CVE-2021–3493 — OverlayFS — Privilege Escalation
Introduction
This vulnerability allows attackers with local access to escalate their privileges and gain root on the target system. It allows you to manipulate files within the OverlayFS filesystem with which you can modify system files and execute arbitrary code with elevated privileges or give yourself a root on the system.
CVE : CVE-2021–3493 (Critical)
Affected Versions
Ubuntu 20.10
Ubuntu 20.04 LTS
Ubuntu 19.04
Ubuntu 18.04 LTS
Ubuntu 16.04 LTS
Ubuntu 14.04 ESM
What is OverlayFS?
OverlayFS is a Linux kernel module that allows the system to combine several mount points into one so that you can access all the files from each within one directory structure.
Live USBs or some other specialist applications often use it. One use is having a read-only root file system, and another partition “overlayed” with that to allow applications to write to a temporary file system.
Simplified:
OverlayFS is basically like a transparent overlay that combines multiple folders into one. It allows you to see and access files from various folders as if they were all in one folder or the same place. Changes you make in the overlay do not affect any of the original folders underneath. It’s kind of like wearing glasses that show you a merged view of various folders without actually moving or changing them.
This exploit is fairly easy to understand and to perform. But its efficiency is brutal. It gives you almost an instant root.
Lab setup:
To set up the lab for this exploit you need to install one of the affected versions from above on your Virtual Machine.
You will also need gcc and git utilities for this exploit, you can install them with the following commands:
$ sudo apt install git
$ sudo apt install gcc
Now you should be ready to go and get that easy root!
Vulnerability Analysis
We will first explain this Vulnerability in more complex terms, then after we will use some simpler terms to analyze it so you can understand this exploit easier.
in this code, the setxattr function is used to set an extended file attribute on a file specified by the path parameter. The parameter name represents the name of the attribute and the value parameter holds the value or data associated with the attribute.
Within the function, the vulnerability happens due to the absence of proper permission checks when using the operation to the file system. The call to cap_conver_nscap is missing the necessary checks which allow arbitrary capabilities to be set on files in the outer namespace/mount.
Simplified explanation:
This is the pseudo-code used for easier understanding of this exploit.
If you did not understand the above explanation here is an explanation I generally use to explain this vulnerability to people:
Imagine if there is a lock on a box and only certain people with the right fingerprint can open it. Well now imagine this, in this case, the lock forgets to check if the person trying to open the box has the correct fingerprint. The result of this is that anyone can open the box even without the correct fingerprints. This vulnerability means unauthorized people can set these special attributes on files which leads to security issues and unauthorized access.
Exploit Analysis
https://github.com/briskets/CVE-2021-3493/blob/main/exploit.c
(I will show you how to use the exploit in the PoC section)
I will try to simplify the analysis of this exploit.
Basically, this code takes advantage of the vulnerability in Overa=layFS to gain unauthorized access and execute commands with elevated privileges.
I will analyze the important parts of the code of the exploit that you need to understand.
These are simple steps of how this exploit works:
Step 1: It creates the required directories. These directories server as the foundation for the exploit. The program makes sure that the directories are created and it sets the needed permissions for them.
Step 2: It isolates the program using namespaces. It basically creates a bubble around it, like putting the program in its own world. This helps keep things secure and prevents it from messing up stuff on the computer.
Step 3: Setting up specific permissions using setuid and setgid . It is basically giving the program temporary superpowers to perform privileged actions, that the user wouldn’t normally be allowed to.
Step 4: Mounting the OverlayFS filesystem. Think of it as creating a new virtual layer on top of an existing filesystem. This virtual layer combines multiple directories into a single unified view.
Step 5: Copying the executable to the merged directory. This copy is necessary because it will be modified to gain additional privileges.
Step 6: Setting the special attribute on the copied executable. This attribute grants the file additional capabilities and privileges. By setting up this attribute the program makes sure that when the executable is executed it will have the elevated permissions.
Step 7: Executing a shell with elevated privileges. This means that the shell is running with higher permissions. The program gains full control over the system.
I hope you understood these important parts of the exploit. I tried to simplify the steps so you can understand it without knowing the C language.
PoC
To use the exploit you will first need to download it using git:
$ git clone https://github.com/briskets/CVE-2021-3493/tree/main
Then enter into the directory:
$ cd CVE-2021-3943
After that use gcc to compile the C code into an executable one:
gcc exploit.c -o exploit
And then, use the exploit! yeah simple as that!
$ ./exploit
Then you should be prompted a root shell!
Use command $ whoami to check if you are root.
In the example below I have used Ubuntu 18.04 LTS (You can install any of the Affected Versions)
Patch Diffing
This is the patched source code commit https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7c03e2cda4a584cadc398e8f6641ca9988a39d52 .
In the original version there is this piece of code that would cause the OverlayFS vulnerability. This patch fixed this by adding a check before performing a certain operation. Now, the code only performs the operation if the name of the attribute is “XATTR_NAME_CAPS” and the size is not zero.
The main change was they moved cap_conver_nscap permission check to vfs_setxattr from setxattr .
The safety check added in the patch is a conditional statement that verifies two conditions before performing a critical operation.
The code checks for two conditions simultaneously.
size && strcmp(name, XATTR_NAME_CAPS) == 0
size refers to the size of the attribute
strcpm(name, XATTR_NAME_CAPS) == 0 checks if the name of the attribute is equal to XATTR_NAME_CAPS using a string comparison.
XATTR_NAME_CAPS is used to indicate a specific type of extended attribute related to capabilities or permissions.
If both conditions are true, the code proceeds to the next step which is the critical operation.
By validating these conditions, the patch prevents any potential vulnerabilities that could arise from malicious inputs or incorrect attribute handling.
Mitigation and Counter measures
Ensure your Linux Kernel is updated to a version where the vulnerability has been patched. Check for security updates all the time and apply them.
sudo apt update
sudo apt upgrade
these commands will apply the newest patches available for your system.
Use a security enhanced kernel such as SELinux or AppArmor which provide additional access control and mechanisms.
For SELinux:
sudo apt install selinux-basics selinux-policy-default
sudo selinux-activate
For AppArmor:
sudo apt install apparmor apparmor-utils
sudo aa-enforce /etc/apparmor.d/*
You should also disable setuid/setgid permissions if they are not required by your system. This prevents privilege elevation though those binaries
sudo chmod u-s <path-to-binary>
sudo chmod g-c <path-to-binary>
Replace <path-to-binary> with the path to the binary you wan to remove the permissions from.
Apply Principle of Least Privilege (POLP)
- Avoid running apps with root privileges whenever it is possible.
- Use separate user accounts for different services or applications
- Restrict file permissions to make sure that only necessary users or groups have access to those sensitive files
These are just some of the most basic steps to protecting your system from this vulnerability and others. Remember that implementing a layered defense approach and adopting a proactive security mindset is crucial in mitigating and reducing the risks of exploitation.
Conclusion
In this blog post we explored a critical vulnerability and its exploit. In vulnerability analysis, we saw the significance of identifying weaknesses that can be exploited. It delved into technical details where we explained the flaw and its consequences. By analyzing the exploit code we provided insights on how the vulnerability could be used to elevate privileges and gain unauthorized access.
