Vigil@nce - Linux kernel: read-write access via fsuid
November 2014 by Marc Jacob
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can bypass access restrictions via a namespace on the
Linux kernel, in order to read or alter files.
Impacted products: Linux
Severity: 1/4
Creation date: 18/11/2014
DESCRIPTION OF THE VULNERABILITY
User namespaces partition users: an unprivileged process can create a
new user namespace, map its own uid/gid into it, and then holds
capabilities such as CAP_SETGID inside that namespace.
A file can carry a POSIX ACL (or plain mode bits) in which the entry
for a group grants fewer rights than the entry for "other", for
instance a group entry with no permissions while "other" may read and
write. Because the group entry matches first, members of that group
are denied, even though everyone else is allowed.
An attacker who is a member of such a group can create a new user
namespace, remap his fsuid/fsgid into it, and, with the CAP_SETGID he
holds there, call setgroups() to drop his supplementary groups. The
group entry then no longer matches him; the permission check falls
through to the "other" class, which grants access. Such a "negative
group" entry is therefore no restriction at all once the user is able
to leave the group.
An attacker can therefore bypass access restrictions via a
namespace on the Linux kernel, in order to read or alter files.
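The following C program is an illustration added to this page; it is not part of the Vigil@nce bulletin nor kernel code. It models the ACL decision described above for a constructed file (owner uid 0, a group entry for gid 1000 that grants nothing, and an "other" entry that grants read and write) and a constructed user (uid 1001 with supplementary group 1000), showing the outcome before and after the supplementary groups are dropped. Its main() then probes the running kernel: it creates a user namespace with unshare(CLONE_NEWUSER) and attempts setgroups(0, NULL). All uids, gids and the permission layout are assumptions made for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits used by the model. */
#define PERM_READ  4
#define PERM_WRITE 2

/* A minimal POSIX ACL: owner, a single group entry and "other".
 * Constructed for the example; real ACLs may hold several user and
 * group entries plus a mask, which this model leaves out. */
struct acl {
    uid_t owner; int owner_perm;
    gid_t group; int group_perm;   /* the "negative" group entry */
    int other_perm;
};

/* The credentials the permission check looks at. */
struct cred {
    uid_t fsuid; gid_t fsgid;
    const gid_t *groups; int ngroups;   /* supplementary groups */
};

static int in_group(const struct cred *c, gid_t g) {
    if (c->fsgid == g) return 1;
    for (int i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

/* Evaluate the ACL as acl(5) describes it: the first matching class
 * decides. A group match is final even when the group entry grants
 * nothing, so "other" is never consulted for a member of that group. */
static int acl_allows(const struct acl *a, const struct cred *c, int want) {
    if (c->fsuid == a->owner)  return (a->owner_perm & want) == want;
    if (in_group(c, a->group)) return (a->group_perm & want) == want;
    return (a->other_perm & want) == want;
}

/* Scenario from the bulletin (constructed values): gid 1000 gets
 * nothing, "other" may read and write. */
static const struct acl restricted = {
    0, PERM_READ | PERM_WRITE, 1000, 0, PERM_READ | PERM_WRITE
};
static const gid_t supp[] = { 1000 };

/* uid 1001 while still a member of gid 1000: write is denied (returns 0). */
int before_dropping_groups(void) {
    struct cred c = { 1001, 1001, supp, 1 };
    return acl_allows(&restricted, &c, PERM_WRITE);
}

/* Same uid after setgroups(0, NULL): the group entry no longer matches,
 * "other" applies and write is allowed (returns 1). */
int after_dropping_groups(void) {
    struct cred c = { 1001, 1001, NULL, 0 };
    return acl_allows(&restricted, &c, PERM_WRITE);
}

/* Live probe: enter a new user namespace and try to drop all
 * supplementary groups, reporting what the kernel does. */
int main(void) {
    printf("model, member of gid 1000: write %s\n",
           before_dropping_groups() ? "allowed" : "denied");
    printf("model, groups dropped:     write %s\n",
           after_dropping_groups() ? "allowed" : "denied");

    if (unshare(CLONE_NEWUSER) != 0) {
        printf("unshare(CLONE_NEWUSER): %s; unprivileged user namespaces "
               "are not available here, nothing learned about setgroups\n",
               strerror(errno));
        return 0;
    }
    if (setgroups(0, NULL) == 0)
        printf("setgroups(0, NULL) succeeded in the new user namespace: "
               "negative group entries can be bypassed this way\n");
    else
        printf("setgroups(0, NULL): %s; the kernel refuses to drop "
               "supplementary groups in an unprivileged user namespace\n",
               strerror(errno));
    return 0;
}
```

Compile with gcc and run as an unprivileged user. The model shows the membership flip regardless of the kernel. For the probe, a kernel that lets setgroups(0, NULL) succeed straight after unshare(CLONE_NEWUSER) allows an unprivileged user to drop groups as the bulletin describes, while one that returns EPERM does not; if unshare() itself fails, unprivileged user namespaces are unavailable on that system and the probe says nothing about setgroups().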
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Linux-kernel-read-write-access-via-fsuid-15659