Date: Tue, 12 Aug 2014 22:43:00 -0700 From: Andy Lutomirski <luto@...capital.net> To: oss-security@...ts.openwall.com Subject: Re: CVE Request: ro bind mount bypass using user namespaces On Tue, Aug 12, 2014 at 10:04 PM, Andy Lutomirski <luto@...capital.net> wrote: > On Tue, Aug 12, 2014 at 4:54 PM, Andy Lutomirski <luto@...capital.net> wrote: >> On 08/12/2014 02:48 PM, Kenton Varda wrote: >>> Due to a bug in the Linux kernel's implementation of remount, on systems >>> with unprivileged user namespaces enabled, it is possible for an >>> unprivileged user to gain write access to any visible read-only bind mount. >>> It is also possible to bypass flags like nodev, nosuid, and noexec. ... > > Yup. I have a fairly reliable exploit now. Will post the code in a > couple of weeks. To clarify: my exploit has nothing to do with sandboxing. It roots default-ish configurations of Fedora 20 and Ubuntu 14.04. --Andy
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ