GameOverlayFs

CVE-2023-2640 & CVE-2023-32629

Theory

CVE-2023-2640 and CVE-2023-32629 were found in the OverlayFS module in Ubuntu, which is a widely used Linux filesystem that became highly popular with the rise of containers as its features enable the deployment of dynamic filesystems based on pre-built images. The two vulnerabilities are exclusive to Ubuntu because Ubuntu introduced several changes to the OverlayFS module in 2018.

These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine. Linux has a feature called "file capabilities" that grants elevated privileges to executables while they're executed. This feature is reserved for the root user, while lower-privileged users cannot create such files. However, we discovered that it's possible to craft an executable file with “scoped” file capabilities and trick the Ubuntu kernel into copying it to a different location with “unscoped” capabilities, granting anyone who executes it root-like privileges.

Practice

The target system is likely to be vulnerable if its an Ubuntu and has a kernel version lower than 6.2 and greater than 5.15.

#Get Kernel version
$ uname -r
5.15.70-051570-generic

Following versions are vulnerable (marked with a ✔):

Release

Version

CVE-2023-2640

CVE-2023-32629

Ubuntu 23.04 (Lunar Lobster)

6.2.0

✔

Ubuntu 22.10 (Kinetic Kudu)

5.19.0

✔

Ubuntu 22.04 LTS (Jammy Jellyfish)

5.19.0

✔

6.2.0

✔

5.15.0

✘

Ubuntu 20.04 LTS (Focal Fossa)

5.15.0

✘

5.4.0

✘

✔

Ubuntu 18.04 LTS (Bionic Beaver)

5.4.0

✘

✔

Using this exploit from luanoliveira350, we can abuse GameoverlayFS

# Just run it !
chmod +x gameoverlay.sh
./gameoverlay.sh

Don't forget to edit the command you want to run in the gameoverlay.sh script.

Resources

GameOverlay Vulnerability Impacts 40% of Ubuntu Workloads | Wiz Blogwiz.io

Last updated 2 years ago

hashtagTheory

hashtagPractice

hashtagResources

Theory

Practice

Resources