Ubuntu
lxc package

Security bugfix in lxc-sshd template: add ro to the init-script

Bug #1261045 reported by usrflo
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
lxc (Ubuntu)
Fix Released
Medium
Unassigned
Precise
Won't Fix
Medium
Unassigned
Quantal
Won't Fix
Medium
Unassigned
Raring
Won't Fix
Medium
Unassigned
Saucy
Fix Released
Medium
Unassigned
Trusty
Fix Released
Medium
Unassigned

Bug Description

Being logged in inside a container that was created with the lxc-sshd template the mount of $rootfs/sbin/init allows to modify the init script of the container. So harm could be done to the host system at the next execution of lxc-start or lxc-create -t sshd. This can be used to gain root access since lxc is likely to be run by root.

-lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none bind 0 0
+lxc.mount.entry=@LXCTEMPLATEDIR@/lxc-sshd $rootfs/sbin/init none ro,bind 0 0

(see https://github.com/dotcloud/lxc/pull/1)

CVE References

Revision history for this message
usrflo (sager) wrote :

I re-checked in detail, the execution of lxc-start is unproblematic since the init script is run inside the container.
But the execution of lxc-create -t sshd for the next container can be exploited.

Please correct in my bug report:

>>>
... So harm could be done to the host system at the next execution of lxc-create -t sshd.
<<<

For your re-test:

1) add "echo I am `id` on `hostname`" to the template lxc-sshd

2) exploit:
root@agiadm:/usr/lib/lxc/templates# lxc-create -n ssh2 -t sshd

No config file specified, using the default config
I am uid=0(root) gid=0(root) Gruppen=0(root) on agiadm
...
'sshd' template installed
'ssh2' created

3) no problem:
root@agiadm:/usr/lib/lxc/templates# lxc-start -n ssh2
I am uid=0(root) gid=0(root) Gruppen=0(root) on ssh2
/usr/lib/lxc/lxc-init ist /usr/lib/lxc/lxc-init

Revision history for this message
usrflo (sager) wrote :

Please be aware that the sshd template creates config files inside /var/lib/lxc/*/config that include the incorrect mount-configuration:
> lxc.mount.entry=/usr/lib/lxc/templates/lxc-sshd sbin/init none bind 0 0

These configs have to be patched besides the template itself.

Marc Deslauriers (mdeslaur)
information type: Private Security → Public Security
Changed in lxc (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Marc Deslauriers (mdeslaur)
Changed in lxc (Ubuntu Precise):
status: New → Confirmed
Changed in lxc (Ubuntu Quantal):
status: New → Confirmed
Changed in lxc (Ubuntu Raring):
status: New → Confirmed
Changed in lxc (Ubuntu Saucy):
status: New → Confirmed
Changed in lxc (Ubuntu Trusty):
status: Confirmed → Fix Released
Changed in lxc (Ubuntu Precise):
importance: Undecided → Medium
Changed in lxc (Ubuntu Quantal):
importance: Undecided → Medium
Changed in lxc (Ubuntu Raring):
importance: Undecided → Medium
Changed in lxc (Ubuntu Saucy):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package lxc - 1.0.0~alpha1-0ubuntu14.1

---------------
lxc (1.0.0~alpha1-0ubuntu14.1) saucy-security; urgency=low

  * SECURITY UPDATE: privilege escalation via sshd template (LP: #1261045)
    - debian/patches/CVE-2013-6441.patch: don't bind-mount /sbin/init
      read-write in templates/lxc-sshd.in.
    - CVE-2013-6441
 -- Marc Deslauriers <email address hidden> Thu, 16 Jan 2014 08:55:20 -0500

Changed in lxc (Ubuntu Saucy):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand)
Changed in lxc (Ubuntu Raring):
status: Confirmed → Won't Fix
Jamie Strandboge (jdstrand)
Changed in lxc (Ubuntu Quantal):
status: Confirmed → Won't Fix
Stéphane Graber (stgraber)
Changed in lxc (Ubuntu Precise):
status: Confirmed → Won't Fix
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.