oss-sec mailing list archives

Re: CVE Request: ro bind mount bypass using user namespaces

From: Andy Lutomirski <luto () amacapital net>
Date: Tue, 12 Aug 2014 16:54:14 -0700

On 08/12/2014 02:48 PM, Kenton Varda wrote:

Due to a bug in the Linux kernel's implementation of remount, on systems
with unprivileged user namespaces enabled, it is possible for an
unprivileged user to gain write access to any visible read-only bind mount.
It is also possible to bypass flags like nodev, nosuid, and noexec.

This problem affects sandboxing / containerization systems that do not
expose the regular filesystem to the sandboxed process, but do expose a
bind-mounted view of that filesystem using these flags to enforce security.
This bug may enable a sandbox break-out. Sandboxes which have used
seccomp-bpf to disable the "mount" system call or to disable user
namespaces are likely safe.


nosuid/nodev failures are probably exploitable for full root in many
common configurations.

--Andy

Current thread:

CVE Request: ro bind mount bypass using user namespaces Kenton Varda (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
  - Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
    - Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
  - Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces cve-assign (Aug 12)
  - Re: CVE Request: ro bind mount bypass using user namespaces Kenton Varda (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Yves-Alexis Perez (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Sven Kieske (Aug 13)
- <Possible follow-ups>
- Re: CVE Request: ro bind mount bypass using user namespaces Vitaly Nikolenko (Aug 14)