** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Released

** Information type changed from Private Security to Public Security

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-16120

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1894980

Title:
  CVE-2020-16120: unprivileged overlayfs permission checking

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  Opening this as a tracking bug for CVE-2020-16120

  Hi,

  while playing with shiftfs I've noticed a strange interaction with
  overlay and that seems to allow reading files under an accessible
  directory, even if they are not readable to the user who created the
  user namespace.

  While overlay would not accept a FUSE file system as upper layer, it
  seems the check doesn't work when it goes through a shiftfs layer.

  For the exploit purpose, I've used fuse-overlayfs only because I am
  familiar with it but I'd expect any FUSE file system to behave
  in the same way.  The additional drop_unlink.patch patch is used only to
  inhibit deleting temporary files in fuse-overlayfs.

  The steps required are:

  1) create a user namespace with an unprivileged user.
  2) mount a FUSE file system where we have full control at M1.  In
     the exploit fuse-overlayfs with a custom patch is used.
  3) mount shiftfs from the FUSE mount M1 to a mountpoint M2.
  4) mount overlay using /etc as lowerdir and M2 for the upperdir (and
     workdir).
  5) attempt a "mv M2/shadow M2/something-else".

  The shadow file that is coming from the lower layer (/etc/shadow), is
  copied to the shiftfs and ultimately to the FUSE file system.  The copy
  would fail but that happens too late, after the FUSE file system already
  received the file content.  Since we have full control of the FUSE file
  system, we can access the content of /etc/shadow.

  For running the exploit, you need to have the fuse-overlayfs
  dependencies installed (libc6-dev gcc g++ make automake autoconf pkgconf
  libfuse3-dev).

  It is enough to run "make" as unprivileged user and if the exploit
  succeeds you get the content of the /etc/shadow file under the result/
  directory.

  Tested on Ubuntu 20.04 with Linux 5.4.0-42-generic.

  
  Thanks,
  Giuseppe
