CVE-2015-1328 Local escalation of privileges vulnerability in Ubuntu

A local escalation of privileges vulnerability in the Ubuntu Linux distribution has been disclosed. A local escalation of privileges vulnerability allows an attacker who has already accessed the victim host to escalate privileges to root by exploiting it. This is particularly sensitive in environments where multiple users access the same hosts and need to be isolated and separated in tasks and duties, as it allows an attacker to access other users' information and own the affected hosts. To execute the exploit, the attacker must first gain access to the box and be able to compile and execute the exploit. The attacker can also compile the exploit on a similar system and upload it to a directory with execute permissions.

This vulnerability is reported on the Canonical web site at http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html and was originally discovered by Philip Pettersson. It allows users to escalate privileges by using overlayfs inside user namespaces, because the overlayfs file system does not correctly check file permissions when creating new files in the upper file system directory. On kernels with CONFIG_USER_NS=y where overlayfs has the FS_USERNS_MOUNT flag, this can allow an attacker to use unprivileged processes to mount overlayfs inside unprivileged mount namespaces. Affected systems include Ubuntu 12.04, 14.04, 14.10, and 15.04.

Proof of concept

There are already proof of concept implementations of this exploit on the Internet. Below is a screenshot of the exploit executed in a brand new, unpatched Ubuntu 15.04 system.

Figure 1. Local root escalation of privileges exploit proof of concept on Ubuntu 15.04

Mitigation

Even though this vulnerability requires prior access by the attacker, due to the popularity and widespread distribution of the affected Ubuntu versions, it is imperative to apply updates to the affected systems as soon as possible. Below is a Canonical mitigation advisory link for updating affected systems: http://www.ubuntu.com/usn/usn-2640-2/.
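
To decide which hosts to look at first, the preconditions described above can be triaged on the host itself. The script below is an added example, not code from the original post or from Canonical: it reads the release from /etc/lsb-release, CONFIG_USER_NS from the kernel build config, and the registered filesystems from /proc/filesystems. The function names and verdict strings are assumptions of this example, and it does not tell whether the USN-2640 kernel update is already installed.

```shell
#!/bin/sh
# Added example (not from the original post): triage of the preconditions
# this post names for CVE-2015-1328. Paths are parameters so the logic can
# also be run against files copied from another host.

AFFECTED_RELEASES="12.04 14.04 14.10 15.04"   # release list from the post

# True when the lsb-release file describes one of the listed Ubuntu releases.
release_affected() {
    grep -q '^DISTRIB_ID=Ubuntu$' "$1" 2>/dev/null || return 1
    rel=$(sed -n 's/^DISTRIB_RELEASE=//p' "$1" | tr -d '"')
    for r in $AFFECTED_RELEASES; do
        [ "$rel" = "$r" ] && return 0
    done
    return 1
}

# True when the kernel build config enables user namespaces.
userns_enabled() {
    grep -q '^CONFIG_USER_NS=y$' "$1" 2>/dev/null
}

# True when overlayfs is registered with the running kernel. Depending on the
# kernel the type is named "overlayfs" or "overlay". A module that is not
# loaded yet is not listed, so "absent" is weaker evidence than "present".
overlayfs_registered() {
    grep -Eq '[[:space:]]overlay(fs)?$' "$1" 2>/dev/null
}

# Print one verdict (hypothetical labels) for: lsb-release, kernel config,
# and /proc/filesystems style input.
assess() {
    if ! release_affected "$1"; then
        echo "release-not-listed"
    elif ! userns_enabled "$2"; then
        echo "userns-disabled"
    elif overlayfs_registered "$3"; then
        echo "preconditions-present"
    else
        echo "overlayfs-not-registered"
    fi
}

# Live run against this host. Patch level is not checked here; compare the
# installed kernel package with the USN-2640 advisory separately.
assess /etc/lsb-release "/boot/config-$(uname -r)" /proc/filesystems
```

A verdict of preconditions-present means the host should be compared against the advisory and updated first; the other verdicts lower priority but do not prove a host is safe.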

Detection

This exploit can be executed by a known and trusted user, which makes it more difficult to detect and prevent; however, there are indicators that, if monitored well, can provide information about possible attempts to exploit or actual exploitation.

- System crashes
- Access and use of affected kernel processes
- Access to directories and files/executables otherwise prohibited to the known user
- Execution of commands only allowed to the root account
- Shell processes executed by the root account
- Change of permissions and installation of binaries during a user session involving the use of root privileges
- Modifications in host integrity checks (if applicable)

Posted by

Splunk