Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Overlayfs flaw in Ubuntu SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Overlayfs flaw in Ubuntu

There was a vulnerability released earlier this week that has quite the potential to be a biggie. It is worth noting mainly because Ubuntu is quite prevalent and the propensity to patch systems is quite low, or at least slow. Ubuntu is also used as part of the underlying infrastructure for many a VPS provider. 

The issue was discovered by Philip Pettersson and the details can be found here --> http://seclists.org/oss-sec/2015/q2/717

What it boils down to is an issue in overlayfs and permissions checking.  
One use for overlayfs is to present a writable files system when the underlying file system is read only.  When a file needs to be writable it is copied from the lower directory (real file system) to the upper file system where it can be modified.  Philip worked out that the permission needed is that of the original file owner rather than the user triggering the copy_up.  

The POC shows a number of things that can be done using this vulnerability.  

The patch is out, so that should be the first choice. If you can't patch you may be able to blocklist the module on your system (modify /etc/modprobe.d/blocklist or /etc/modprobe.d/blocklist.conf) on your system.  

POC: https://www.exploit-db.com/exploits/37292/  and 37293

Mark H - Shearwater

Mark

391 Posts
ISC Handler
Jun 22nd 2015

Sign Up for Free or Log In to start participating in the conversation!