Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 19 Jan 2016 20:10:50 +0000
From: halfdog <me@...fdog.net>
To: oss-security@...ts.openwall.com
Subject: Overlayfs and devpts issues in namespaces

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

<Seems that message did not get through, so resending>

Hi,

Solar Designer wrote:
> On Wed, Jan 13, 2016 at 10:26:18PM +0000, halfdog wrote:
>> About the title of the thread: The second topic mentionend in 
>> initial mail "Overlayfs and devpts issues in namespaces", was
>> the devpts issue. I combined those two in one thread, because one
>>  vulnerability makes discovery of second quite simple - that is 
>> why I discovered both nearly at same time. The later one is
>> still undisclosed. From the Ubuntu bug report notifications I
>> know, that they are at least trying to get rid of the
>> problematic pt_chown SUID binary, but there seem to be other
>> devpts issues they know about.
> 
> Since you brought the devpts issue in here on January 4, you must 
> post about it to oss-security no later than on January 18
> (Monday), or you may choose to do it today (Thursday).  (Friday and
> the weekend are worse.)

The writeup is ready since weeks, the first one is out already. The
user namespaces topic proved more problematic than initially thought:
two more local root privilege escalation variants were found,
overlayfs is vulnerable since enabled (e.g. Ubuntu Trusty up to now).

This was the first time, I tried to cooperate with others for fixing
via Linux distros instead only via Ubuntu and upstream, but even with
patch available, this did not speed up the process from discovery to
patching. So embargo time has ended but no patch available yet.

With that in mind, what would be best next steps for all those known
and also future issues?

As I know about the problems with uncoordinated full disclosure, but
bearing in mind, that full disclosure is also a method of enabling
those wanting to protect themselves, I am inclined to try this procedure:

* Send a pre-announce about 3 more userns related issues allowing
local root gain, thus proofing needs to audit the code more closely.

* Request developers to provide a mitigation workaround as kernel
module, that, as long as loaded a) disables userns as such or variant
b) just disables mounting within userns when not being host-uid-0.
Such a module should mitigate worst effects for production
environments but may leave other platforms (embedded? phones?)
unprotected.

* Module should be very simple to develop and perhaps distribute as
e.g. Ubuntu PPA addon-package to current kernel. So give whole public
2 days time for mitigation module.

* No matter if module is available or not (if not, that means that the
issues is irrelevant from security perspective). Hence full disclosure
cannot do any further harm.

Opinions?

hd

PS: As the number of issues currently in processing are way too large
for sparetime handling, coordination is getting worse. So quite
likely, different parties might be out of sync already.

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlaemC8ACgkQxFmThv7tq+411wCgjLx73cl3pKj/mvhIJC0EcrYb
8AAAni5TlXemvoPf/xei0tYHpjNhJA6q
=klHo
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.