Date: Wed, 20 Jan 2016 09:06:03 -0600
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Jann Horn <jann@...jh.net>
Subject: Security issue in eCryptfs-utils (CVE-2016-1572)

Jann Horn discovered that the setuid-root mount.ecryptfs_private helper would mount over any target directory that the user owns. This included procfs. A user could mount over the /proc/<PID> of a process that they own and maliciously craft files in that mount point with the intent to confuse privileged processes that interact with those files.

Once the crafted mount point was set up, the reporter used the newuidmap program (also setuid-root) to escalate his privileges by confusing it with the files in the crafted mount point.

This issue was assigned CVE-2016-1572. The upstream fix prevents the attack by creating a whitelist of mount target filesystem types that mount.ecryptfs_private can safely mount over.

  https://launchpad.net/bugs/1530566
  https://bazaar.launchpad.net/~ecryptfs/ecryptfs/trunk/revision/870

Tyler

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
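A sketch of the kind of check the message describes, a default-deny allowlist on the filesystem type of the mount target, follows as an added example; it is not the upstream code from the linked revision. The `ex_` names and the contents of the allowlist are assumptions chosen for illustration, and the code is Linux-specific.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <stddef.h>
#include <sys/vfs.h>
#include <unistd.h>

/* Filesystem magic numbers as reported in statfs.f_type on Linux. */
#define EX_EXT_MAGIC   0xEF53UL      /* ext2/ext3/ext4 */
#define EX_BTRFS_MAGIC 0x9123683EUL
#define EX_XFS_MAGIC   0x58465342UL
#define EX_PROC_MAGIC  0x9FA0UL      /* procfs: deliberately not on the list */

/* Assumed allowlist for illustration; the real list is a policy decision. */
static const unsigned long ex_allowed_types[] = {
    EX_EXT_MAGIC, EX_BTRFS_MAGIC, EX_XFS_MAGIC,
};

/* Returns 1 if f_type is on the allowlist, 0 otherwise (default deny). */
int ex_fs_type_allowed(unsigned long f_type)
{
    size_t n = sizeof(ex_allowed_types) / sizeof(ex_allowed_types[0]);

    f_type &= 0xFFFFFFFFUL;  /* undo sign extension of a 32-bit f_type */
    for (size_t i = 0; i < n; i++)
        if (ex_allowed_types[i] == f_type)
            return 1;
    return 0;
}

/*
 * Returns 1 only if path is a directory that lives on an allowlisted
 * filesystem. Any error (missing path, symlink, not a directory,
 * fstatfs failure) returns 0, so the caller fails closed.
 */
int ex_mount_target_allowed(const char *path)
{
    struct statfs sfs;
    int ok = 0;
    /* Open first and query the descriptor, so the object that is checked
     * cannot be swapped for another one between lookup and fstatfs(). */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);

    if (fd < 0)
        return 0;
    if (fstatfs(fd, &sfs) == 0)
        ok = ex_fs_type_allowed((unsigned long)sfs.f_type);
    close(fd);
    return ok;
}
```

A setuid helper would call `ex_mount_target_allowed()` on the target before mounting and refuse when it returns 0; because procfs, sysfs and every other unlisted type are rejected by default, a newly introduced pseudo-filesystem is not silently accepted.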