This repository has been archived by the owner on Apr 3, 2024. It is now read-only.

NextFire-PolyMTL/inf8602-mini-project
inf8602-mini-project

Prerequisites

Quickstart

Launch the virtual machine:

vagrant up

Try the proof of concept:

vagrant ssh
cd /vagrant/
make
sudo su john
./poc

Build and run the lsm_bpf mitigation (a BPF LSM program under lsm_bpf/; it has to be loaded as root):

vagrant ssh
cd /vagrant/lsm_bpf/
meson setup build
meson compile -C build/
sudo ./build/lsm_bpf

CVE-2023-0386

This folder contains a virtual machine and instructions to reproduce CVE-2023-0386, a vulnerability in the Linux kernel’s OverlayFS subsystem that allows an unprivileged user to escalate their privileges to root. The flaw is in the copy-up path: when a file from a lower layer is copied to the upper layer, OverlayFS preserves the lower file's owner and setuid bit without checking that this owner is actually mapped in the user namespace of the user who mounted the overlay. A lower layer that merely claims to hold a setuid root binary therefore yields a real one on the upper filesystem.

How to reproduce

  • Start the virtual machine (based on Ubuntu 22.04.1, kernel 5.15.0-57-generic):
vagrant up
  • SSH to the machine as an unprivileged user:
vagrant ssh --command "sudo su john -c 'cd; bash'"
john@ubuntu-jammy:~$ id
uid=1002(john) gid=1002(john) groups=1002(john)
  • Exploit:

The virtual machine is provisioned with an exploit that merges the different pieces of the proof-of-concept repository credited below into a single static binary. The binary creates a directory tree under /tmp/ovlcap and starts a FUSE filesystem that serves a setuid executable owned by root. It then calls unshare to enter a new user and mount namespace, mounts an overlay with the FUSE directory as the lower layer, and triggers a copy-up of the lower setuid executable into the upper directory, where it lands as a genuine root-owned setuid binary on the host filesystem. Finally, it runs the copied-up executable to spawn a root shell.

Run the following command to exploit the vulnerability and escalate to root:

./poc

Credits

Proof-of-concept: https://github.com/xkaneiki/CVE-2023-0386/

Reproduction for Datadog: Ryan Simon and Fred Baguelin
