diff options
Diffstat (limited to 'results/scraper/launchpad-without-comments/807893')
| -rw-r--r-- | results/scraper/launchpad-without-comments/807893 | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/results/scraper/launchpad-without-comments/807893 b/results/scraper/launchpad-without-comments/807893 new file mode 100644 index 000000000..7ec4c024a --- /dev/null +++ b/results/scraper/launchpad-without-comments/807893 @@ -0,0 +1,31 @@ +qemu privilege escalation + +If qemu is started as root, with -runas, the extra groups is not dropped correctly + +/proc/`pidof qemu`/status +.. +Uid: 100 100 100 100 +Gid: 100 100 100 100 +FDSize: 32 +Groups: 0 1 2 3 4 6 10 11 26 27 +... + +The fix is to add initgroups() or setgroups(1, [gid]) where appropriate to os-posix.c. + +The extra gid's allow read or write access to other files (such as /dev etc). + +Emulating the qemu code: + +# python +... +>>> import os +>>> os.setgid(100) +>>> os.setuid(100) +>>> os.execve("/bin/sh", [ "/bin/sh" ], os.environ) +sh-4.1$ xxd /dev/sda | head -n2 +0000000: eb48 9000 0000 0000 0000 0000 0000 0000 .H.............. +0000010: 0000 0000 0000 0000 0000 0000 0000 0000 ................ +sh-4.1$ ls -l /dev/sda +brw-rw---- 1 root disk 8, 0 Jul 8 11:54 /dev/sda +sh-4.1$ id +uid=100(qemu00) gid=100(users) groups=100(users),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),26(tape),27(video) \ No newline at end of file |