Date: Sun, 29 Nov 2015 23:43:09 +0100
From: Richard Weinberger
Cc: Stephen Hemminger
Subject: user controllable usermodehelper in br_stp_if.c


By spawning new network and user namespaces an unprivileged user
is able to execute /sbin/bridge-stp within the initial mount namespace
with global root rights.
While this cannot directly be used to break out of a container or gain
global root rights, it could be used by exploit writers as a valuable building block.

$ unshare -U -r -n /bin/sh
$ brctl addbr br0
$ brctl stp br0 on # this will execute /sbin/bridge-stp

As this mechanism clearly cannot work with containers and seems to be legacy code
I suggest not calling call_usermodehelper() at all if we're not in the initial user namespace.
What do you think?
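A host-side check for the exposure described above, added here as an example and not part of the original post or of any kernel or bridge-utils code. It assumes two sysctl knobs: the Debian/Ubuntu-specific kernel.unprivileged_userns_clone switch and the mainline user.max_user_namespaces limit (present on kernels newer than the one this report concerns); on a host where neither file exists it assumes unprivileged user namespace creation is allowed. The /proc/sys directory and the helper path are parameters so the check can be run against a copied or constructed tree.

```shell
#!/bin/sh
# Check whether an unprivileged local user could reach the STP helper:
# (1) can unprivileged users create user namespaces, and
# (2) does /sbin/bridge-stp exist and is it executable?

# Returns 0 if unprivileged user namespace creation appears enabled.
# Arg 1: directory standing in for /proc/sys (default /proc/sys).
unpriv_userns_enabled() {
  sysdir="${1:-/proc/sys}"
  # Distro-specific switch (assumed path, Debian/Ubuntu kernels): 0 disables.
  if [ -r "$sysdir/kernel/unprivileged_userns_clone" ]; then
    [ "$(cat "$sysdir/kernel/unprivileged_userns_clone")" -ne 0 ] || return 1
  fi
  # Mainline limit (assumed path, newer kernels): 0 disables creation for everyone.
  if [ -r "$sysdir/user/max_user_namespaces" ]; then
    [ "$(cat "$sysdir/user/max_user_namespaces")" -ne 0 ] || return 1
  fi
  # Neither knob present: assume the kernel allows it.
  return 0
}

# Prints "exposed" when both conditions hold, "ok" otherwise.
# Arg 1: sysdir as above; Arg 2: path of the STP helper (default /sbin/bridge-stp).
bridge_stp_exposure() {
  helper="${2:-/sbin/bridge-stp}"
  if unpriv_userns_enabled "$1" && [ -x "$helper" ]; then
    echo exposed
  else
    echo ok
  fi
}

# Stand-alone use: report on the running host.
[ "${SKIP_MAIN:-}" ] || bridge_stp_exposure
```

The verdict "ok" only means one of the two preconditions is missing on this host; the kernel still invokes the helper from a non-initial namespace, so the check is a stopgap until the call itself is gated on the initial namespace as suggested above.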

