owen:$6$salt$hash:0:0:root:/root:/bin/bash After a successful exploit, the attacker runs su owen (no password needed depending on the crafted hash) and becomes root. Disclaimer: Only run this on systems you own or have explicit written permission to test.
In this post, we will analyze the most famous exploit targeting this kernel: (aka "Overlayfs"). The Target: Ubuntu 14.04.5 LTS - Kernel 3.13.0-32-generic First, let's identify the target. An attacker who gains low-privileged access (e.g., www-data via a webshell, or a standard user) will run: linux 3.13.0-32-generic exploit
Posted by: Security Research Team Date: October 26, 2023 (Updated) Difficulty: Advanced Introduction If you have been in the cybersecurity space for a while, you have likely stumbled upon a vulnerability report or an exploit script mentioning a specific kernel string: linux 3.13.0-32-generic . The Target: Ubuntu 14
This particular kernel version is iconic for a specific reason: it is the default generic kernel for (released April 2014). While ancient today, this kernel represents a golden era for privilege escalation (Local Privilege Escalation - LPE) research. For penetration testers and red teamers, finding this kernel on a target in 2024 is a "sure win." For blue teams, understanding why it is vulnerable is a masterclass in kernel security. While ancient today, this kernel represents a golden
uname -a Linux target 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux cat /etc/issue Ubuntu 14.04.5 LTS \n \l
This output tells the attacker that the system has against a family of race condition bugs in the Overlay Filesystem. The Vulnerability: CVE-2015-1328 (Overlayfs) The 3.13.0 kernel introduced Overlayfs as a union filesystem. It allows one directory (lower) to be overlaid on top of another (upper) to create a merged view. Docker uses similar concepts.
char opts[256]; snprintf(opts, sizeof(opts), "lowerdir=%s,upperdir=%s,workdir=%s", lower, upper, work); mount("overlay", merged, "overlayfs", 0, opts); Now, inside /tmp/merged , the file file appears. If you edit it, the changes actually go to /tmp/upper/file . This is where the exploit deviates from normal behavior. The attacker creates a second thread. Thread A tries to rename the file from the overlay to a protected location (e.g., /etc/cron.d/exploit ). Thread B constantly churns the filesystem by creating and deleting files in the upper directory.