Full Disclosure mailing list archives
Linux user namespaces overlayfs local root
From: halfdog <me () halfdog net>
Date: Sun, 10 Jan 2016 13:07:04 +0000
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello List, Preamble: As the issue described herein was fixed 20161206 in Linux Kernel already and publicly disclosed as security vulnerability 20151224, here is a short writeup and POC exploit to understand the issue and perform testing. Description: Linux user namespace allows to mount file systems as normal user, including the overlayfs. As many of those features were not designed with namespaces in mind, this increase the attack surface of the Linux kernel interface. Due to missing security checks when changing mode of files on overlayfs, a SUID binary can be created within user namespace but executed from outside to gain root privileges. Overlayfs was intended to allow create writeable filesystems when running on readonly medias, e.g. on a live-CD. In such scenario, the lower filesystem contains the read-only data from the medium, the upper filesystem part is mixed with the lower part. This mixture is then presented as an overlayfs at a given mount point. When writing to this overlayfs, the write will only modify the data in upper, which may reside on a tmpfs for that purpose. One problematic use case is the modification of file or attributes of files on the overlayfs within a user namespace. A user without any capabilities on the host is given CAP_SYSADMIN within the user namespace, thus having capabilities to change the attributes of files on the overlayfs when not checking, if the host-system user would also have the capability to change the attributes of the file without having CAP_SYSADMIN there also. As this check was missing, the process within namespace could gain read/write access to arbitrary files. Combined with the SUID-write technique from a previous article (SetgidDirectoryPrivilegeEscalation), modification of host-UID-0 SUID-binaries allows escalation to host root user. Read more at http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/ hd - -- http://www.halfdog.net/ PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlaSV0wACgkQxFmThv7tq+4ZHACePbBusIsknx0vXdcT3Tk/KF/y WkQAn2nC/kUeuQBTyZsAbWl7Qvxn1WDE =BUKF -----END PGP SIGNATURE----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Linux user namespaces overlayfs local root halfdog (Jan 11)