Hi,

I recently looked at the AUFS file system from a security point of view and found a security issue. Here is full disclosure on the bug found a

Bug Class: Bypassing the nosuid mount option. Escalation of Privileges.

Technical Details

Summary: An attacker with a low-privileged user on a Linux machine with an AUFS mount that has a file capability in one of its branches may escalate his privileges up to root when copying a capable file from a nosuid mount into another mount.

In detail: If there is an AUFS mount where one of its branches contains a file with capabilities, and it is a read-only fs, an attacker with a low-privileged user can use mv to rename the file, which causes the AUFS driver to copy the file with its capabilities into a different branch. That way the attacker can now execute the file with its capabilities, thus escalating his privileges. It is important to note that when a user tries to execute a file from a nosuid mount, all of the file's capabilities are ignored.

Build: Any Linux machine with the AUFS driver installed. For example - AWS EC2 Ubuntu 20.04 with aufs-tools installed.
1. Mount a device to any folder.
2. Copy any file with capabilities into that folder.
3. Remount the device, now with the nosuid and ro options.
4. Mount an AUFS mount with two branches. Make sure the "lower" branch is the branch with the capable file.

Execution:
1. As a low-priv user, cd into the AUFS root.
2. Execute: mv capable_file _cp_capble_file
3. cd to the higher branch directory.
4. Execute the capable binary.

Expected Results: When copying a capable file using a low-privileged user, the file should be copied without any file capabilities.

Observed Results: The new file that appears in the second branch directory has the same capabilities as the file that was copied. This behavior probably occurs because an AUFS driver's process is the one responsible for the copying, and it copies the whole file with its extended attributes.

Mitigation: When copying up a file, make sure that the file has no capabilities attached. If the file does have capabilities, strip them from the newly created file.

Thank you,
Alon Zahavi.
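The copy-up behaviour described in the post (the whole file is copied together with its extended attributes) carries the file capabilities inside the security.capability xattr, so a verbatim xattr copy is exactly what re-arms the binary on the non-nosuid branch. As an added example, not part of the original post and not AUFS code, the C program below decodes a raw security.capability value according to struct vfs_cap_data / vfs_ns_cap_data from <linux/capability.h> and shows the decision the suggested mitigation needs: a copy performed on behalf of an unprivileged user keeps every xattr except security.capability. The sample bytes are constructed (the revision-2 encoding of what getcap prints as cap_net_raw=ep), and caps_grant_privilege and xattr_survives_unprivileged_copy are hypothetical helper names chosen for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Magic values and sizes of struct vfs_cap_data / vfs_ns_cap_data from
 * <linux/capability.h>, redefined here so the example is self-contained. */
#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_1      0x01000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define XATTR_CAPS_SZ_1 12   /* magic + one {permitted, inheritable} pair      */
#define XATTR_CAPS_SZ_2 20   /* magic + two pairs (low and high 32 bits)      */
#define XATTR_CAPS_SZ_3 24   /* v2 layout + rootid of the owning user namespace */
#define CAP_NET_RAW 13

struct file_caps {
    unsigned revision;     /* 1, 2 or 3 */
    bool effective;        /* VFS_CAP_FLAGS_EFFECTIVE: permitted caps are raised on exec */
    uint64_t permitted;
    uint64_t inheritable;
    uint32_t rootid;       /* v3 only, 0 otherwise */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a raw security.capability value (as returned by getxattr).
 * Returns 0 on success, -1 if magic or length do not match a known revision. */
int decode_file_caps(const unsigned char *buf, size_t len, struct file_caps *out)
{
    if (len < 4) return -1;
    uint32_t magic = le32(buf);
    size_t need;
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_1: need = XATTR_CAPS_SZ_1; break;
    case VFS_CAP_REVISION_2: need = XATTR_CAPS_SZ_2; break;
    case VFS_CAP_REVISION_3: need = XATTR_CAPS_SZ_3; break;
    default: return -1;
    }
    if (len != need) return -1;

    memset(out, 0, sizeof *out);
    out->revision = (magic & VFS_CAP_REVISION_MASK) >> 24;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    out->permitted = le32(buf + 4);          /* data[0].permitted   */
    out->inheritable = le32(buf + 8);        /* data[0].inheritable */
    if (out->revision >= 2) {                /* data[1]: bits 32..63 */
        out->permitted   |= (uint64_t)le32(buf + 12) << 32;
        out->inheritable |= (uint64_t)le32(buf + 16) << 32;
    }
    if (out->revision == 3)
        out->rootid = le32(buf + 20);
    return 0;
}

/* True if executing the file would hand out any capability at all. */
bool caps_grant_privilege(const struct file_caps *c)
{
    return c->permitted != 0 || c->inheritable != 0;
}

/* Hypothetical policy for a copy made on behalf of an unprivileged user (the
 * copy-up case in the post): keep every xattr except the one that carries
 * file capabilities. */
bool xattr_survives_unprivileged_copy(const char *name)
{
    return strcmp(name, "security.capability") != 0;
}

/* Constructed sample: the v2 encoding of "cap_net_raw=ep". magic_etc is
 * 0x02000001 (revision 2, effective flag set), permitted low word is 1<<13. */
const unsigned char sample_cap_net_raw_v2[XATTR_CAPS_SZ_2] = {
    0x01, 0x00, 0x00, 0x02,  /* magic_etc, little-endian                      */
    0x00, 0x20, 0x00, 0x00,  /* data[0].permitted   = 0x2000 (CAP_NET_RAW)    */
    0x00, 0x00, 0x00, 0x00,  /* data[0].inheritable                           */
    0x00, 0x00, 0x00, 0x00,  /* data[1].permitted   (bits 32..63)             */
    0x00, 0x00, 0x00, 0x00,  /* data[1].inheritable                           */
};

int main(void)
{
    struct file_caps c;
    if (decode_file_caps(sample_cap_net_raw_v2, sizeof sample_cap_net_raw_v2, &c) != 0) {
        puts("malformed security.capability value");
        return 1;
    }
    printf("revision %u, effective=%d, permitted=%#llx, inheritable=%#llx\n",
           c.revision, c.effective, (unsigned long long)c.permitted,
           (unsigned long long)c.inheritable);
    printf("copying this file verbatim grants privilege: %s\n",
           caps_grant_privilege(&c) ? "yes" : "no");
    printf("keep security.capability on an unprivileged copy: %s\n",
           xattr_survives_unprivileged_copy("security.capability") ? "yes" : "no");
    return 0;
}
```

To feed the decoder a real value, `getfattr -n security.capability -e hex <file>` dumps the raw xattr bytes, and `getcap -r <branch>` lists every capable file in a branch, which is the quickest way to check whether a lower branch of an existing AUFS mount contains anything this copy-up would re-arm. Nothing in the program needs root.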