what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Linux Kernel USERNS Issues

Linux Kernel USERNS Issues
Posted Feb 26, 2016
Authored by halfdog

The Linux kernel suffers from multiple privilege escalation vulnerabilities.

tags | advisory, kernel, vulnerability
systems | linux
SHA-256 | 0b1307cf1bccf05f7afed496f827ea994587f2a9aabae71db2922ee6a1d127fd

Linux Kernel USERNS Issues

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello List,

Here are some issues recently discovered:

* Overlayfs over Fuse Privilege Escalation: On some systems, e.g.
Ubuntu Wily, it is possible to place an USERNS overlayfs mount over a
fuse (file system in userspace) mount. Inactive SUID binaries in the
user-controllable fuse filesystem may then be copied to other
filesystems in copy_up, thus allowing unprivileged users to create
arbitrary SUID binaries on the disk. Read more...

(CRD 20160222)

http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/


* User Namespaces Overlayfs Xattr Setgid Privilege Escalation:
Overlayfs allows to mix content of two filesystems, e.g. read-only
medium with r/w RAM-fs. This is also allowed within user namespaces.
As overlayfs does not initialize xattr ACLs when copying files,
malicious user may gain write access to SGID directories and further
gain full member access to that group. As member of group root or
staff escalation to user root might be simple.

(CRD 20160222)

http://www.halfdog.net/Security/2016/UserNamespaceOverlayfsXattrSetgidPrivilegeEscalation/

* Access to all /dev/pts devices via pt_chown and user namespaces:
/usr/lib/pt_chown was used to change ownership of slave pts devices in
/dev/pts to the same uid holding the master file descriptor for the
slave. Another devpts instance mountend within user namespace allows
unprivileged user to fool pt_chown to operate on file descriptors from
inside namespace but change ownership of device with same number
outside the namespace.

(Issue too old, no clear fix on the way - see oss-security discussion.)

http://www.halfdog.net/Security/2015/PtChownArbitraryPtsAccessViaUserNamespace/

* Aufs Union Filesystem Privilege Escalation In User Namespaces: Aufs
is a union filesystem to mix content of different underlying
filesystems, e.g. read-only medium with r/w RAM-fs. That is also
allowed in user namespaces when module was loaded with allow_userns
option. Due to different bugs, aufs in a crafted USERNS allows
privilege escalation, which is a problem on systems enabling
unprivileged USERNS by default, e.g. Ubuntu Wily.

(This is fixed upstream, but not merged in to kernel mainline. As
issue not so critical and nearly identical to one below, better FD to
let user protect ...)

http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/

hd

- --
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88 2BD8 C459 9386 feed a bee
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlbMFMgACgkQxFmThv7tq+699QCgk0+iF9HH++T16vf1PC3s5E1o
nCoAoIT6vULxdxA8nQaj3sCjwCFKLxmH
=ci4J
-----END PGP SIGNATURE-----


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close