CLONE_NEWUSER trickery: CVE-2013-1858

 
Recent kernels (3.8+ something) introduced a feature called
user-namespaces (user-ns, CLONE_NEWUSER flag)
in which you can have your own UID 0.
Think of it as a container solution, so you can
set up compartments on a host. A nice thing,
but it has some security implications, in particular
if you mix this feature with CLONE_FS, which means
that the file-system state is shared between the
containers (e.g. processes). You suddenly get this:

The problem here is that parent and child share the
FS info (the chroot in this case), but only the child
has its own user-ns. Since it has the
capability to do the chroot() in its own user-ns,
the chroot() syscall will succeed, but due to
CLONE_FS, it will also affect the parent.
The parent, however, stays in the init user-ns (the user-ns
that is the default upon boot and the namespace where you
want to have root).
Getting a rootshell from inside a user-controlled chroot
with help from outside processes is straightforward.
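
The flag combination described above is visible in the first argument of clone(2), so it can be picked out of audit logs. The following is an added example, not code from the original post: it assumes raw auditd SYSCALL records on x86_64 (syscall 56, flags in `a0` as hex), covers clone(2) only, and uses the hypothetical helper names `audit_field` and `userns_shares_fs` with a constructed sample record.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Flag values as defined in <linux/sched.h>. */
#define F_CLONE_FS      0x00000200UL
#define F_CLONE_NEWUSER 0x10000000UL
#define ARCH_X86_64     0xc000003eUL  /* AUDIT_ARCH_X86_64 */
#define NR_CLONE_X86_64 56UL          /* clone(2) on x86_64 */

/* Locate " key=" in an audit record and parse its numeric value. */
static int audit_field(const char *line, const char *key, int base,
                       unsigned long *out)
{
    char pat[32], *end;
    const char *p;
    snprintf(pat, sizeof pat, " %s=", key);
    p = strstr(line, pat);
    if (p == NULL)
        return -1;
    p += strlen(pat);
    *out = strtoul(p, &end, base);
    return end == p ? -1 : 0;
}

/* Returns 1 if the record is a clone() that asks for a new user-ns while
 * still sharing FS info with the parent, 0 if not, -1 if fields are missing. */
int userns_shares_fs(const char *line)
{
    const unsigned long both = F_CLONE_NEWUSER | F_CLONE_FS;
    unsigned long arch, nr, flags;
    if (strstr(line, "type=SYSCALL") == NULL)
        return 0;
    if (audit_field(line, "arch", 16, &arch) ||
        audit_field(line, "syscall", 10, &nr) ||
        audit_field(line, "a0", 16, &flags))
        return -1;
    if (arch != ARCH_X86_64 || nr != NR_CLONE_X86_64)
        return 0;
    return (flags & both) == both;
}

int main(void)
{
    /* Constructed sample record, not taken from a real system. */
    const char *rec = "type=SYSCALL msg=audit(1363000000.000:1): arch=c000003e "
                      "syscall=56 success=yes exit=4242 a0=10000211 a1=0 a2=0 a3=0";
    printf("new user-ns with shared FS: %d\n", userns_shares_fs(rec));
    return 0;
}
```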

The xSports can be found here.

Update:
A CVE has been assigned (CVE-2013-1858) and a patch was made.
