exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

vserverProcFS.txt

vserverProcFS.txt
Posted Jul 3, 2004
Authored by Veit Wahlich | Site ircnet.de

VServer versions 1.27 and below (Linux 2.4 stable branch), 1.3.9 and below (Linux 2.4 devel branch), and 1.9.1 and below (Linux 2.6 devel branch) all allow for modifications to the proc filesystem that inadvertently propagate to the real underlying OS.

tags | advisory
systems | linux
SHA-256 | 7ffc22d961ef95fc284f23621c084bd80a36e00a3cb7c901b9467e72943cd656

vserverProcFS.txt

Change Mirror Download
Linux Virtual Server/Secure Context procfs shared permissions flaw
==================================================================

2004-07-02, Veit Wahlich <cru@zodia.de>

Official location of this document: http://ircnet.de/article.shtml?vsproc


Product|
-------+

Linux Virtual Server extends the Linux kernel to provide the ability to
run several virtual servers on a single host system. In contrast to
other virtualization attempts Linux Virtual Server uses a split-
userland architechture under a single kernel to optimize sharing of all
resources and reduce resource consumption overhead per VM to the
absolute minimum.
http://www.linux-vserver.org/


Synopsis|
--------+

During a security audit on the vproc security scheme a permission-
sharing vulnerability was discovered.


Vulnerable|
----------+

<= 1.27 (Linux 2.4 stable branch)
<= 1.3.9 (Linux 2.4 devel branch)
<= 1.9.1 (Linux 2.6 devel branch)


Severity|
--------+

- local DoS
- creation of information leaks

See details below.


History|
-------+

2004-06-30 vuln discovered
2004-07-02 vendor informed
2004-07-03 first vendor response, confirmation
2004-07-04 official fix available, advisory release


Description|
-----------+

While auditing and experimenting with VServer procfs and vproc security
we discovered a problem sharing permissions on the procfs mounted
directories:

Within any context users are still able to change permissions on /proc,
both access permission and ownership. That is just fine as many people
would like to restrict access to /proc to the root user or a group of
trusted users.

But as changes to a procfs mountpoint do not apply to the mountpoint
itself but to procfs in general, these changes affect all contexts
(VServers) and even the host system.

All tests were done against the stable branch (1.2x) but regarding to
Herbert Poetzl, the problem exists on both devel branches (1.3.x,
1.9.x), too.

Version 1.28 (stable branch) resolves this problem.


Exploitation|
------------+

The vulnerability may be locally exploited in two ways:

1. From within a virtual server a denial of service attack (DoS) may be
provoked towards other virtual servers and the host system.
By setting permissions that prevent users other than root to read
information from procfs (i.e. process information) will disable a wide
range of services.

2. On systems where access to procfs is allowed to root only (or to a
group of trusted users; i.e. shared hosting environments), an attacker
may use access to another virtual server to gain critical information
about processes or other data on the primary target virtual server (or
the host system).


Work-around|
-----------+

To work around this problem, procfs may be mounted read-only. On the
host-system do:

# mount -o remount,ro /proc

As this also prevents the host system from changing any values in
/proc, this should just be a temporary solution!
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close