Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: Overlayfs flaw in Ubuntu - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Overlayfs flaw in Ubuntu

There was a vulnerability released earlier this week that has quite the potential to be a biggie. It is worth noting mainly because Ubuntu is quite prevalent and the propensity to patch systems is quite low, or at least slow. Ubuntu is also used as part of the underlying infrastructure for many a VPS provider. 

The issue was discovered by Philip Pettersson and the details can be found here --> http://seclists.org/oss-sec/2015/q2/717

What it boils down to is an issue in overlayfs and permissions checking.  
One use for overlayfs is to present a writable files system when the underlying file system is read only.  When a file needs to be writable it is copied from the lower directory (real file system) to the upper file system where it can be modified.  Philip worked out that the permission needed is that of the original file owner rather than the user triggering the copy_up.  

The POC shows a number of things that can be done using this vulnerability.  

The patch is out, so that should be the first choice. If you can't patch you may be able to blacklist the module on your system (modify /etc/modprobe.d/blacklist or /etc/modprobe.d/blacklist.conf) on your system.  

POC: https://www.exploit-db.com/exploits/37292/  and 37293

Mark H - Shearwater

Mark

391 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!