Exploit for Ubuntu OverlayFS Privesc Vulnerability

CVE-2021-3493 is an Ubuntu-specific issue in the overlayfs file system in the Linux kernel: overlayfs did not properly validate the application of file system capabilities with respect to user namespaces. A local attacker could use this to gain elevated privileges. The bug exists because of a patch carried in Ubuntu kernels that allows unprivileged overlayfs mounts inside user namespaces.


Lab Setup

  • Ubuntu Machine (Affected Versions)
  • Git Tools (To clone repository)
  • GCC Compiler (To compile c file)

Implementation

  • Use the commands whoami and id to check the privileges of the current user.
  • To get the exploit, clone the repository with the command below. Ensure that git is installed on your system; if not, install it with sudo apt-get install git.
[Screenshot: Git Install Command]
  • Once git is installed, clone the repository with git clone https://github.com/briskets/CVE-2021-3493.git.
[Screenshot: Git Clone Command]
  • After cloning, a new directory named CVE-2021-3493 is created in the current directory. Change into it with cd CVE-2021-3493.
[Screenshot: Files in the repository]
  • The repository contains a C source file named exploit.c. Compile it with GCC: gcc exploit.c.
[Screenshot: Compiling the exploit]
  • If you did not provide an output file name, the executable is created as a.out by default.
[Screenshot: Executable is created]
  • Execute the exploit with ./a.out. A new shell is spawned; verify its privileges with whoami and id.
[Screenshot: Execute the exploit]
  • We have gained the privileges of the root user.
[Screenshot: ROOT user]
  • With root privileges, you have access to every command and file on the Linux machine. An attacker at this point can add or delete users, change their passwords, or do anything else they want.
  • Initially we were not able to change the password of user1. After executing the exploit we have root access, so the password of user1 can now be changed.
[Screenshot: Post-Exploit]
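The exploit above depends on an unprivileged user being able to create a user namespace and mount overlayfs inside it. Until the kernel is updated, Ubuntu offers the kernel.unprivileged_userns_clone sysctl to block unprivileged user namespace creation. The script below is an added example (not part of the original post or the briskets repository) that audits that setting on a host and reports whether the temporary mitigation is in place; the sysctl path and the "enabled/disabled/absent" labels are my own assumptions, and the check says nothing about whether the kernel itself is patched.

```shell
#!/bin/sh
# Added example, not from the original post: audit whether unprivileged user
# namespaces are enabled, the precondition the overlayfs exploit relies on.
# Assumes the Ubuntu-specific sysctl kernel.unprivileged_userns_clone.

USERNS_SYSCTL=/proc/sys/kernel/unprivileged_userns_clone

# Print "enabled", "disabled", "absent" or "unknown" for the given sysctl file.
# The path argument exists so the function can be exercised against a
# constructed file on non-Ubuntu hosts.
userns_status() {
    f="${1:-$USERNS_SYSCTL}"
    if [ ! -r "$f" ]; then
        echo absent
        return 0
    fi
    case "$(cat "$f")" in
        0) echo disabled ;;
        1) echo enabled ;;
        *) echo unknown ;;
    esac
}

# Succeed (exit 0) only when the status string means the mitigation is active.
mitigated() {
    [ "$1" = "disabled" ]
}

main() {
    status=$(userns_status "$USERNS_SYSCTL")
    echo "unprivileged user namespaces: $status"
    if mitigated "$status"; then
        echo "Temporary mitigation present (unprivileged userns disabled)."
    else
        echo "Host is exposed if its kernel is unpatched."
        echo "Temporary mitigation (as root): sysctl -w kernel.unprivileged_userns_clone=0"
        echo "Persist it in /etc/sysctl.d/ and apply the kernel update as the real fix."
    fi
}

main "$@"
```

Run it as any user; reading the sysctl does not need root. A status of "absent" means the host is not running an Ubuntu kernel with that sysctl, so this particular check does not apply there. Disabling unprivileged user namespaces also breaks software that legitimately relies on them (rootless containers, some sandboxes), so treat it as a stopgap while the kernel update is rolled out.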
We hope this helps. If you have any suggestions or doubts, add a comment and we will reply as soon as possible.
