hellok · December 15, 2015 03:19
diff --git a/gistfile1.txt b/gistfile1.txt
 http://stealth.openwall.net/xSports/clown-newuser.c
 http://www.openwall.com/lists/oss-security/2013/03/13/8
 Seems like CLONE_NEWUSER|CLONE_FS might be a forbidden
 combination.
 During evaluating the new user namespace thingie, it turned out
 that its trivially exploitable to get a (real) uid 0,
 as demonstrated here:

 The trick is to setup a chroot in your CLONE_NEWUSER,
 but also affecting the parent, which is running
 in the init_user_ns, but with the chroot shared.
 Then its trivial to get a rootshell from that.

 Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).

 I hope I didnt make anything wrong, mixing up the UIDs,
 or disabled important checks during kernel build on my test
 system. ;)


 http://cdimage.kali.org/
 http://www.kali.org/news/kali-linux-whats-new/
	http://stealth.openwall.net/xSports/clown-newuser.c
	http://www.openwall.com/lists/oss-security/2013/03/13/8
	Seems like CLONE_NEWUSER\|CLONE_FS might be a forbidden
	combination.
	During evaluating the new user namespace thingie, it turned out
	that its trivially exploitable to get a (real) uid 0,
	as demonstrated here:

	The trick is to setup a chroot in your CLONE_NEWUSER,
	but also affecting the parent, which is running
	in the init_user_ns, but with the chroot shared.
	Then its trivial to get a rootshell from that.

	Tested on a openSUSE12.1 with a custom build 3.8.2 (x86_64).

	I hope I didnt make anything wrong, mixing up the UIDs,
	or disabled important checks during kernel build on my test
	system. ;)


	http://cdimage.kali.org/
	http://www.kali.org/news/kali-linux-whats-new/