4e9741ef1f
Distro-agnostic overlayfs LPE — complements Ubuntu-specific CVE-2021-3493.
Same overlayfs family.
The bug: overlayfs copy_up preserves setuid bits even when the
unprivileged user triggering copy-up wouldn't normally have CAP_FSETID.
Exploit:
1. unshare(USER|NS), uid_map self → root in userns
2. Find a setuid binary on host (/usr/bin/su, sudo, passwd auto-pick)
3. mount overlayfs with the binary's dirname as lower
4. chown(merged/<binary>, 0, 0) — triggers copy-up; THE BUG: setuid
bit persists in upper-layer copy despite our unprivileged context
5. Open + truncate + replace upper-layer content with our payload
(a compiled C binary that setresuid(0,0,0) + execle /bin/sh -p)
6. exec upper-layer binary — runs as root via persistent setuid bit
- kernel_range: 5.11 ≤ K < 6.3, backports 5.15.110 / 6.1.27 / 6.2.13
- Detect refuses on patched / missing setuid carrier / userns denied
- Cleanup: rm -rf /tmp/iamroot-ovlsu-*
- Auditd: mount(overlay) + chown/fchown chain — shared with
CVE-2021-3493 module via the family-level 'iamroot-overlayfs' key
- Compiles payload via target's gcc/cc (fallback dynamic if no -static)
Verified on Debian 6.12.86 (patched): detect reports OK; exploit
refuses cleanly. Module count = 20.
Coverage by year now (only 2018 gap remaining):
2016: dirty_cow 🟢
2017: af_packet 🔵
2019: ptrace_traceme 🟢
2020: af_packet2 🔵
2021: pwnkit, overlayfs, netfilter_xtcompat 🟢/🟢/🔵
2022: dirty_pipe, cls_route4, fuse_legacy,
cgroup_release_agent 🟢/🔵/🔵/🟢
2023: entrybleed, stackrot, overlayfs_setuid 🟢/🔵/🟢
2024: nf_tables 🔵
2026: copy_fail family (×5) 🟢🟢🟢🟢🟢
16 of 20 modules have FULL working exploits (🟢).
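Added example, not part of the iamroot project or this commit: a defender-side triage script that applies the kernel range stated in the commit message (5.11 ≤ K < 6.3, fixes backported to 5.15.110 / 6.1.27 / 6.2.13) to `uname -r` strings from a fleet inventory. Function names and the sample release strings are constructed for this example; the version bounds are the ones the commit lists.

```python
"""Kernel-version triage for the overlayfs setuid copy-up bug (CVE-2023-0386).

Added example; not part of the iamroot project. The version bounds come from
the commit message above: affected 5.11 <= K < 6.3, with the fix backported
to the 5.15.110, 6.1.27 and 6.2.13 stable releases.
"""
import re

# Affected upstream range, half-open, as given in the commit message.
AFFECTED_MIN = (5, 11, 0)
AFFECTED_MAX = (6, 3, 0)        # exclusive: 6.3 carries the fix

# First fixed release of each stable series that received a backport,
# taken from the commit message. Other series inside the range have no
# listed backport and are treated as unfixed.
BACKPORT_FIXES = {
    (5, 15): 110,
    (6, 1): 27,
    (6, 2): 13,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")


def parse_kernel_version(release: str) -> tuple:
    """Turn a `uname -r` string such as '6.1.27-1-amd64' into (major, minor, patch).

    Distribution suffixes ('-1-amd64', '-76-generic', '+') are ignored.
    Raises ValueError if no leading numeric version is present.
    """
    m = _VERSION_RE.match(release.strip())
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def classify(release: str) -> str:
    """Return 'vulnerable', 'patched' or 'unaffected' for a kernel release string.

    'unaffected' means the version lies outside the affected range entirely;
    'patched' means it is inside the range but at or past a known backport.
    This is a version heuristic only: distributions routinely ship the fix
    without bumping the upstream version, so a 'vulnerable' verdict should
    be confirmed against the distro's changelog rather than taken as proof.
    """
    v = parse_kernel_version(release)
    if not (AFFECTED_MIN <= v < AFFECTED_MAX):
        return "unaffected"
    fix_patch = BACKPORT_FIXES.get(v[:2])
    if fix_patch is not None and v[2] >= fix_patch:
        return "patched"
    return "vulnerable"


def triage(releases):
    """Classify several releases at once; handy for fleet inventories."""
    return {r: classify(r) for r in releases}


if __name__ == "__main__":
    # Constructed sample inventory; the first entry mirrors the Debian
    # 6.12.86 host mentioned in the commit message.
    for release, verdict in triage([
        "6.12.86-1-amd64",
        "5.15.109-generic",
        "5.15.110-generic",
        "6.1.27-1-amd64",
        "6.2.12",
        "5.10.0-23-amd64",
        "6.3.0",
    ]).items():
        print(f"{release:24} {verdict}")
```

Because step 1 of the chain needs an unprivileged user namespace (the commit notes that detect refuses when userns is denied), hosts that disable unprivileged user namespaces (for example `user.max_user_namespaces=0`) are not reachable by this path even when the version check says "vulnerable"; the script deliberately reports only the kernel side of that picture.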
13 lines
262 B
C
/*
 * overlayfs_setuid_cve_2023_0386 — IAMROOT module registry hook
 *
 * Declares the module descriptor so the core registry can link it in;
 * the descriptor itself is defined in the module's source file.
 */

#ifndef OVERLAYFS_SETUID_IAMROOT_MODULES_H
#define OVERLAYFS_SETUID_IAMROOT_MODULES_H

#include "../../core/module.h"

/* Module descriptor for the overlayfs setuid copy-up module. */
extern const struct iamroot_module overlayfs_setuid_module;

#endif