Date: Mon, 18 Mar 2013 16:36:40 +0100 From: Agostino Sarubbo <ago@...too.org> To: oss-security@...ts.openwall.com Subject: Re: CLONE_NEWUSER|CLONE_FS root exploit On Wednesday 13 March 2013 18:33:00 Greg KH wrote: > On Thu, Mar 14, 2013 at 09:03:20AM +0800, Eugene Teo wrote: > > On 14 Mar, 2013, at 8:59 AM, Eugene Teo <eugeneteo@...nel.sg> wrote: > > > On 13 Mar, 2013, at 11:39 PM, Sebastian Krahmer <krahmer@...e.de> wrote: > > >> Hi, > > >> > > >> Seems like CLONE_NEWUSER|CLONE_FS might be a forbidden > > >> combination. > > >> During evaluating the new user namespace thingie, it turned out > > >> that its trivially exploitable to get a (real) uid 0, > > >> as demonstrated here: > > >> > > >> http://stealth.openwall.net/xSports/clown-newuser.c > > >> > > >> The trick is to setup a chroot in your CLONE_NEWUSER, > > >> but also affecting the parent, which is running > > >> in the init_user_ns, but with the chroot shared. > > >> Then its trivial to get a rootshell from that. > > >> > > >> Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64). > > >> > > >> I hope I didnt make anything wrong, mixing up the UIDs, > > >> or disabled important checks during kernel build on my test > > >> system. ;) > > > > > > https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/? > > > id=aea8b5d1e5c5482e7cdda849dc16d728f7080289> > > I realised that the link is incorrect. Will post again when I see the > > patches. > It is commit e66eded8309ebf679d3d3c1f5820d1f2ca332c71 in Linus's tree, > so replace the sha in the above link with this one instead. Someone know exactly in which version the bug appears and which series are affected? -- Agostino Sarubbo Gentoo Linux Developer
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.