oss-sec mailing list archives

Re: Access to /dev/pts devices via pt_chown and user namespaces

From: cve-assign () mitre org
Date: Sun, 6 Mar 2016 21:03:38 -0500 (EST)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/

http://www.openwall.com/lists/oss-security/2016/02/23/3

... condition can be easily created by creating an user namespace,
mounting devpts with the newinstance option, create master and slave
pts pairs until the number overlaps with a target pts outside the
namespace on the host, where there is interest to gain ownership and
then invoke pt_chown.

... intercept all keystrokes and display faked output from
commands never really executed.

http://www.openwall.com/lists/oss-security/2016/02/23/7

glibc documentation clearly states that "the use of pt_chown introduces
additional security risks to the system and you should enable it only
if you understand and accept those risks":
https://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html#index-grantpt-1

http://www.openwall.com/lists/oss-security/2016/02/24/5

So for pt_chown, this could hopefully be
just an Ubuntu issue. Should we assign an CVE for that?

http://www.openwall.com/lists/oss-security/2016/02/24/10
And Debian 8


We think this is currently the best option. Use CVE-2016-2856. This
CVE is about the specific pt_chown finding in the
PtChownArbitraryPtsAccessViaUserNamespace document. Also, we do not
want this to be considered an upstream glibc vulnerability.

(In addition, this CVE is not about whether the pt_chown program
should exist at all, or about whether all users should be able to
create user namespaces. Each of those is an important security topic,
but the importance is a consequence of multiple issues that could be
associated with multiple CVEs.)

The initial CVE-2016-2856 description might look roughly like:

   pt_chown in the glibc package before 2.19-18+deb8u4 on Debian
   jessie lacks a namespace check associated with file-descriptor
   passing, which allows local users to capture keystrokes and spoof
   data, and possibly gain privileges, via pts read and write
   operations, related to debian/sysdeps/linux.mk. NOTE: this is not
   considered a vulnerability in the upstream GNU C Library because
   the upstream documentation has a clear security recommendation
   against the --enable-pt_chown option.

See the
http://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=jessie&id=09f7764882a81e13e7b5d87d715412283a6ce403
and
http://anonscm.debian.org/cgit/pkg-glibc/glibc.git/commit/?h=jessie&id=11475c083282c1582c4dd72eecfcb2b7d308c958
commits. Here, Debian jessie is just an example; a similar statement
might be made about Ubuntu Wily Werewolf, etc. The
09f7764882a81e13e7b5d87d715412283a6ce403 commit can be associated with
(at least) two CVE IDs that motivated the change: CVE-2013-2207 (which
is directly mentioned there) and the new CVE-2016-2856.

On the other hand, the TIOCGPTN ioctl still is problematic with
USERNS, also for other tools. I just started with pt_chown for
demonstration because it is SUID, perhaps there are other programs
using this ioctl.

Should information about this risk/attack method just be added to the
kernel docs/man-page of TIOCGPTN or is it a separate vulnerability
with need for addressing (another CVE?).


We don't feel that enough information has been sent to reach a
conclusion about whether the "kernel should prevent the TIOCGPTN ioctl
when invoked called by a process within one namespace but acting on a
filedescriptor from a devpts instance mounted in a different
namespace" recommendation should have a CVE ID. We could, for example,
assign separate CVE IDs to other affected applications (if any)
instead.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJW3ODUAAoJEL54rhJi8gl5zaUP/RRwv6Npic0DYvGFwqCQZq9v
hH5QeGvA6ZYCETdAfsN73wmZ9GlhiXMWwTprDf4Zq3r5yfTzfFzrN7f5hu1hTOPa
/Eonam4l+OML+IymPl85e0wqifeVyJAQj1mk1KYB9tk5jBYcxxARpI3RRt7iC0Jp
+HLo7ayQcEmIE+6XxcVW0C4A5ahBFq75mceqPdJmluNmcBQxx5RHGvJPVeAAAEQA
ccFyqR1lCHlU29WifN99KUjrBzIzR/WzJFvmyL+g8fD7/nA4iT08S8wQf9HbPncv
puFdPn0q23bRwHtH0uOjpdG6V4rWFgSreZW8r+U6xeDYO1yk+uVL1I99s+/0iquH
ghlU4JtbKt8v4nBobh8JGrwdncdpvvS5ojZ9KPVgeBPhe1LAUQRKqiiaAsjRtlDl
tCdIsTnMYV530D9ykw6c82am7Y2ZAW9Tiov6Ug9fHsItAaWMiNzl+AXSMZ6qRPSK
vw0zLIOn4xh9dMKr9VbXN1WX/i/aR6Nbn2ZE7rSF8UlPlff83UeFYhVJ+20iAMXq
sDINreZzpcXRITlsX7h7BDumyrYbNcwNgQMqp9YYV35nA8i4FJubGGHzUAlhrdIh
UF7k+w7nmFN/kgsE0I6Lyi1Ow04F1KvsJfM4+aV/032liDxle7XPl6sZwsOlH7p0
uUXK4WJDDt3SBJQIap5W
=YYhd
-----END PGP SIGNATURE-----

Current thread:

Re: Access to /dev/pts devices via pt_chown and user namespaces, (continued)
- - Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 23)
    - Re: Access to /dev/pts devices via pt_chown and user namespaces halfdog (Feb 23)
    - Re: Access to /dev/pts devices via pt_chown and user namespaces Simon McVittie (Feb 23)
    - Re: Access to /dev/pts devices via pt_chown and user namespaces Dmitry V. Levin (Feb 24)
    - Re: Access to /dev/pts devices via pt_chown and user namespaces Serge Hallyn (Feb 24)
    - Re: Access to /dev/pts devices via pt_chown and user namespaces Jakub Wilk (Feb 27)
  - Re: Access to /dev/pts devices via pt_chown and user namespaces halfdog (Feb 23)
    - Re: Access to /dev/pts devices via pt_chown and user namespaces Alan Coopersmith (Feb 23)
- pt_chown timeline, CVE request [was: Access to /dev/pts devices via pt_chown and user namespaces] Jann Horn (Feb 28)
  - Re: pt_chown timeline, CVE request [was: Access to /dev/pts devices via pt_chown and user namespaces] Aurelien Jarno (Feb 28)
- Re: Access to /dev/pts devices via pt_chown and user namespaces cve-assign (Mar 06)