
so replace the sha in the above link with this one instead.

Hope this helps,

greg k-h

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ