Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 12 Aug 2014 22:43:00 -0700
From: Andy Lutomirski <luto@...capital.net>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request: ro bind mount bypass using user namespaces

On Tue, Aug 12, 2014 at 10:04 PM, Andy Lutomirski <luto@...capital.net> wrote:
> On Tue, Aug 12, 2014 at 4:54 PM, Andy Lutomirski <luto@...capital.net> wrote:
>> On 08/12/2014 02:48 PM, Kenton Varda wrote:
>>> Due to a bug in the Linux kernel's implementation of remount, on systems
>>> with unprivileged user namespaces enabled, it is possible for an
>>> unprivileged user to gain write access to any visible read-only bind mount.
>>> It is also possible to bypass flags like nodev, nosuid, and noexec.

...

>
> Yup.  I have a fairly reliable exploit now.  Will post the code in a
> couple of weeks.

To clarify: my exploit has nothing to do with sandboxing.  It roots
default-ish configurations of Fedora 20 and Ubuntu 14.04.

--Andy

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ