oss-sec mailing list archives

Re: CVE Request: Linux kernel: privilege escalation in user namespaces


From: Fiedler Roman <Roman.Fiedler () ait ac at>
Date: Mon, 21 Dec 2015 09:05:27 +0000

From: Marc Deslauriers [mailto:marc.deslauriers () canonical com]

Hi,

On 2015-12-18 03:54 AM, Fiedler Roman wrote:
Hi,

From: John Johansen [mailto:john.johansen () canonical com]
Subject: [oss-security] CVE Request: Linux kernel: privilege escalation in user namespaces

Hi,

I haven't seen a CVE request for this one yet, so:

Jann Horn reported a privilege escalation in user namespaces to the lkml mailing list:

https://lkml.org/lkml/2015/12/12/259

If a root-owned process wants to enter a user namespace for some reason without knowing who owns it, and therefore can't change to the namespace owner's uid and gid before entering, then as soon as it has entered the namespace, the namespace owner can attach to it via ptrace and thereby gain access to its uid and gid.

Could it be that this is identical to

https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050

which led to

https://bugs.launchpad.net/bugs/cve/2015-1334

except that, combined with another time race, this gives host uid 0 escalation no matter what the target namespace looks like or whether the target uid is known or not?

The bug is marked as fixed, but looking at it, the very similar kernel issue seems not to be addressed, and it is also still marked "private security" although the fix was released.

I could ask Ubuntu Security if we should make that bug public, or perhaps could add accounts to the list of authorized users when told the Launchpad user name to add.


I've just made the bug public. It was an oversight that we hadn't made it public once the fix got released.

Has someone already looked into whether the latest patches addressed the same problem?
Otherwise, making https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1475050
public just released a fully working zero-day exploit.

Kind Regards,
Roman Fiedler
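The application-side defence John's quoted report names, changing to the namespace owner's uid and gid before entering the namespace, written out as an added example in C; this is not code from the thread, from the LXC project or from the kernel patches it discusses. It assumes a kernel with the NS_GET_OWNER_UID nsfs ioctl (Linux 4.11 and later, so not available when this thread was written), a caller running as host root, and, for the primary group, the owner's passwd entry or, failing that, a gid equal to the uid (both labelled assumptions in the code). The kernel-side fix is a separate matter; this only shows the join order that keeps a tracer in the target namespace from gaining anything.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* nsfs ioctls exist since Linux 4.11; fallback values match <linux/nsfs.h>. */
#ifndef NSIO
#define NSIO 0xb7
#endif
#ifndef NS_GET_OWNER_UID
#define NS_GET_OWNER_UID _IO(NSIO, 0x4)
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

/* Ask the kernel who owns the user namespace behind ns_fd (assumes Linux >= 4.11).
 * Returns 0 and fills *owner; returns -1 with errno set when ns_fd is not a
 * user namespace (EINVAL) or not a namespace file at all (ENOTTY). */
int userns_owner_uid(int ns_fd, uid_t *owner)
{
    return ioctl(ns_fd, NS_GET_OWNER_UID, owner) < 0 ? -1 : 0;
}

/* Close fd without clobbering the errno that caused the failure. */
static int fail_close(int fd)
{
    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

/* Become the namespace owner *before* joining its user namespace, so that a
 * ptrace attach by the owner after the join yields only the owner's own ids.
 * Returns 0 on success, -1 with errno set on failure. Once setuid() has run
 * there is no way back to root, so every failure after that point is final. */
int enter_userns_as_owner(const char *ns_path)
{
    int fd = open(ns_path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;

    uid_t owner;
    if (userns_owner_uid(fd, &owner) < 0)
        return fail_close(fd);

    /* Primary group: from passwd if the owner has an entry, otherwise assumed
     * equal to the uid (assumption made for this example). */
    struct passwd *pw = getpwuid(owner);
    gid_t gid = pw ? pw->pw_gid : (gid_t)owner;

    /* Order matters: supplementary groups, then gid, then uid. setuid() from
     * euid 0 replaces real, effective and saved uid together and clears the
     * capability sets, so a tracer inside the namespace gains nothing. */
    if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(owner) < 0)
        return fail_close(fd);

    /* Join only now. The owner of a user namespace holds CAP_SYS_ADMIN in it,
     * so the join still succeeds after dropping host privileges. A raw syscall
     * keeps the example compiling regardless of how <sched.h> is configured. */
    if (syscall(SYS_setns, fd, CLONE_NEWUSER) < 0)
        return fail_close(fd);

    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /proc/<pid>/ns/user\n", argv[0]);
        return 2;
    }
    if (enter_userns_as_owner(argv[1]) < 0) {
        perror("enter_userns_as_owner");
        return 1;
    }
    printf("joined as uid %u gid %u\n", (unsigned)geteuid(), (unsigned)getegid());
    return 0;
}
```

Run as root against the user namespace file of a container process, e.g. `./join /proc/<pid>/ns/user`; the printed ids are the owner's, not 0. The point of the ordering is that the identity change happens while the process is still outside the namespace, which is exactly the step the report says a root process skips when it does not know the owner.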
