oss-sec mailing list archives

Re: Re: Firejail local root exploit


From: Marcus Meissner <meissner () suse de>
Date: Fri, 6 Jan 2017 11:11:53 +0100

Hi Mitre,

On Wed, Jan 04, 2017 at 12:16:49PM -0500, cve-assign () mitre org wrote:
> > * Firejail has too broad attack surface that allows users
> > * to specify a lot of options, where one of them eventually
> > * broke by accessing user-files while running with euid 0.
> 
> > const char *const ldso = "/etc/ld.so.preload";
> > ...
> > snprintf(path, sizeof(path) - 1, "%s/.firenail/.Xauthority", home);
> > ...
> > symlink(ldso, path)
> 
> Use CVE-2017-5180.

Is this correct? It starts quite far into the 2017 namespace?

Or have other CNAs allocated the previous 5000 ?

Ciao, Marcus
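The snippet quoted above relies on a setuid-root program opening a path under the caller's $HOME while still running with euid 0, so a symlink the user plants there (pointing at /etc/ld.so.preload) is followed by root. The following is an added example, not code from Firejail or from the quoted exploit, showing the naive open() beside a hardened variant that refuses symlinks and files not owned by the invoking user. Function names, the scratch directory under /tmp and the harmless symlink target are assumptions for illustration; the demo never touches /etc/ld.so.preload.

```c
/* Added example, not Firejail's code and not the quoted exploit.
 * Demonstrates why a privileged process must not follow a symlink in a
 * user-controlled directory, and one defensive open() pattern. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: a plain open() follows whatever the last path
 * component points at. Running with euid 0 on "$HOME/.../.Xauthority",
 * a user symlink to /etc/ld.so.preload makes root open that file. */
int open_following_symlinks(const char *path)
{
    return open(path, O_RDONLY);
}

/* Hardened pattern: O_NOFOLLOW makes open() fail (ELOOP on Linux) when
 * the final component is a symlink, and fstat() on the descriptor (not
 * stat() on the path, which would race with a rename) confirms a regular
 * file owned by the expected user before it is used. A setuid helper
 * should also do this with the caller's privileges, e.g. after
 * seteuid(getuid()); O_NOFOLLOW is the belt-and-braces check. */
int open_user_file_nofollow(const char *path, uid_t expected_owner)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != expected_owner) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed scenario: a scratch directory (assumed path under /tmp)
 * with a real file and a symlink named .Xauthority pointing at it.
 * Returns 1 when the naive open follows the link, the hardened open
 * refuses it, and the hardened open still accepts the real file;
 * 0 if any of those differ; -1 on setup failure. */
int demo_symlink_check(void)
{
    char dir[] = "/tmp/fjdemoXXXXXX";
    if (mkdtemp(dir) == NULL)
        return -1;
    char target[PATH_MAX], link[PATH_MAX];
    snprintf(target, sizeof target, "%s/real_file", dir);
    snprintf(link, sizeof link, "%s/.Xauthority", dir);

    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    (void)write(fd, "x", 1);
    close(fd);
    if (symlink(target, link) < 0)
        return -1;

    int naive  = open_following_symlinks(link);          /* follows link */
    int safe   = open_user_file_nofollow(link, getuid()); /* refused */
    int direct = open_user_file_nofollow(target, getuid()); /* accepted */
    int result = (naive >= 0 && safe < 0 && direct >= 0) ? 1 : 0;

    if (naive >= 0) close(naive);
    if (direct >= 0) close(direct);
    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_check();
    printf("naive open followed the symlink, hardened open refused it: %s\n",
           r == 1 ? "yes" : "no");
    return r == 1 ? 0 : 1;
}
```

The ownership check matters as much as O_NOFOLLOW: a hard link, or a directory component swapped for a symlink, still lands root on a file the user does not own, and the real fix is to touch the user's files only with the user's privileges.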

