[New Rule] Potential Privilege Escalation via OverlayFS #2974

Aegrah · 2023-07-28T13:39:33Z

Summary

Identifies an attempt to exploit a local privilege escalation (CVE-2023-2640 and CVE-2023-32629) via a flaw in Ubuntu's modifications to OverlayFS. These flaws allow the creation of specialized executables, which, upon execution, grant the ability to escalate privileges to root on the affected machine.

Detection

sequence by process.parent.entity_id, host.id with maxspan=1s
[ process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and 
  process.name == "unshare" and process.args : ("-r", "-rm", "m") and process.args : "*cap_setuid*" ]
[ process  where host.os.type == "linux" and event.action == "uid_change" and event.type == "change" and 
  user.name == "root" ]

This reverts commit f3262d1.

DefSecSentinel

LGTM

rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <[email protected]>

rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <[email protected]>

rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Co-authored-by: Justin Ibarra <[email protected]>

rules/linux/privilege_escalation_overlayfs_local_privesc.toml

brokensound77

How did you test this? Specific POC?

rules/linux/privilege_escalation_overlayfs_local_privesc.toml

Aegrah · 2023-07-28T14:39:57Z

@brokensound77 Testing was done through PoC available at https://twitter.com/liadeliyahu/status/1684841527959273472, and manually analysis by looking at their blog https://www.wiz.io/blog/ubuntu-overlayfs-vulnerability. I know this rule is slightly too specific, and might be easy bypassable, but for now this is the only POC available so therefore I wrote logic to detect it as-is.

rules/linux/privilege_escalation_overlayfs_local_privesc.toml

* [New Rule] Privilege Escalation via OverlayFS * Layout change * Revert "[New Rule] Privilege Escalation via OverlayFS" This reverts commit f3262d1. * Made rule broader * Update privilege_escalation_overlayfs_local_privesc.toml * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <[email protected]> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <[email protected]> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <[email protected]> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml Co-authored-by: Justin Ibarra <[email protected]> * Update rules/linux/privilege_escalation_overlayfs_local_privesc.toml * Update user.id to strings --------- Co-authored-by: Justin Ibarra <[email protected]> (cherry picked from commit b8bb2da)

Aegrah added 2 commits July 28, 2023 15:37

[New Rule] Privilege Escalation via OverlayFS

f3262d1

Layout change

a6a5251

Aegrah added OS: Linux Rule: New Proposal for new rule Domain: Endpoint backport: auto labels Jul 28, 2023

Aegrah requested review from w0rk3r, shashank-elastic and eric-forte-elastic July 28, 2023 13:39

Aegrah self-assigned this Jul 28, 2023

Aegrah changed the title ~~New rule CVE 2023 32629 and 2640~~ [New Rule] Potential Privilege Escalation via OverlayFS Jul 28, 2023

Aegrah added 2 commits July 28, 2023 15:40

Revert "[New Rule] Privilege Escalation via OverlayFS"

580f59d

This reverts commit f3262d1.

Made rule broader

b314d8b

DefSecSentinel approved these changes Jul 28, 2023

View reviewed changes

Update privilege_escalation_overlayfs_local_privesc.toml

1006634

brokensound77 reviewed Jul 28, 2023

View reviewed changes