Date: Tue, 12 Aug 2014 22:04:28 -0700 From: Andy Lutomirski <luto@...capital.net> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: ro bind mount bypass using user namespaces On Tue, Aug 12, 2014 at 4:54 PM, Andy Lutomirski <luto@...capital.net> wrote: > On 08/12/2014 02:48 PM, Kenton Varda wrote: >> Due to a bug in the Linux kernel's implementation of remount, on systems >> with unprivileged user namespaces enabled, it is possible for an >> unprivileged user to gain write access to any visible read-only bind mount. >> It is also possible to bypass flags like nodev, nosuid, and noexec. >> >> This problem affects sandboxing / containerization systems that do not >> expose the regular filesystem to the sandboxed process, but do expose a >> bind-mounted view of that filesystem using these flags to enforce security. >> This bug may enable a sandbox break-out. Sandboxes which have used >> seccomp-bpf to disable the "mount" system call or to disable user >> namespaces are likely safe. > > nosuid/nodev failures are probably exploitable for full root in many > common configurations. Yup. I have a fairly reliable exploit now. Will post the code in a couple of weeks. --Andy
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ