# CVE-2021-3493

## Theory

CVE-2021-3493 is an **Ubuntu**-specific issue in the overlayfs file system of the Linux kernel: overlayfs did not properly validate the application of file system capabilities with respect to user namespaces. Because Ubuntu carries a patch that allows unprivileged overlayfs mounts, a local attacker could use this to gain elevated privileges.

## Practice

{% tabs %}
{% tab title="Enumerate" %}
The target system is likely to be vulnerable if it runs Ubuntu and has a **kernel version lower than 5.11**.

```bash
#Get Kernel version
$ uname -r
4.15.0-76-generic
```

Affected versions are:

* Ubuntu 20.10
* Ubuntu 20.04 LTS
* Ubuntu 19.04
* Ubuntu 18.04 LTS
* Ubuntu 16.04 LTS
* Ubuntu 14.04 ESM

{% endtab %}

{% tab title="Exploit" %}
Using [this exploit](https://github.com/briskets/CVE-2021-3493) or [this one](https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/) we can abuse CVE-2021-3493.

```bash
#Compile
gcc exploit.c -o exploit

#Run it
./exploit
```

{% hint style="info" %}
If the target doesn't have gcc installed, you may need to recreate a similar virtual environment to compile the exploit.
{% endhint %}
{% endtab %}
{% endtabs %}
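
A host-side triage check built on the heuristic from the Enumerate tab (Ubuntu with a kernel older than 5.11), as an added example that is not part of the original page; the function names are hypothetical. A match only means the kernel version falls in the range described above, not that the installed kernel package is unpatched.

```bash
#!/bin/sh
# Added example: flag hosts matching the "Ubuntu + kernel < 5.11" heuristic.
# Function names are hypothetical; written for POSIX sh.

# kernel_older_than RELEASE MAJOR MINOR
# Exit 0 if RELEASE (e.g. "4.15.0-76-generic") is older than MAJOR.MINOR,
# 1 if it is not, 2 if RELEASE cannot be parsed.
kernel_older_than() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}            # text before the first dot
    rest=${1#*.}              # text after the first dot
    minor=${rest%%[!0-9]*}    # leading digits of the remainder
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -lt "$2" ] && return 0
    [ "$major" -eq "$2" ] && [ "$minor" -lt "$3" ] && return 0
    return 1
}

# os_id_from FILE: print the ID= value of an os-release style file.
os_id_from() {
    [ -r "$1" ] || return 1
    sed -n 's/^ID=//p' "$1" | tr -d '"' | head -n 1
}

# likely_affected OS_ID KERNEL_RELEASE
# Exit 0 only for Ubuntu with a kernel older than 5.11.
likely_affected() {
    [ "$1" = "ubuntu" ] || return 1
    kernel_older_than "$2" 5 11
}

# Check the local host.
if likely_affected "$(os_id_from /etc/os-release)" "$(uname -r)"; then
    echo "Heuristic match: Ubuntu with kernel $(uname -r) (< 5.11)."
    echo "Confirm the installed kernel package against the vendor advisory."
else
    echo "Heuristic does not match this host."
fi
```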

## Resources

{% embed url="<https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/>" %}

{% embed url="<https://tryhackme.com/room/overlayfs>" %}
