oss-sec mailing list archives
Re: CVE Request: ro bind mount bypass using user namespaces
From: Andy Lutomirski <luto () amacapital net>
Date: Tue, 12 Aug 2014 22:43:00 -0700
On Tue, Aug 12, 2014 at 10:04 PM, Andy Lutomirski <luto () amacapital net> wrote:
On Tue, Aug 12, 2014 at 4:54 PM, Andy Lutomirski <luto () amacapital net> wrote:On 08/12/2014 02:48 PM, Kenton Varda wrote:Due to a bug in the Linux kernel's implementation of remount, on systems with unprivileged user namespaces enabled, it is possible for an unprivileged user to gain write access to any visible read-only bind mount. It is also possible to bypass flags like nodev, nosuid, and noexec.
...
Yup. I have a fairly reliable exploit now. Will post the code in a couple of weeks.
To clarify: my exploit has nothing to do with sandboxing. It roots default-ish configurations of Fedora 20 and Ubuntu 14.04. --Andy
Current thread:
- CVE Request: ro bind mount bypass using user namespaces Kenton Varda (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces cve-assign (Aug 12)
- Re: CVE Request: ro bind mount bypass using user namespaces Kenton Varda (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Yves-Alexis Perez (Aug 13)
- Re: CVE Request: ro bind mount bypass using user namespaces Sven Kieske (Aug 13)
- <Possible follow-ups>
- Re: CVE Request: ro bind mount bypass using user namespaces Vitaly Nikolenko (Aug 14)
- Re: CVE Request: ro bind mount bypass using user namespaces Andy Lutomirski (Aug 12)