Add overlayfs_setuid CVE-2023-0386 — FULL working exploit

Distro-agnostic overlayfs LPE — complements Ubuntu-specific CVE-2021-3493.
Same overlayfs family.

The bug: overlayfs copy_up preserves setuid bits even when the
unprivileged user triggering copy-up wouldn't normally have CAP_FSETID.

Exploit:
  1. unshare(USER|NS), uid_map self → root in userns
  2. Find a setuid binary on host (/usr/bin/su, sudo, passwd auto-pick)
  3. mount overlayfs with the binary's dirname as lower
  4. chown(merged/<binary>, 0, 0) — triggers copy-up; THE BUG: setuid
     bit persists in upper-layer copy despite our unprivileged context
  5. Open + truncate + replace upper-layer content with our payload
     (a compiled C binary that setresuid(0,0,0) + execle /bin/sh -p)
  6. exec upper-layer binary — runs as root via persistent setuid bit

- kernel_range: 5.11 ≤ K < 6.3, backports 5.15.110 / 6.1.27 / 6.2.13
- Detect refuses on patched / missing setuid carrier / userns denied
- Cleanup: rm -rf /tmp/iamroot-ovlsu-*
- Auditd: mount(overlay) + chown/fchown chain — shared with
  CVE-2021-3493 module via the family-level 'iamroot-overlayfs' key
- Compiles payload via target's gcc/cc (fallback dynamic if no -static)

Verified on Debian 6.12.86 (patched): detect reports OK; exploit
refuses cleanly. Module count = 20.

Coverage by year now (only 2018 gap remaining):
  2016: dirty_cow                                  🟢
  2017: af_packet                                  🔵
  2019: ptrace_traceme                             🟢
  2020: af_packet2                                 🔵
  2021: pwnkit, overlayfs, netfilter_xtcompat      🟢/🟢/🔵
  2022: dirty_pipe, cls_route4, fuse_legacy,
        cgroup_release_agent                       🟢/🔵/🔵/🟢
  2023: entrybleed, stackrot, overlayfs_setuid     🟢/🔵/🟢
  2024: nf_tables                                  🔵
  2026: copy_fail family (×5)                      🟢🟢🟢🟢🟢

16 of 20 modules have FULL working exploits (🟢).
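Defender-side example, added here and not part of this commit or the project: correlating the mount + chown/fchown chain that the message says the module's auditd rules tag with the family-level 'iamroot-overlayfs' key. The audit records are constructed, not real captures; syscall numbers are x86_64; the 30-second window and the session-based grouping are this example's own assumptions, and a SYSCALL record carries no filesystem type, so the match is on the mount syscall itself rather than on "overlay".

```python
import re
from collections import defaultdict

# Constructed ausearch-style SYSCALL records (not real captures).
# x86_64 syscall numbers: 165 = mount, 92 = chown, 93 = fchown, 260 = fchownat.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1716000001.100:201): arch=c000003e syscall=165 success=yes exit=0 pid=4242 auid=1000 ses=7 key="iamroot-overlayfs"
type=SYSCALL msg=audit(1716000001.350:202): arch=c000003e syscall=92 success=yes exit=0 pid=4242 auid=1000 ses=7 key="iamroot-overlayfs"
type=SYSCALL msg=audit(1716000050.000:203): arch=c000003e syscall=92 success=yes exit=0 pid=5151 auid=1001 ses=9 key="iamroot-overlayfs"
type=SYSCALL msg=audit(1716000900.000:204): arch=c000003e syscall=165 success=yes exit=0 pid=6161 auid=1002 ses=11 key="iamroot-overlayfs"
type=SYSCALL msg=audit(1716000999.000:205): arch=c000003e syscall=93 success=yes exit=0 pid=6161 auid=1002 ses=11 key="iamroot-overlayfs"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
MOUNT = {165}
CHOWN = {92, 93, 260}


def parse_record(line):
    """Return the fields of one SYSCALL record as a dict, or None for other types."""
    m = TS_RE.search(line)
    if not m or not line.startswith("type=SYSCALL"):
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {
        "ts": float(m.group(1)), "serial": int(m.group(2)),
        "syscall": int(fields.get("syscall", -1)),
        "auid": int(fields.get("auid", -1)), "ses": int(fields.get("ses", -1)),
        "pid": int(fields.get("pid", -1)), "key": fields.get("key", ""),
    }


def find_overlay_copyup_chains(audit_text, window=30.0, key="iamroot-overlayfs"):
    """Flag a mount() followed within `window` seconds by a chown-family syscall
    from the same login session (auid, ses) tagged with the audit key.
    Returns (auid, ses, mount_serial, chown_serial) tuples."""
    by_session = defaultdict(list)
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if rec and rec["key"] == key:
            by_session[(rec["auid"], rec["ses"])].append(rec)
    alerts = []
    for (auid, ses), recs in by_session.items():
        recs.sort(key=lambda r: r["ts"])
        for i, m in enumerate(recs):
            if m["syscall"] not in MOUNT:
                continue
            for c in recs[i + 1:]:
                if c["ts"] - m["ts"] > window:
                    break  # later records are outside the window
                if c["syscall"] in CHOWN:
                    alerts.append((auid, ses, m["serial"], c["serial"]))
                    break
    return alerts
```

A chown without a preceding mount in the same session (record 203) and a mount whose fchown arrives after the window (204/205) are deliberately left unflagged, so widening the window is the knob to turn for slower copy-up sequences.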
2026-05-16 21:11:37 -04:00
parent 6eab6d3f70
commit 4e9741ef1f
5 changed files with 419 additions and 1 deletions
+6 -1
@@ -101,10 +101,15 @@ CRA_DIR := modules/cgroup_release_agent_cve_2022_0492
CRA_SRCS := $(CRA_DIR)/iamroot_modules.c
CRA_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(CRA_SRCS))
# Family: overlayfs_setuid (CVE-2023-0386) — joins overlayfs family
OSU_DIR := modules/overlayfs_setuid_cve_2023_0386
OSU_SRCS := $(OSU_DIR)/iamroot_modules.c
OSU_OBJS := $(patsubst %.c,$(BUILD)/%.o,$(OSU_SRCS))
# Top-level dispatcher
TOP_OBJ := $(BUILD)/iamroot.o
ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS) $(CR4_OBJS) $(DCOW_OBJS) $(PTM_OBJS) $(NXC_OBJS) $(AFP_OBJS) $(FUL_OBJS) $(STR_OBJS) $(AFP2_OBJS) $(CRA_OBJS)
ALL_OBJS := $(TOP_OBJ) $(CORE_OBJS) $(CFF_OBJS) $(DP_OBJS) $(EB_OBJS) $(PK_OBJS) $(NFT_OBJS) $(OVL_OBJS) $(CR4_OBJS) $(DCOW_OBJS) $(PTM_OBJS) $(NXC_OBJS) $(AFP_OBJS) $(FUL_OBJS) $(STR_OBJS) $(AFP2_OBJS) $(CRA_OBJS) $(OSU_OBJS)
.PHONY: all clean debug static help
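Review bot: ALL_OBJS is a single very long line that every new module rewrites in full (this hunk replaces it just to append $(OSU_OBJS)), so concurrent module additions will conflict on it; consider `ALL_OBJS += $(OSU_OBJS)` directly after the OSU_OBJS definition, which keeps each module's Makefile block self-contained in the same CRA_DIR / CRA_SRCS / CRA_OBJS pattern the new OSU_* lines already follow.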