Full Report
Sagitz read about a Linux kernel privilege escalation labeled CVE-2023-0386. The vulnerability abused OverlayFS: SUID files from a `nosuid` mount could be copied to directories outside it, after which escalating to root is trivial. To mitigate the problem, a check was added to verify that the owner of the modified file is mapped in the current user namespace. This closes the SUID route, since an SUID binary must be owned by root to be effective. Where there is one bug, there may be several variants of the same issue, so the researchers asked: "Is there any other way to elevate privileges?" There are also file capabilities, which grant root-like capabilities to a file without requiring it to be owned by root. With file capabilities, the same exploit method can be used instead of SUID binaries. The exploit only worked on one of the authors' systems, but why? They decided to reverse their search: are there any other places in the kernel where file capabilities are copied without conversion? With this approach they found a variant of the issue in another place. The vulnerability is so easy to exploit that it can be done with a bash script. For more on these bugs, read here. The mindset of going from an old CVE to a new bug, and from that to another new bug, was great to see: really good commentary on how hackers find vulnerabilities and how to use prior research to propel your own work.
Analysis Summary
# Vulnerability: GameOverlay - Linux Kernel OverlayFS Privilege Escalation
## CVE Details
- **CVE ID:** CVE-2023-2640 and CVE-2023-32629 (Related to CVE-2023-0386)
- **CVSS Score:** 7.8 (High)
- **CWE:** CWE-284 (Improper Access Control) / CWE-269 (Improper Privilege Management)
## Affected Systems
- **Products:** Ubuntu Linux Kernel
- **Versions:**
  - CVE-2023-2640: Ubuntu kernels since 2018 (specifically 5.x and 6.x branches).
  - CVE-2023-32629: Ubuntu kernels since 2019 (specifically 5.4.x).
- **Configurations:** Systems utilizing OverlayFS where unprivileged user namespaces are enabled (default in Ubuntu).
## Vulnerability Description
These vulnerabilities are variants of the original CVE-2023-0386 flaw. The core issue lies in how the Linux Kernel's **OverlayFS** module handles extended attributes (xattrs), specifically file capabilities.
When a file is copied up from a "lower" layer to the "upper" layer of an OverlayFS mount, the kernel is supposed to check whether the user has the permissions needed to preserve sensitive metadata. Ubuntu's specific modifications to the kernel (intended as a performance optimization) allowed file capabilities (as set with `setcap`) to be copied from a `nosuid` mount to a location where those capabilities would be honoured. Because the capabilities were copied without the proper user-namespace verification, an unprivileged user could create a file carrying elevated capabilities (such as `cap_setuid`), which leads to instant root access.
## Exploitation
- **Status:** PoC available and widely discussed; publicly demonstrated in research write-ups.
- **Complexity:** Low (Can be executed via a simple Bash script).
- **Attack Vector:** Local (Requires local shell access to the system).
## Impact
- **Confidentiality:** Total (Full system access)
- **Integrity:** Total (Ability to modify any file on the system)
- **Availability:** Total (Ability to crash or wipe the system)
## Remediation
### Patches
- **Ubuntu Kernel Updates:** Patches were released in July 2023. Users should update to the latest Ubuntu kernel via `apt upgrade` and reboot so the new kernel is actually running.
- **Upstream Fix:** These issues were specific to Ubuntu's custom OverlayFS patches rather than the upstream kernel; ensure you are running Ubuntu's official security-patched kernel builds.
### Workarounds
- **Disable Unprivileged User Namespaces:** This significantly reduces the attack surface for OverlayFS exploits, at the cost of breaking software that relies on unprivileged user namespaces (rootless containers, some browser sandboxes). Persist the setting under `/etc/sysctl.d/` so it survives a reboot.
  - `sysctl -w kernel.unprivileged_userns_clone=0`
- **Restrict OverlayFS:** Limit the ability of unprivileged users to create OverlayFS mounts using security modules like AppArmor or SELinux.
## Detection
- **Indicators of Compromise:**
  - Presence of unusual SUID binaries or files with unexpected file capabilities in the `/tmp` or `/var/tmp` directories.
  - Audit logs showing `mount` syscalls involving OverlayFS by non-root users.
- **Detection methods and tools:**
  - Use `getcap -r /` to scan for files with unexpected capabilities.
  - Security monitoring tools (EDR) should flag unprivileged mounting of OverlayFS.
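As an added example (not code from the Wiz write-up, the Ubuntu advisory or Sagitz's thread), the following POSIX shell script turns the detection and workaround items above into repeatable host checks: it parses `getcap -r` output for capability-bearing files in user-writable temp directories, parses `/proc/self/mountinfo` for overlay mounts whose `upperdir` sits in such a directory or that carry the `userxattr` option used by unprivileged overlay mounts, and reports the Ubuntu `kernel.unprivileged_userns_clone` sysctl. The temp-directory watch list is an assumption, and `getcap` (libcap) is assumed to be installed.

```shell
#!/bin/sh
# Added audit script (not from the Wiz write-up or the Ubuntu advisory); assumes
# getcap (libcap) is installed. Temp dirs below are an assumed watch list.
TEMP_DIRS='/tmp /var/tmp /dev/shm'
# Return 0 when path $1 lies under one of TEMP_DIRS.
under_temp_dir() {
    for d in $TEMP_DIRS; do
        case "$1" in "$d"/*) return 0 ;; esac
    done
    return 1
}
# Read `getcap -r` output on stdin; print files carrying a capability inside a
# temp dir. Returns 1 when something was flagged, 0 when clean.
flag_capability_files() {
    found=0
    while IFS= read -r line; do
        path=${line%% *}            # first field is the path, rest is the cap set
        [ -n "$path" ] || continue
        if under_temp_dir "$path"; then
            printf 'CAPABILITY IN TEMP DIR: %s\n' "$line"
            found=1
        fi
    done
    return $found
}
# Read /proc/self/mountinfo on stdin; print overlay mounts whose upperdir is in a
# temp dir or that use userxattr (the option for unprivileged overlay mounts).
# Returns 1 when something was flagged, 0 when clean.
flag_overlay_mounts() {
    found=0
    while IFS= read -r line; do
        case "$line" in *' - overlay '*) ;; *) continue ;; esac
        opts=${line##* }            # super-block options are the last field
        mnt=$(printf '%s\n' "$line" | cut -d' ' -f5)
        case "$opts" in *upperdir=*) upper=${opts#*upperdir=}; upper=${upper%%,*} ;; *) upper= ;; esac
        if { [ -n "$upper" ] && under_temp_dir "$upper"; } || [ "${opts#*userxattr}" != "$opts" ]; then
            printf 'SUSPICIOUS OVERLAY MOUNT: %s upperdir=%s opts=%s\n' "$mnt" "${upper:-none}" "$opts"
            found=1
        fi
    done
    return $found
}
# Live run: capability scan, overlay mounts, and Ubuntu's unprivileged-userns sysctl.
run_audit() {
    getcap -r / 2>/dev/null | flag_capability_files || true
    flag_overlay_mounts < /proc/self/mountinfo || true
    printf 'kernel.unprivileged_userns_clone=%s\n' "$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo n/a)"
}
if [ "${1:-}" = --run ]; then run_audit; fi
```

Run it as `sh overlayfs_audit.sh --run` on the host; a non-empty report is a triage lead rather than proof of compromise, since rootless container runtimes also create user-namespace overlay mounts.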
## References
- **Wiz Research Blog:** hxxps[://]www[.]wiz[.]io/blog/ubuntu-overlayfs-vulnerability
- **Ubuntu Security Advisory:** hxxps[://]ubuntu[.]com/security/notices/USN-6250-1
- **Sagitz Technical Thread:** hxxps[://]x[.]com/sagitz_/status/1684651555079766016
- **CVE Project:** hxxps[://]cve[.]mitre[.]org/cgi-bin/cvename[.]cgi?name=CVE-2023-2640