OSS-SEC: Three bypasses of Ubuntu's unprivileged user namespace restrictions
a year ago
- #Ubuntu
- #Security
- #Kernel
- Ubuntu 23.10 introduced unprivileged user namespace restrictions, enabled by default in Ubuntu 24.04, to reduce the kernel attack surface reachable from unprivileged user namespaces.
- Three bypass methods were discovered allowing unprivileged users to create user namespaces with full administrator capabilities:
- 1. Using aa-exec to transition to pre-configured AppArmor profiles (e.g., chrome, flatpak, trinity) that allow user namespace creation with full capabilities.
- 2. Executing a busybox shell, which has a pre-configured AppArmor profile permitting user namespace creation with full capabilities.
- 3. Using LD_PRELOAD to inject a shell into programs like nautilus, whose AppArmor profiles allow user namespace creation with full capabilities.
- These bypasses make it possible to exploit kernel vulnerabilities whose trigger requires capabilities such as CAP_SYS_ADMIN or CAP_NET_ADMIN, since the attacker holds them inside the namespace.
- Ubuntu's restriction is meant to stop unprivileged users from reaching that attack surface, but these bypasses show it can be sidestepped through AppArmor profiles that permit user namespace creation.
- The advisory includes a timeline of discovery and coordination with the Ubuntu Security Team, leading to a coordinated release.
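All three bypasses depend on the same two facts: the restriction is governed by a sysctl, and certain AppArmor profiles grant the program they attach to a `userns,` permission. As an added defender-side check (constructed for this summary, not code from the advisory or from Ubuntu), the script below audits both: whether `kernel.apparmor_restrict_unprivileged_userns` reads 1, and which profile files under an AppArmor directory carry a `userns,` rule. The sysctl name and the `userns,` rule syntax are the real Ubuntu/AppArmor ones; the function names, the sample profile contents and the sample directory tree are constructed, and the default paths `/proc/sys` and `/etc/apparmor.d` are parameters so the same functions can be run against the constructed tree.

```shell
#!/bin/sh
# Constructed audit helper (added example, not from the advisory).
# 1. Is the Ubuntu restriction sysctl switched on?
# 2. Which AppArmor profiles still carry a "userns," rule and therefore let the
#    program they confine create a user namespace?

# Return 0 if the sysctl reads 1, 1 if it reads 0, 2 if the knob does not exist
# (a kernel without the Ubuntu AppArmor patch). $1 is the /proc/sys root.
userns_restriction_enabled() {
    knob="${1:-/proc/sys}/kernel/apparmor_restrict_unprivileged_userns"
    [ -r "$knob" ] || return 2
    [ "$(cat "$knob")" = "1" ]
}

# Print, one per line and sorted, the profile files under $1 that contain an
# uncommented "userns," rule. grep -r does not follow symlinks, so profiles
# that were disabled by linking them into disable/ are not reported twice.
profiles_granting_userns() {
    dir="${1:-/etc/apparmor.d}"
    grep -rlE '^[[:space:]]*userns[[:space:]]*,' "$dir" 2>/dev/null \
        | while IFS= read -r f; do printf '%s\n' "${f#"$dir/"}"; done | sort
}

# Build a constructed sysctl tree and AppArmor directory for a dry run. The
# "chrome" profile mirrors the shape of the real one (unconfined flag plus a
# userns rule); "editor" is a made-up confined profile with no such rule.
make_sample_tree() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/sys/kernel" "$tmp/apparmor.d/disable"
    printf '1\n' > "$tmp/sys/kernel/apparmor_restrict_unprivileged_userns"
    cat > "$tmp/apparmor.d/chrome" <<'EOF'
profile chrome /opt/google/chrome/chrome flags=(unconfined) {
  userns,
}
EOF
    cat > "$tmp/apparmor.d/editor" <<'EOF'
profile editor /usr/bin/editor {
  /usr/bin/editor mr,
  # userns, (commented out, so it must not be reported)
}
EOF
    printf '%s\n' "$tmp"
}

# Short report for a sysctl root ($1) and a profile directory ($2).
audit_userns() {
    if userns_restriction_enabled "$1"; then
        echo "unprivileged userns restriction: on"
    else
        echo "unprivileged userns restriction: off or unavailable (rc=$?)"
    fi
    echo "profiles with a userns rule under $2:"
    profiles_granting_userns "$2" | sed 's/^/  /'
}

# Dry run against the constructed tree. On a real host call
# audit_userns /proc/sys /etc/apparmor.d instead.
sample=$(make_sample_tree)
audit_userns "$sample/sys" "$sample/apparmor.d"
rm -rf "$sample"
```

Profiles the audit lists are the ones to review: for each, decide whether the program really needs user namespaces, and if not, disable the profile the way AppArmor normally does (a symlink in `disable/` followed by a reload) so the program falls back to the restricted default.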