Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Linux user namespaces overlayfs local root

From: halfdog <me () halfdog net>
Date: Sun, 10 Jan 2016 13:07:04 +0000
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

Preamble:

As the issue described herein was fixed 20161206 in Linux Kernel
already and publicly disclosed as security vulnerability 20151224,
here is a short writeup and POC exploit to understand the issue and
perform testing.

Description:

Linux user namespace allows to mount file systems as normal user,
including the overlayfs. As many of those features were not designed
with namespaces in mind, this increase the attack surface of the Linux
kernel interface. Due to missing security checks when changing mode of
files on overlayfs, a SUID binary can be created within user namespace
but executed from outside to gain root privileges.

Overlayfs was intended to allow create writeable filesystems when
running on readonly medias, e.g. on a live-CD. In such scenario, the
lower filesystem contains the read-only data from the medium, the
upper filesystem part is mixed with the lower part. This mixture is
then presented as an overlayfs at a given mount point. When writing to
this overlayfs, the write will only modify the data in upper, which
may reside on a tmpfs for that purpose.

One problematic use case is the modification of file or attributes of
files on the overlayfs within a user namespace. A user without any
capabilities on the host is given CAP_SYSADMIN within the user
namespace, thus having capabilities to change the attributes of files
on the overlayfs when not checking, if the host-system user would also
have the capability to change the attributes of the file without
having CAP_SYSADMIN there also. As this check was missing, the process
within namespace could gain read/write access to arbitrary files.
Combined with the SUID-write technique from a previous article
(SetgidDirectoryPrivilegeEscalation), modification of host-UID-0
SUID-binaries allows escalation to host root user.

Read more at
http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/

hd

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlaSV0wACgkQxFmThv7tq+4ZHACePbBusIsknx0vXdcT3Tk/KF/y
WkQAn2nC/kUeuQBTyZsAbWl7Qvxn1WDE
=BUKF
-----END PGP SIGNATURE-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Previous By Date Next
Previous By Thread Next

Current thread: