Nikon Asia and its corporate websites and external third-party partners use cookies to improve our website and enhance your user experience. We use analytic cookies and marketing cookies to learn from user information, personalise advertisements and measure their effectiveness. These cookies track information such as how users navigate and use our website, users' analytics, and data on users' purchases. By clicking on "Accept Cookies" or continuing to browse without changing your settings, you agree and consent to the use of cookies by this website. For more information, please view our Privacy Policy
Linux 3.13.0-32-generic Exploit -
char opts[256]; snprintf(opts, sizeof(opts), "lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work); mount("overlay", merged, "overlayfs", 0, opts); Now, inside /tmp/merged , the file file appears. If you edit it, the changes actually go to /tmp/upper/file . This is where the exploit deviates from normal behavior. The attacker creates a second thread. Thread A tries to rename the file from the overlay to a protected location (e.g., /etc/cron.d/exploit ). Thread B constantly churns the filesystem by creating and deleting files in the upper directory.
The bug resided in the overlayfs implementation regarding the rename operation. Specifically, when renaming a file across directories on an overlayfs mount, the kernel failed to properly check permissions on the upper directory. A local attacker could exploit this race condition to rename a file from a world-writable location to a protected location (like /etc/passwd or /etc/sudoers ). In a normal filesystem, renaming a file requires write permissions on the source and target directories. However, in the buggy overlayfs code, the kernel performed the rename operation using the lower filesystem's credentials (which are privileged) instead of the calling user's credentials. linux 3.13.0-32-generic exploit
owen:$6$salt$hash:0:0:root:/root:/bin/bash After a successful exploit, the attacker runs su owen (no password needed depending on the crafted hash) and becomes root. Disclaimer: Only run this on systems you own or have explicit written permission to test. The attacker creates a second thread
# Compile the exploit gcc overlayfs.c -o exploit -lpthread id uid=1001(bob) gid=1001(bob) groups=1001(bob) The bug resided in the overlayfs implementation regarding
// Create a file we own int fd = open("lower/file", O_CREAT | O_RDWR, 0777); write(fd, "AAAA", 4); close(fd); This is the magic trick. The exploit mounts an overlay filesystem where lower is read-only (where the target file lives) and upper is writable (where changes go).
