module

GameOver(lay) Privilege Escalation and Container Escape

Disclosed
2023-07-26
Created
2024-12-19

Description

This module exploits the use of unsafe functions in a number of Ubuntu kernels
utilizing vulnerable versions of overlayfs. To mitigate CVE-2021-3493, the Linux
kernel added a call to vfs_setxattr during ovl_do_setxattr. Due to independent
changes to the kernel by the Ubuntu development team, __vfs_setxattr_noperm is
called during ovl_do_setxattr without calling the intermediate safety function
vfs_setxattr. Ultimately, this module allows root access to be achieved by
writing setuid capabilities to a file; those capabilities are not sanitized after
being unioned with the upper mounted directory.
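
A defender-side check for the artifact the description points to, as an added example that is not part of the module or the original page: it decodes the security.capability extended attribute and reports files whose permitted set includes CAP_SETUID. The function names and the constructed SAMPLE value are assumptions for illustration; the constants and layout follow linux/capability.h.

```python
import os
import struct

# Constants from linux/capability.h
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
REV_1, REV_2, REV_3 = 0x01000000, 0x02000000, 0x03000000
CAP_SETUID = 7  # bit index in the permitted set

def parse_vfs_cap(blob):
    """Decode a security.capability xattr value; raise ValueError if malformed."""
    if len(blob) < 4:
        raise ValueError("truncated xattr")
    (magic,) = struct.unpack_from("<I", blob, 0)
    rev = magic & VFS_CAP_REVISION_MASK
    words = {REV_1: 1, REV_2: 2, REV_3: 2}.get(rev)
    if words is None:
        raise ValueError("unknown revision 0x%08x" % rev)
    # v3 (namespaced) appends a 32-bit rootid after the capability words
    if len(blob) != 4 + 8 * words + (4 if rev == REV_3 else 0):
        raise ValueError("length does not match revision")
    fields = struct.unpack_from("<" + "II" * words, blob, 4)
    rootid = struct.unpack_from("<I", blob, 4 + 8 * words)[0] if rev == REV_3 else None
    return {
        "revision": rev >> 24,
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
        "permitted": sum(fields[2 * i] << (32 * i) for i in range(words)),
        "inheritable": sum(fields[2 * i + 1] << (32 * i) for i in range(words)),
        "rootid": rootid,
    }

def grants_setuid(blob):
    """True if the xattr's permitted set contains CAP_SETUID."""
    return bool((parse_vfs_cap(blob)["permitted"] >> CAP_SETUID) & 1)

def scan(root):
    """Yield paths under root whose file capabilities permit CAP_SETUID (Linux only)."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
                if grants_setuid(blob):
                    yield path
            except (OSError, ValueError):
                continue  # no capability xattr, unreadable, or malformed

# Constructed sample: the v2 value stored for cap_setuid with e, i and p set
SAMPLE = struct.pack("<5I", REV_2 | VFS_CAP_FLAGS_EFFECTIVE, 1 << CAP_SETUID, 1 << CAP_SETUID, 0, 0)
```

Hits from scan() are candidates for review against the capabilities the distribution's packages are expected to ship, not proof of compromise.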

Authors

g1vi
h00die
bwatters-r7
gardnerapp

Platform

Linux, Unix

Module Options

To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:


msf > use exploit/linux/local/gameoverlay_privesc
msf exploit(gameoverlay_privesc) > show targets
...targets...
msf exploit(gameoverlay_privesc) > set TARGET <target-id>
msf exploit(gameoverlay_privesc) > show options
...show and set options...
msf exploit(gameoverlay_privesc) > exploit
