Security bugfix in lxc-sshd template: add ro to the init-script

Bug #1261045 reported by usrflo on 2013-12-14
Affects         Status  Importance  Assigned to  Milestone
lxc (Ubuntu)            Medium      Unassigned
  Precise               Medium      Unassigned
  Quantal               Medium      Unassigned
  Raring                Medium      Unassigned
  Saucy                 Medium      Unassigned
  Trusty                Medium      Unassigned

Bug Description

Being logged in inside a container that was created with the lxc-sshd template, the mount of $rootfs/sbin/init allows one to modify the init script of the container. So harm could be done to the host system at the next execution of lxc-start or lxc-create -t sshd. This can be used to gain root access since lxc is likely to be run by root.

-lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
+lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none ro,bind 0 0
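
Review bot: the `ro` added to this template line does not reach containers that were already created from it; the same read-write bind-mount line (`lxc.mount.entry=/usr/lib/lxc/templates/lxc-sshd sbin/init none bind 0 0`) is written into each container's /var/lib/lxc/<name>/config, as the later comment in this report shows, so the fix should also cover rewriting those generated configs, otherwise existing containers keep write access to the host's lxc-sshd script. The change is also posted as two bare `-`/`+` lines without a file header or `@@` context, so it cannot be applied with patch as quoted; including the hunk header for templates/lxc-sshd.in would make it reviewable and applicable.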

(see https://github.com/dotcloud/lxc/pull/1)

usrflo (sager) wrote:

I re-checked in detail: the execution of lxc-start is unproblematic since the init script is run inside the container.
But the execution of lxc-create -t sshd for the next container can be exploited.

Please correct in my bug report:

>>>
... So harm could be done to the host system at the next execution of lxc-create -t sshd.
<<<

For your re-test:

1) add "echo I am `id` on `hostname`" to the template lxc-sshd

2) exploit:
root@agiadm:/usr/lib/lxc/templates# lxc-create -n ssh2 -t sshd

No config file specified, using the default config
I am uid=0(root) gid=0(root) Gruppen=0(root) on agiadm
...
'sshd' template installed
'ssh2' created

3) no problem:
root@agiadm:/usr/lib/lxc/templates# lxc-start -n ssh2
I am uid=0(root) gid=0(root) Gruppen=0(root) on ssh2
/usr/lib/lxc/lxc-init ist /usr/lib/lxc/lxc-init

usrflo (sager) wrote:

Please be aware that the sshd template creates config files inside /var/lib/lxc/*/config that include the incorrect mount-configuration:
> lxc.mount.entry=/usr/lib/lxc/templates/lxc-sshd sbin/init none bind 0 0

These configs have to be patched besides the template itself.

information type: Private Security → Public Security
Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in lxc (Ubuntu Precise):
status: New → Confirmed
Changed in lxc (Ubuntu Quantal):
status: New → Confirmed
Changed in lxc (Ubuntu Raring):
status: New → Confirmed
Changed in lxc (Ubuntu Saucy):
status: New → Confirmed
Changed in lxc (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Precise):
importance: Undecided → Medium
Changed in lxc (Ubuntu Quantal):
importance: Undecided → Medium
Changed in lxc (Ubuntu Raring):
importance: Undecided → Medium
Changed in lxc (Ubuntu Saucy):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package lxc - 1.0.0~alpha1-0ubuntu14.1

---------------
lxc (1.0.0~alpha1-0ubuntu14.1) saucy-security; urgency=low

  * SECURITY UPDATE: privilege escalation via sshd template (LP: #1261045)
    - debian/patches/CVE-2013-6441.patch: don't bind-mount /sbin/init
      read-write in templates/lxc-sshd.in.
    - CVE-2013-6441
 -- Marc Deslauriers <email address hidden> Thu, 16 Jan 2014 08:55:20 -0500

Changed in lxc (Ubuntu Saucy):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Raring):
status: Confirmed → Won't Fix
Changed in lxc (Ubuntu Quantal):
status: Confirmed → Won't Fix