[eyalm]

Bottom line - locally exploitable vulnerability in the linux kernel, in case you have the CAP_NET_RAW capability which never really happens. Not a real security threat for your standard linux distro.

On the other hand, this is a great technical write-up that describes thoroughly the internals of some of the linux kernel subsystems. Probably the best documentation you can find for some subsystems. Also shows how they bypassed exploit mitigations technics such as KASLR, SMAP&SMEP.

[dohqu8Zi]

No.

Create a new user namespace and you have CAP_NET_RAW within your shiny new namespace.

[ploxiln]

Right, but "unprivileged user namespaces" are disabled in many contexts, because they've been a source of many vulnerabilities due to code originally thought to only be reachable by root anyway.

Archlinux has user namespaces disabled, docker does not use them by default and does not allow them inside containers by default, on Ubuntu I make sure to disable kernel.unprivileged_userns_clone on all the servers I deploy to, etc.

[glandium]

But you need capabilities to create that new user namespace (CAP_SYS_ADMIN, I think)

[scarybeast]

No. It's exploitable by a normal unprivileged user on modern Ubuntu. From the article, "Let’s see how we can exploit this vulnerability. I’m going to be targeting x86-64 Ubuntu 16.04.2 with 4.8.0-41-generic kernel version with KASLR, SMEP and SMAP enabled. Ubuntu kernel has user namespaces available to unprivileged users (CONFIG_USER_NS=y and no restrictions on it’s usage), so the bug can be exploited to gain root privileges by an unprivileged user."

[d33]

That's pretty interesting. Does it mean it allows escaping Docker containers if you compromise a service ran as root in it?

[user5994461]

As a rule of Thumb, an attack can ALWAYS escape from Docker containers.

These containers are a light way to separate processes. They are not intended as a security measure to isolate malicious processes that tries to escape.

[dohqu8Zi]

No, Docker usually drops CAP_NET_RAW within the container. But you can change that and other container technologies definitely keep CAP_NET_RAW within the container.

[wrongmmmm]

Not true. CAP_NET_RAW is on by default: https://github.com/moby/moby/blob/master/oci/defaults_linux....

Otherwise no one could ping from a container.

[dohqu8Zi]

Thanks for the correction.

[dohqu8Zi]

BTW: Depending on the configuration you can create a new namespace within Docker to gain CAP_NET_RAW since namespaces can nest.

[caf]

You also need to create a network namespace, because to create an AF_PACKET socket you need to have CAP_NET_RAW in the user namespace that owns your network namespace, not the user namespace you're in.