CLONE_NEWUSER trickery: CVE-2013-1858

 
Recent kernels (3.8+ something) introduced a feature called
user namespaces (user-ns, the CLONE_NEWUSER flag),
in which you can have your own UID 0.
Think of it as a container solution that lets you
set up compartments on a host. A nice thing,
but it has some security implications, in particular
if you mix this feature with CLONE_FS, which means
that the file-system state is shared between the
containers (e.g. processes). You suddenly get this:

The problem here is that parent and child share the
FS info (the chroot in this case), but only the child
has its own user-ns. Since the child has the
capability to do the chroot() in its own user-ns,
the chroot() syscall will succeed, but due to
CLONE_FS it will also affect the parent.
The parent, however, stays in the init user-ns (the user-ns
that is the default upon boot and the namespace where you
want to have root).
Getting a rootshell from inside a user-controlled chroot
with help from outside processes is straightforward.

The xSports can be found here.

Update:
A CVE has been assigned (CVE-2013-1858) and a patch was made.
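
A patch check, added here as an example and not part of the original post or of the kernel's own code: the fix, as clone(2) documents, makes the kernel refuse CLONE_NEWUSER combined with CLONE_FS, so the probe below requests exactly that pair with a child that exits immediately. The names `shares_fs_across_userns` and `probe_newuser_fs` are hypothetical, and the raw `SYS_clone` argument order assumes x86-64 or arm64.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE           /* for syscall() */
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/sched.h>      /* CLONE_FS, CLONE_NEWUSER */

enum probe_result { PROBE_REJECTED, PROBE_BLOCKED, PROBE_ALLOWED };

/* True when a clone() flag word asks for a new user-ns while still
 * sharing fs state (root, cwd, umask) with the caller. */
int shares_fs_across_userns(unsigned long flags)
{
    unsigned long bad = CLONE_NEWUSER | CLONE_FS;
    return (flags & bad) == bad;
}

/* Ask the running kernel for exactly that combination. The child, if one
 * is ever created, exits at once and changes nothing. */
enum probe_result probe_newuser_fs(void)
{
    /* Raw syscall (assumed x86-64/arm64 order): flags first, NULL stack. */
    long pid = syscall(SYS_clone,
                       (unsigned long)(CLONE_NEWUSER | CLONE_FS | SIGCHLD),
                       0UL, 0UL, 0UL, 0UL);
    if (pid == 0)
        _exit(0);                       /* child: nothing to do */
    if (pid > 0) {                      /* kernel accepted the flags */
        waitpid((pid_t)pid, NULL, 0);
        return PROBE_ALLOWED;
    }
    /* EINVAL: refused by the kernel's flag check. Any other errno: refused
     * for another reason (e.g. a seccomp filter), so it is inconclusive. */
    return errno == EINVAL ? PROBE_REJECTED : PROBE_BLOCKED;
}

int main(void)
{
    static const char *msg[] = {
        "rejected with EINVAL (flag check present)",
        "blocked for another reason (inconclusive)",
        "ALLOWED: kernel lacks the CVE-2013-1858 fix",
    };
    printf("CLONE_NEWUSER|CLONE_FS: %s\n", msg[probe_newuser_fs()]);
    return 0;
}
```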
