
CVE-2021-33909 AKA "Sequoia" is a vulnerability against the filesystem code within the Linux kernel. According to the description of the vulnerability from Qualys:

Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host

[...]

As a result, if an unprivileged local attacker creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB, and if the attacker open()s and read()s /proc/self/mountinfo, then

I am trying to understand how this works, because in my experience an unprivileged user cannot mount anything, unless there's a mountpoint in /etc/fstab which has the user attribute set.

Some people are talking about FUSE, but I believe even for FUSE, root access is needed to actually mount the filesystem; just the filesystem code runs in user space, not kernel space. (I simply lacked the knowledge that FUSE has fusermount, oops.)

I tried the PoC exploit code and it does not work for me, so... What am I missing here?

Josh

1 Answer


From the advisory:

1/ We mkdir() a deep directory structure (roughly 1M nested directories) whose total path length exceeds 1GB, we bind-mount it in an unprivileged user namespace, and rmdir() it.

If the system is configured as such, an unprivileged user could use namespaces to perform this attack.

Set /proc/sys/kernel/unprivileged_userns_clone to 0, to prevent an attacker from mounting a long directory in a user namespace. However, the attacker may mount a long directory via FUSE instead

Perhaps you already have this option disabled; some distros historically have shipped with it disabled. Lacking this option will prevent the PoC from working, so maybe this is why it doesn't work for you?

Even for fuse, root access is needed to actually mount the filesystem

From kernel.org:

One of the most important features of FUSE is allowing secure, non-privileged mounts

How do non-privileged mounts work? Since the mount() system call is a privileged operation, a helper program (fusermount) is needed, which is installed setuid root.

Mounting filesystems as an unprivileged user is absolutely possible with FUSE, assuming an administrator has installed the necessary helper program.

multithr3at3d
  • That perfectly answers my question, thank you! Yes, in the systems I checked `/proc/sys/kernel/unprivileged_userns_clone` does not even exist and I clearly lack enough experience with FUSE (having used it only a handful of times) – Josh Jul 28 '21 at 23:21
  • 1
    @Josh check out `sshfs`, which uses FUSE. Very handy! – multithr3at3d Jul 30 '21 at 01:31
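The answer above names two independent things an administrator should look at when deciding whether an unprivileged local user can perform the bind-mount step: the user-namespace sysctl and the setuid fusermount helper. The script below is an added audit helper, not code from the question, the answer, or Qualys. It reads the Debian/Ubuntu `kernel.unprivileged_userns_clone` knob mentioned in the advisory and, since that file does not exist on upstream kernels (as Josh found), also the upstream `user.max_user_namespaces` limit, then checks the usual fusermount locations for the setuid bit. The optional root-prefix argument is a convention of this script only, so the same checks can be run against a copied `/proc` tree.

```shell
#!/bin/sh
# Added audit helper (not from the Q&A or the Qualys advisory): report
# whether an unprivileged local user on this host can obtain a mount
# namespace (the bind-mount step described in the advisory) and whether a
# setuid fusermount helper is installed.
#
# Two independent knobs decide the user-namespace question:
#   kernel.unprivileged_userns_clone  (Debian/Ubuntu patch; absent upstream)
#   user.max_user_namespaces          (upstream limit; 0 disables creation)
# Every function takes an optional ROOT prefix (default: the live system) so
# the checks can be exercised against a copied /proc tree.

read_sysctl() {
  # read_sysctl ROOT RELATIVE_PATH -> prints the file content, or "absent"
  if [ -r "$1/$2" ]; then
    cat "$1/$2"
  else
    echo absent
  fi
}

userns_status() {
  # userns_status [ROOT] -> "disabled", "enabled" or "unknown"
  root="${1:-}"
  clone=$(read_sysctl "$root" proc/sys/kernel/unprivileged_userns_clone)
  maxns=$(read_sysctl "$root" proc/sys/user/max_user_namespaces)
  if [ "$clone" = 0 ] || [ "$maxns" = 0 ]; then
    # Either knob at 0 is enough to stop unprivileged namespace creation.
    echo disabled
  elif [ "$clone" = absent ] && [ "$maxns" = absent ]; then
    # Neither file readable: probably not Linux, or /proc is not mounted.
    echo unknown
  else
    echo enabled
  fi
}

fusermount_status() {
  # fusermount_status [ROOT] -> "setuid", "present" or "absent"
  root="${1:-}"
  for p in usr/bin/fusermount3 usr/bin/fusermount bin/fusermount; do
    if [ -f "$root/$p" ]; then
      # -u tests the setuid bit, which is what lets non-root users mount.
      if [ -u "$root/$p" ]; then echo setuid; else echo present; fi
      return 0
    fi
  done
  echo absent
}

main() {
  echo "unprivileged user namespaces: $(userns_status "$1")"
  echo "fusermount helper:            $(fusermount_status "$1")"
}

main "$@"
```

On a host where the first line reports `disabled` and the second reports anything other than `setuid`, neither path the advisory describes for an unprivileged user to mount the deep directory is open; `unknown` for the namespace check means the script could not read either sysctl and the result should not be trusted.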