$ socat file:$(tty),raw,echo=0 tcp:zapp-setuid-2.chal.uiuc.tf:1337
Handout: Same as Zapping a Setuid 1
author: YiFei Zhu
Files: No files.
Tags: systems, extreme

From 7d26a340113813b6f9064b25f2928c177269d2f5 Mon Sep 17 00:00:00 2001
From: YiFei Zhu <zhuyifei@google.com>
Date: Mon, 19 Jun 2023 22:26:16 -0700
Subject: [PATCH] fs/namespace: Allow generic loopback mount without requiring
nsfs
The argument was flawed and was never agreed upon [1].
After 18 years, what could possibly go wrong?
[1] https://lore.kernel.org/all/1131563299.5400.392.camel@localhost/T/#t
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
---
fs/namespace.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index 4f520f800dbc..eb196f016e3f 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2396,9 +2396,6 @@ static struct mount *__do_loopback(struct path *old_path, int recurse)
if (IS_MNT_UNBINDABLE(old))
return mnt;
- if (!check_mnt(old) && old_path->dentry->d_op != &ns_dentry_operations)
- return mnt;
-
if (!recurse && has_locked_children(old, old_path->dentry))
return mnt;
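Review bot: the two deleted lines are the only check in __do_loopback that ties the bind-mount source to the caller's own mount namespace (check_mnt) or to the nsfs special case (ns_dentry_operations); with them gone, any path the caller can name, including one reached through an fd that originates in another mount namespace, becomes a valid source for a bind mount into the current namespace. The commit message says the original argument "was flawed" but gives no replacement reasoning beyond the link; the justification from that thread should be spelled out here, and if the restriction is really unwanted the patch should at least require that the source mount's namespace is owned by a user namespace the caller is in, rather than dropping the check entirely.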
--
2.41.0

From 9946c9e1e098884064df8a394a6ef992c94d21e6 Mon Sep 17 00:00:00 2001
From: YiFei Zhu <zhuyifei@google.com>
Date: Mon, 19 Jun 2023 21:39:32 -0700
Subject: [PATCH] fs/namespace: Allow unpriv OPEN_TREE_CLONE
OPEN_TREE_CLONE is only really useful when you could use move_mount()
to perform a bind mount. Otherwise all you get is an fd equivalent to
an O_PATH'ed fd that is detached, without a way to modify any
mountpoints of the current namespace.
What could possibly go wrong?
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
---
fs/namespace.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index df137ba19d37..4f520f800dbc 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -2527,9 +2527,6 @@ SYSCALL_DEFINE3(open_tree, int, dfd, const char __user *, filename, unsigned, fl
if (flags & AT_EMPTY_PATH)
lookup_flags |= LOOKUP_EMPTY;
- if (detached && !may_mount())
- return -EPERM;
-
fd = get_unused_fd_flags(flags & O_CLOEXEC);
if (fd < 0)
return fd;
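Review bot: removing `if (detached && !may_mount()) return -EPERM;` lets a caller without mount privilege in its namespace build a detached copy of any mount tree it can see, and the commit message's claim that such an fd is "equivalent to an O_PATH'ed fd" understates what it is: it is a live mount tree that pins every mount in the copy and can be handed to other processes, and whether it can later be attached depends on checks elsewhere in this file (move_mount and __do_loopback), not on anything in this hunk. If the gate is to go, the message should state what still prevents an unprivileged detached tree from being attached, and some bound on how many such trees an unprivileged user can hold would be reasonable since each one consumes kernel memory until the fd is closed.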
--
2.41.0

From 7bba6f2216c5b757e38cd90f7b12bdf952e316c7 Mon Sep 17 00:00:00 2001
From: YiFei Zhu <zhuyifei@google.com>
Date: Mon, 19 Jun 2023 23:04:25 -0700
Subject: [PATCH] fs/namespace: Check userns instead of mntns in mnt_may_suid
If we are in the same userns, I don't see why we need to check
if we are in the same mntns too, right?
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
---
fs/namespace.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/namespace.c b/fs/namespace.c
index eb196f016e3f..25757327a82a 100644
--- a/fs/namespace.c
+++ b/fs/namespace.c
@@ -4609,7 +4609,8 @@ bool mnt_may_suid(struct vfsmount *mnt)
* suid/sgid bits, file caps, or security labels that originate
* in other namespaces.
*/
- return !(mnt->mnt_flags & MNT_NOSUID) && check_mnt(real_mount(mnt)) &&
+ return !(mnt->mnt_flags & MNT_NOSUID) &&
+ current_in_userns(real_mount(mnt)->mnt_ns->user_ns) &&
current_in_userns(mnt->mnt_sb->s_user_ns);
}
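Review bot: the new `current_in_userns(real_mount(mnt)->mnt_ns->user_ns)` dereferences mnt_ns unconditionally, whereas check_mnt only compared the pointer; a mount that has been lazily unmounted but is still referenced by an open file has mnt_ns set to NULL, so this line can oops on exec of such a file. Beyond that, the comment kept just above this hunk says the function exists to ignore suid bits that "originate in other namespaces", and the old check_mnt(real_mount(mnt)) is what enforced that for mount namespaces; replacing it with a user-namespace test means a suid binary on a mount from a different mount namespace (owned by the same or an ancestor user namespace) is now honoured, which is exactly the case the comment describes. Either update the comment to match the new policy or keep the mount-namespace check alongside the user-namespace one, and add a NULL check on mnt_ns in any case.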
--
2.41.0

mnt_may_suid check