Re: CLONE_NEWUSER|CLONE_FS root exploit

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 03/13/2013 09:39 AM, Sebastian Krahmer wrote:
> Hi,
>
> Seems like CLONE_NEWUSER|CLONE_FS might be a forbidden 
> combination. During evaluating the new user namespace thingie, it
> turned out that its trivially exploitable to get a (real) uid 0, as
> demonstrated here:
>
> http://stealth.openwall.net/xSports/clown-newuser.c
>
> The trick is to setup a chroot in your CLONE_NEWUSER, but also
> affecting the parent, which is running in the init_user_ns, but
> with the chroot shared. Then its trivial to get a rootshell from
> that.
>
> Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).
>
> I hope I didnt make anything wrong, mixing up the UIDs, or disabled
> important checks during kernel build on my test system. ;)
>
> regards, Sebastian

Nice find. Please use CVE-2013-1858  for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRQW0QAAoJEBYNRVNeJnmT13QP/3WAEnBORPsiS8FhPQjRfryR
h6xVRRVAQWxUgAfCCG0c0lbO9pqXHCJtUASGk3ml+x3LWywYFSFnr7bqeMmGI5/9
16feyAefwruzTn0gDyPgSJeJrE6orqj1nCQvYgS2wzuP9UzWbhvX8AXPV3KnL6zz
0l2xv2rjvFJ//vk7VcF0bAnVLfHXG3teP2mhnSs8kJ1g+pdrxMJz81Y445NJNwD+
FUoIOOLXBIghFuKzd2YM7tpPT4gW/W9tp1SSnazokT1ErXmuqJJ9cboV9ohPPh2p
k2/1X62DWfe60ANsb/kyYfInxA1Qb6SH4FtbrjOgf4UbLtHO9nbR91XB5ZnUAd+5
8iWcDqvXSbUXIpCG3fAW9bQTP/VMSiE92d0KfOhHJ/YHIcbtqE6XTPp6jqzMJv2E
bRtOGGKexbkneCZtnskJk6RNxVzahdtheyyfQYk59b+4yB9m8/+O3KAuUt6xKWDp
La/U3rTdm9/VFwMQoDFozmdiPJYlmFD7ePGaNQwxHb48BM7W+3htnE0aUqBD4Npn
GjI7xgz2Bfah+2bxazzhtEBPDnf69T9YSp02jT5wYoWNE7JP2x4rmPRW6U2Y0FR6
5CcKzmJV0wM0kAKCQp8hMuafsa3op+wgWDiKes2Y1TNgLievjyzZ8N1cS+8kWVdR
yIPXkaL4FisQsUNSHcmv
=YjMj
-----END PGP SIGNATURE-----