Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2015-06-20 InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Overlayfs flaw in Ubuntu

Published: 2015-06-20
Last Updated: 2015-06-22 02:00:52 UTC
by Mark Hofman (Version: 1)
0 comment(s)

There was a vulnerability released earlier this week that has quite the potential to be a biggie. It is worth noting mainly because Ubuntu is quite prevalent and the propensity to patch systems is quite low, or at least slow. Ubuntu is also used as part of the underlying infrastructure for many a VPS provider. 

The issue was discovered by Philip Pettersson and the details can be found here --> http://seclists.org/oss-sec/2015/q2/717

What it boils down to is an issue in overlayfs and permissions checking.  
One use for overlayfs is to present a writable files system when the underlying file system is read only.  When a file needs to be writable it is copied from the lower directory (real file system) to the upper file system where it can be modified.  Philip worked out that the permission needed is that of the original file owner rather than the user triggering the copy_up.  

The POC shows a number of things that can be done using this vulnerability.  

The patch is out, so that should be the first choice. If you can't patch you may be able to blacklist the module on your system (modify /etc/modprobe.d/blacklist or /etc/modprobe.d/blacklist.conf) on your system.  

POC: https://www.exploit-db.com/exploits/37292/  and 37293

Mark H - Shearwater

Keywords:
0 comment(s)
Diary Archives