CLONE_NEWUSER trickery: CVE-2013-1858

Recent kernels (3.8 and later, roughly) introduced a feature called
user namespaces (user-ns, the CLONE_NEWUSER flag)
in which you can have your own UID 0.
Think of it as a container building block, so you can
set up compartments on a host. A nice thing,
but it has some security implications, in particular
if you mix this feature with CLONE_FS, which means
that the file-system state (the root directory, among other things)
is shared between the cloned processes. You suddenly get this:

The problem here is that parent and child share the
FS info (the root directory set by chroot, in this case), but only the child
has got its own user-ns. Since it holds the
capability to do the chroot() in its own user-ns,
the chroot() syscall succeeds, but because of
CLONE_FS the new root also applies to the parent.
The parent, however, stays in the init user-ns (the user-ns
that is the default upon boot and the namespace where you
want to have root).
Getting a root shell from inside a user-controlled chroot
with help from outside processes is straightforward.

The xSports can be found here.

Update:
A CVE has been assigned (CVE-2013-1858) and a patch was made.
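The upstream fix for this issue makes the kernel refuse clone() calls that combine CLONE_NEWUSER with CLONE_FS (the call fails with EINVAL) and makes unshare(CLONE_NEWUSER) unshare the FS state implicitly. The following probe is an added example, not code from the original post or from the kernel patch: it issues a raw clone(2) with exactly that flag combination on a Linux host and reports whether the kernel rejects it. It assumes Linux and the glibc/musl syscall() wrapper; the child, if one is ever created, exits immediately and never touches the shared FS state, so the probe only checks the kernel's policy.

```c
/* Added example: probe whether this kernel rejects CLONE_NEWUSER|CLONE_FS,
 * the combination abused by CVE-2013-1858. Not from the original post. */
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag values are fixed kernel ABI; defined here so <sched.h> is not needed. */
#ifndef CLONE_FS
#define CLONE_FS      0x00000200
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

enum probe_result {
    PROBE_ALLOWED,         /* clone() succeeded: kernel still accepts the combination */
    PROBE_REJECTED_EINVAL, /* clone() failed with EINVAL: the CVE-2013-1858 fix is present */
    PROBE_OTHER_ERROR      /* e.g. EPERM: user namespaces unavailable, nothing learned */
};

/* Pure mapping from a clone() outcome to a verdict, kept separate so it is testable. */
enum probe_result classify_clone_result(long rc, int err)
{
    if (rc >= 0)
        return PROBE_ALLOWED;
    if (err == EINVAL)
        return PROBE_REJECTED_EINVAL;
    return PROBE_OTHER_ERROR;
}

const char *probe_result_name(enum probe_result r)
{
    switch (r) {
    case PROBE_ALLOWED:         return "ALLOWED (kernel accepts CLONE_NEWUSER|CLONE_FS)";
    case PROBE_REJECTED_EINVAL: return "REJECTED with EINVAL (fix present)";
    default:                    return "OTHER ERROR (user namespaces unavailable here)";
    }
}

/* Issue the raw clone(2) with CLONE_NEWUSER|CLONE_FS. A NULL child stack makes the
 * raw syscall behave like fork(); the child exits at once and the parent reaps it. */
enum probe_result probe_clone_newuser_fs(void)
{
    long rc = syscall(SYS_clone,
                      (long)(CLONE_NEWUSER | CLONE_FS | SIGCHLD), 0L, 0L, 0L, 0L);
    int err = errno;

    if (rc == 0)
        _exit(0);                       /* child: never touch the shared FS state */

    if (rc > 0) {
        int status;
        waitpid((pid_t)rc, &status, 0); /* parent: reap the harmless child */
    }
    return classify_clone_result(rc, err);
}

int main(void)
{
    enum probe_result r = probe_clone_newuser_fs();
    printf("clone(CLONE_NEWUSER|CLONE_FS): %s\n", probe_result_name(r));
    return r == PROBE_ALLOWED ? 1 : 0;  /* non-zero exit flags an unpatched policy */
}
```

Run it as an unprivileged user: an EINVAL result means the kernel enforces the fix regardless of who calls it, while EPERM usually means unprivileged user namespaces are disabled on the host, which blocks the pattern for a different reason and says nothing about the patch itself.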
