Exploit for Ubuntu OverlayFS Privesc Vulnerability

CVE-2021-3493 is an Ubuntu-specific issue in the overlayfs file system in the Linux kernel where it did not properly validate the application of file system capabilities to use namespaces. A local attacker could use this to gain elevated privileges, due to a patch carried in Ubuntu to allow unprivileged overlayfs mounts.

Lab Setup

Ubuntu Machine (Affected Versions)
Git Tools (To clone repository)
GCC Compiler (To compile c file)

Implementation

Use the command whoami and id to check the privilege of the current user.

To get the exploit - Clone the repository using the below command. Ensure that git is installed in your system. If not, use the command - sudo apt-get install git.

Git Install Command

Once the git is installed clone the repository using the command - git clone https://github.com/briskets/CVE-2021-3493.git.

Git Clone Command

After cloning, the new directory named CVE-2021-3493 is created in the present directory, navigate to that directory by using the command: cd CVE-2021-3493.

Files in the repository

There is a file named exploit.c which is the C file. Compile it using GCC compiler. Command - gcc exploit.c.

Compiling the exploit

If you did not provide any output file name, a.out will be created by default.

Executable is created

Execute the exploit using the command ./a.out. After executing a new shell will be created. Verify the privilege using command: whoami and id.

Execute the exploit

We have gained the Privilege of the root user.

ROOT user

Now with root privileges, you have access to all commands and files on a Linux machine. Attackers can now add, delete users or change their password or do anything they want.
Initially, we were not able to change the password of the user1. However, after executing the exploit we gained the root user access. Now we can change the password of the user1.