![]() ![]() We can then create a "unified" file system mount combining these directories using an OverlayFS mount: # Create mount point and empty "workdir" directory required by OverlayFS mkdir /mnt/overlay workdir We start by creating several folders, representing our different mount points, and create a directory structure inside them: mkdir base base/foo base/bar The overlay file system (often abbreviated as OverlayFS) allows a user to "merge" several mount points into a unified file system. The unprivileged user was able (by design) to escalate to root using our binary with the SUID bit set. Going back to our unprivileged user shell, let's run it again. Let's do it as a privileged user and add the SUID bit to it: chown root:root chmod +s setuid To change the ownership of the file to root, we need to be root (by design). setuidĬould not setuid(0): Operation not permitted Let's compile the binary and try to run it, as an unprivileged user: gcc -Wall setuid.c -o chmod +x. The operation will succeed only if the binary is owned by root and if the binary has the SUID bit set. This program attempts to impersonate the root user (UID 0). Let's see a quick example using the following code: # include # include # include # include # include int main ( void ) The SUID bit (for "set user ID") is a special file permission that allows a binary to impersonate the owner of the binary using the setuid system call family, instead of the user executing it. ![]() If you're already familiar with these, feel free to jump right to how the exploit works. Major Linux distributions have released dedicated security bulletins to help mitigate the vulnerability, including:īefore we examine in detail how to exploit the vulnerability, let's review two concepts: the SUID bit and the overlay file system. To remediate the vulnerability, ensure your Linux systems are running a patched kernel version. The easiest way to check whether your system is vulnerable is to see which version of the Linux kernel it uses by running the command uname -r.Ī system is likely to be vulnerable if it has a kernel version lower than 6.2.įor more precise instructions on how to check if a system is vulnerable, you can refer to the advisory specific to your Linux distribution listed in the next section. This vulnerability exclusively affects Linux-based systems. As of May 10, 2023, there has been no observed exploitation in the wild, but due to the existence of open source PoCs, we recommend prioritizing patching. The vulnerability, dubbed CVE-2023-0386, is trivial to exploit and applicable to a wide-ranging set of popular Linux distributions and kernel versions. May 4, 2023: Proof-of-concept (PoC) exploits appear on GitHub.March 22, 2023: Vulnerability is publicly disclosed on the NIST NVD as CVE-2023-0386.January 27, 2023: Vulnerability is patched on the Linux source tree.It is a local privilege escalation vulnerability, allowing an unprivileged user to escalate their privileges to the root user. On March 22, 2023, a vulnerability in the Linux kernel was publicly disclosed. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |