LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for March 28, 2013

A kernel change breaks GlusterFS

PyCon: Evangelizing Python

Multipath TCP: an overview

LWN.net Weekly Edition for March 21, 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

CLONE_NEWUSER|CLONE_FS root exploit

[Posted March 20, 2013 by mkerrisk]

From:  Sebastian Krahmer <krahmer-l3A5Bk7waGM-AT-public.gmane.org>
To:  oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8-AT-public.gmane.org
Subject:  CLONE_NEWUSER|CLONE_FS root exploit
Date:  Wed, 13 Mar 2013 16:39:56 +0100
Message-ID:  <20130313153956.GA15277@suse.de>
Archive-link:  Article, Thread 

Hi,

Seems like CLONE_NEWUSER|CLONE_FS might be a forbidden
combination.
During evaluating the new user namespace thingie, it turned out
that its trivially exploitable to get a (real) uid 0,
as demonstrated here:

http://stealth.openwall.net/xSports/clown-newuser.c

The trick is to setup a chroot in your CLONE_NEWUSER,
but also affecting the parent, which is running
in the init_user_ns, but with the chroot shared.
Then its trivial to get a rootshell from that.

Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).

I hope I didnt make anything wrong, mixing up the UIDs,
or disabled important checks during kernel build on my test
system. ;)

regards,
Sebastian

-- 

~ perl self.pl
~ $_='print"\$_=\47$_\47;eval"';eval
~ krahmer-l3A5Bk7waGM@public.gmane.org - SuSE Security Team
(Log in to post comments)

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds