leviathan/SKELETONKEY
1
0
Fork 0
Code Issues Pull Requests Actions 21 Packages Projects Releases Wiki Activity

Phase 7: overlayfs CVE-2021-3493 module (Ubuntu userns LPE) — detect-only

Browse Source 
10th module. Ubuntu-specific userns + overlayfs LPE that injects file
capabilities cross-namespace.

- modules/overlayfs_cve_2021_3493/iamroot_modules.{c,h}:
  - is_ubuntu() — parses /etc/os-release for ID=ubuntu or
    ID_LIKE=ubuntu. Non-Ubuntu hosts get IAMROOT_OK immediately (the
    bug is specific to Ubuntu's modified overlayfs).
  - unprivileged_userns_clone gate — sysctl=0 → PRECOND_FAIL
  - Active probe (--active): forks a child that enters userns +
    mountns and attempts the overlayfs mount inside /tmp. Mount
    success on Ubuntu = VULNERABLE. Mount denied = patched / AppArmor
    block. Child-isolated so parent's namespace state is untouched.
  - Version fallback: kernel < 5.13 = vulnerable-by-inference for
    Ubuntu kernels; recommend --active for confirmation.
  - Exploit: detect-only stub. Reference vsh's exploit-cve-2021-3493
    for full version (mount overlayfs in userns, drop binary with
    cap_setuid+ep into upper layer, re-exec outside ns).
  - Embedded auditd rules: mount(overlay) syscall + security.capability
    xattr writes (the exploit's two-step footprint).

Verified end-to-end on kctf-mgr (Debian):
  iamroot --scan → 'not Ubuntu — bug is Ubuntu-specific' → IAMROOT_OK

Module count: 10. Active-probe pattern now applies to dirty_pipe,
entrybleed, and overlayfs (and copy_fail_family via existing
dirtyfail_active_probes global). Detect quality across the corpus
materially improved this session.
This commit is contained in:
KaraZajac
2026-05-16 20:22:32 -04:00
parent b206610a8e
commit 3eeee01f06
6 changed files with 259 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+6 -1
View File
@@ -51,10 +51,15 @@ NFT_DIR := modules/nf_tables_cve_2024_1086
NFT_SRCS := $(NFT_DIR)/iamroot_modules.c
NFT_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(NFT_SRCS))
# Family: overlayfs (CVE-2021-3493)
OVL_DIR := modules/overlayfs_cve_2021_3493
OVL_SRCS := $(OVL_DIR)/iamroot_modules.c
OVL_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(OVL_SRCS))
# Top-level dispatcher
TOP_OBJ := $(BUILD)/iamroot.o
ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS)
ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS)
.PHONY: all clean debug static help