Screenshots from the blog posts
PoC video
Summary
A Linux kernel bug in overlayfs can lead to a dangerous root privilege escalation. Overlayfs combines two layers, upper and lower, in a filesystem. Changes to lower-layer files are reflected in the upper layer, but things get tricky when upper and lower directories are in different user namespaces. By creating a lower directory in their user namespace, an attacker with fake root privileges can make a root-owned setuid binary. When this binary is copied into a world-writable directory like /tmp, it becomes a real root-owned setuid binary. This opens a pathway for running attacker-controlled code as the root user, posing a significant security risk.
Description
Introduction:
OverlayFS Overview:
OverlayFS is a union filesystem used in Linux that allows the merging of two directory structures into a single view, with one directory acting as the upper layer and another as the lower layer. The upper layer typically contains modifications and additions, while the lower layer is usually read-only and serves as a base. This is commonly used in containerization and overlaying changes on top of a base filesystem.
User Namespaces:
User namespaces are a feature of the Linux kernel that allows for the isolation of user and group IDs between different processes. This is useful in containerization and security contexts, as it enables processes to have different views of users and groups, even when they share the same kernel.
The Vulnerability:
The vulnerability in OverlayFS arises when different user namespaces are involved, and it can lead to privilege escalation.
1. User Namespace Creation:
An attacker starts by creating a user namespace. Within their user namespace, they have fake root privileges. This means that within their namespace, they can act as if they are the root user, even though they don’t have true root privileges in the global system.
2. Creation of Lower Directory:
Within their user namespace, the attacker creates a lower directory in the OverlayFS. This directory is part of the lower layer of the filesystem.
3. Setuid Binary Creation:
Inside the lower directory, the attacker creates a root-owned setuid binary. A setuid binary is a binary that, when executed, runs with the permissions of its owner, which in this case is the root user.
4. Copy-Up Process:
OverlayFS is designed to keep the upper layer and lower layer in sync. When changes are made to a file in the lower layer, OverlayFS will attempt to copy those changes to the upper layer, creating a copy in the upper layer. In this scenario, the setuid binary created by the attacker is copied up to the upper layer.
5. Upper Layer Destination:
The upper layer can be a directory accessible to other users, like /tmp, which is often world-writable. Since the copy-up process doesn't consider the user namespace, the setuid binary is copied into the upper layer, and it retains its root ownership.
6. Privilege Escalation:
Now, the attacker has effectively placed a root-owned setuid binary in the upper layer. When they execute this binary, it runs with root privileges, effectively granting the attacker full control over the system as the root user.
LAB SETUP:
For Lab setup we follow the steps mentioned below.
- Creating a virtual machine (VM) with a specific, older version of Ubuntu (in this case, Ubuntu 22.04) that is vulnerable to the CVE.
- all you need to do is install older version of ubuntu by downloding it from (https://old-releases.ubuntu.com/releases/)
- Disabling the download updates during the installation to prevent automatic updates.
- Installing the required libraries, including GCC, CMake, and FUSE, on the VM.
# To install Install GCC, CMake, FUSE, libfuse-dev, and libcap-dev
sudo apt-get update
sudo apt-get install -y gcc cmake fuse libfuse-dev libcap-dev
# To Check the installed versions
gcc --version- Testing the vulnerability by compiling and running a specific C file to gain root access.
- for this part we are using a pre-relesed PoC (https://github.com/sxlmnwb/CVE-2023-0386)
PoC Discription:
The CVE-2023–0386 vulnerability leverages the behavior of OverlayFS to gain elevated privileges by manipulating the file system. Here’s how the exploit works in detail:
1. Vulnerability Overview:
- The vulnerability exists in the way the kernel copies files from the lower layers to the upper layer of an OverlayFS. Specifically, it involves a race condition during the copy operation.
2. Exploit Preparation:
- The attacker sets up an environment with two OverlayFS directories: “lower” (base) and “upper.”
mkdir base base/foo base/bar
mkdir upper3. Exploit Steps:
- The attacker creates a symbolic link (`symlink`) inside the “lower” directory that points to a sensitive system file, such as the /etc/shadow file.
ln -s /etc/shadow base/foo/shadow_symlink- This symlink in the "lower" directory points to a critical file in the base system.
4. Race Condition Exploitation:
- The attacker initiates a race condition by creating the symlink in the "lower" directory and concurrently triggering the copy operation by the kernel.
- The kernel starts copying the symlink from the lower layer to the upper layer.
- At the same time, the attacker changes the target of the symlink to a file they want to modify, for example, the /etc/passwd file.
ln -sf /etc/passwd base/foo/shadow_symlink- The kernel successfully copies the symlink to the upper layer but inadvertently points to the /etc/passwd file instead of /etc/shadow.
5. Privilege Escalation:
- Since the /etc/passwd file is now accessible in the upper layer, the attacker can modify it, add a new user with root privileges, or alter existing user credentials.
6. Cleanup:
- The attacker can clean up any remaining traces in the OverlayFS and exit.
This exploit demonstrates how the vulnerability allows an attacker to manipulate OverlayFS to gain unauthorized access and escalate privileges on the system by making the kernel copy a sensitive file from the lower directory to the upper directory during the race condition.
Testing Vuln.
Testing this vulnerablity is simple all you need to do is open 2 terminals simaltinously side by side.
promote yourself as root.
git clone the file from github using
git clone https://github.com/sxlmnwb/CVE-2023-0386.git
now use make all command to make a file.
once done in 1st terminal write ./fuse ./ovlcap/lower ./gc
in another terminal type ./exp
THE PATCH ANALYSIS :
The provided code snippet is the patch that fixes the vulnerability in the OverlayFS implementation within the Linux kernel.
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index 140f2742074d4e..c14e90764e3565 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -1011,6 +1011,10 @@ static int ovl_copy_up_one(struct dentry parent, struct dentry dentry,
if (err)
return err;
+ if (!kuid_has_mapping(current_user_ns(), ctx.stat.uid) ||
+ !kgid_has_mapping(current_user_ns(), ctx.stat.gid))
+ return -EOVERFLOW;
+
ctx.metacopy = ovl_need_meta_copy_up(dentry, ctx.stat.mode, flags);
if (parent) {Patch Analysis:
1. The patch affects the copy_up.c file in the OverlayFS module, specifically in the ovl_copy_up_one function, which is responsible for copying files in the OverlayFS.
2. The added lines of code introduce a critical security check using the kuid_has_mapping and kgid_has_mapping functions to verify whether the UID (User ID) and GID (Group ID) of the file being copied have a mapping within the user namespace (as specified by current_user_ns()).
3. The ctx.stat.uid and ctx.stat.gid represent the UID and GID of the file that is being copied, respectively.
4. If the UID or GID of the file being copied is not mapped within the user namespace, the patch returns an error code of -EOVERFLOW.
5. This check is a crucial security enhancement. It ensures that when a file is being copied, the UID and GID are properly mapped within the user namespace, preventing unauthorized UID and GID manipulation.
6. The ctx.metacopy variable is set based on this check to determine whether a meta copy operation is needed.
The vulnerability is patched by introducing these additional security checks. It ensures that any attempts to copy files within the OverlayFS will only be allowed if the UID and GID are appropriately mapped within the user namespace. If they are not mapped, the copy operation will be aborted, preventing potential exploits.
In your provided examples, you demonstrated how user namespaces can be configured to create mapping relationships between UIDs and GIDs inside and outside of the namespace, which is an important aspect of how this patch works.
PATCH DIFFING:
let’s dive into more detail about the patch and its significance in fixing the vulnerability in the OverlayFS module of the Linux kernel:
1. The Vulnerable Code Path:
The vulnerable code path involves copying a file within an OverlayFS mount. This copy operation is critical because it can be exploited to create a SetUID binary. The exploit relies on the kernel’s inability to properly check if the UID (User ID) and GID (Group ID) are mapped within the user namespace.
2. The Patch:
The patch, which is the code snippet you provided, is introduced in the copy_up.c file of the OverlayFS module. It specifically targets the ovl_copy_up_one function, which is responsible for copying files within OverlayFS. Here's a breakdown of the patch:
- kuid_has_mapping and kgid_has_mapping: These functions are used to check if the UID and GID of the file being copied are mapped within the user namespace. If they are not, it indicates that the UID and GID are not properly configured within the user namespace.
- ctx.stat.uid and ctx.stat.gid: These variables store the UID and GID of the file being copied.
- -EOVERFLOW Return: If either the UID or GID is not mapped within the user namespace, the patch returns an error code of -EOVERFLOW. This prevents the file copy operation, effectively fixing the vulnerability.
3. User Namespace Mapping: The patch relies on the concept of user namespaces, which is a Linux feature that allows the creation of isolated namespaces for user IDs and group IDs. In your provided example, you illustrated how a new user namespace is created and how UID 0 (root) in this user namespace corresponds to UID 1002 (john) outside of the user namespace. This mapping is crucial for the security check introduced by the patch.
4. Detection and Prevention: The patch provides both detection and prevention. It helps detect unauthorized file copy operations by checking the UID and GID mappings and prevents such operations from completing, thus preventing privilege escalation.
5. Security Significance: This patch is of paramount importance for security. It fixes a vulnerability that could have allowed an attacker to gain unauthorized root privileges by exploiting OverlayFS and user namespace interactions. By ensuring that the UID and GID of files are correctly mapped, the patch closes off this avenue for privilege escalation.
DETACTION:
Detection of an exploit that leverages the vulnerability described in CVE-2023–0386 is crucial for maintaining system security. The provided strategies and audit rules can be effective in identifying and mitigating such attacks. Here’s a breakdown of these detection opportunities:
1. SUID Binary Creation in World-Writable Folder Detection:
- This method aims to detect the creation of a SUID binary owned by root within a world-writable directory, such as /tmp. A SUID binary allows a user to execute a file with the privileges of the file's owner.
2. SUID Binary Execution by Non-Root User Detection:
- Detection is triggered when a SUID binary owned by root is executed by a non-root user, and the associated process has an effective UID (euid) of 0, meaning it successfully executed setuid(0) to escalate privileges.
3. Recently Modified SUID Binary Execution Detection:
- This approach detects when a SUID binary that has been recently modified on the file system is executed. The idea is that an attacker may have tampered with the SUID binary just before running it.
4. Auditd Rules for Detection:
- The provided audit rules for auditd (the Linux Audit Daemon) can help detect suspicious activities:
- Rule 1: Monitors
/tmp/CVE-2023-0386directory for any changes (writes) and records them. - Rule 2: Monitors any file or directory creation within
/tmpfor stat operations (checking file status) with a specific key. - Rule 3: Monitors the execution of binaries within
/tmpand checks if the effective UID (euid) is 0 (root). This rule helps detect the execution of SUID binaries. - Rule 4: Similar to Rule 3 but for effective GID (egid) equal to 0.
5. Post-Exploit Forensics:
- After the exploit has been triggered, you can search the file system for unusual SUID binaries. In this case, you can use the find command to look for files with the SUID bit set.
CONCLUSION:
In conclusion, the Linux kernel bug in overlayfs represents a critical security vulnerability that can lead to a dangerous root privilege escalation. The overlayfs technology, which allows for two-layer filesystems with upper and lower directories, becomes problematic when those directories are associated with different user namespaces. Exploiting this bug, an attacker with fake root privileges can craft a root-owned setuid binary in their user namespace. By triggering the copy of this binary into a world-writable directory, such as /tmp, it transforms into a genuine root-owned setuid binary. This scenario creates an alarming avenue for executing attacker-controlled code as the root user, underscoring the need for swift attention and resolution to safeguard the integrity and security of the Linux kernel and the systems it supports.
