Skip to content

How To Add Exploit (CVE-2023-0386 OverlayFS) #99

Description

@IppSec

I was hoping to add the somewhat recent OverlayFS Bug, but am having trouble getting this working as I would expect. I think the root of the problem could just be this script doesn't do a great job with Ubuntu's crazy kernel scheme of putting the minor version after a dash.

I added the following:

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2023-0386]${txtrst} OverlayFS FuseFS SetUID Copy
Reqs: pkg=linux-kernel,ver<5.15.70
Tags: ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*}
Rank: 1
analysis-url: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
src-url: https://github.com/xkaneiki/CVE-2023-0386
Comments: 
author: vulnerability discovery: Red Hat
EOF
)

But when I run it on my updated VM, it still says highly probable. That being said a lot of other kernel checks say its vulnerable.

uname output:

Linux ubuntu 5.15.0-73-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

LES Output:

Available information:

Kernel version: 5.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

82 kernel space exploits
49 user space exploits

Possible Exploits:

[+] [CVE-2023-0386] OverlayFS FuseFS SetUID Copy

   Details: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
   Exposure: highly probable
   Tags: [ ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*} ]
   Download URL: https://github.com/xkaneiki/CVE-2023-0386

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: [ ubuntu=(20.04|21.04) ],debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

...

If I change the tag so it is not Ubuntu 20.04, the exploit moves from highly probable to less probable. Am I doing it correctly? I figured the

ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*}

Would not match my uname of 5.15.0-73-generic.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions