CVE-2015-1328
published 2016-11-28


Priority: P1 · 79 · high
CVSS 3.0: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ITW exploit · VulnCheck KEV
Exploited in the wild
EPSS: 37.68% (98.3rd percentile)
The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.

Affected (6 ranges)

Vendor      Product        Version range              Fixed in
canonical   ubuntu_linux   <= 15.04
debian      linux
linux       linux_kernel   <= 3.19
linux       linux_kernel   >= 0 < 3.13.0-55.94        3.13.0-55.94
linux       linux_kernel   >= 0 < 3.13.0-55.92        3.13.0-55.92
ubuntu      linux

Detection & IOCs (extracted from sources)

path: /tmp/ns_sploit
path: /tmp/ofs-lib.c
path: /tmp/ofs-lib.so
path: /tmp/ns_sploit/work
path: /tmp/ns_sploit/upper
path: /tmp/ns_sploit/o
command: mount overlay /tmp/ns_sploit/o overlayfs lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper
command: mount overlay /tmp/ns_sploit/o overlay lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work
command: mount overlay /tmp/ns_sploit/o overlayfs lowerdir=/tmp/ns_sploit/upper,upperdir=/etc
command: gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w
  • Detect creation of the /tmp/ns_sploit directory tree (ns_sploit, ns_sploit/work, ns_sploit/upper, ns_sploit/o) as a strong indicator of a CVE-2015-1328 exploitation attempt.
  • Detect the /tmp/ofs-lib.so path string being written into /etc/ld.so.preload: the exploit writes exactly the string '/tmp/ofs-lib.so\n' (16 bytes) to ld.so.preload.
  • Monitor for overlayfs/overlay mounts with upperdir=/etc by unprivileged users; this is the second-stage mount used to write into /etc.
  • Detect the presence of the hardcoded Metasploit pre-compiled payload path /tmp/lXqzVpYN or /tmp/haxhax on disk, indicating use of the Metasploit overlayfs_priv_esc module.
  • Monitor for on-the-fly compilation of exploit C source dropped into /tmp (e.g. ofs-lib.c) followed immediately by a gcc invocation with the -fPIC -shared flags from a non-build context.
  • Kernel version fingerprinting: flag systems running Ubuntu kernels 3.13.0-24 through 3.13.0-54, 3.16.0-25 through 3.16.0-40, or 3.19.0-18 through 3.19.0-20 as vulnerable to CVE-2015-1328.
  • The exploit requires overlayfs to be permitted in an arbitrary (unprivileged) mount namespace; this is an Ubuntu-specific kernel configuration not present in all Linux distributions.
  • The workdir= mount option and the 'overlay' filesystem type name (vs 'overlayfs') are only required on newer kernels; older kernels use 'overlayfs' without workdir.
  • The Metasploit module defaults to CVE-2015-8660 (DefaultTarget => 1) and uses the linux/x86/shell/reverse_tcp payload by default for compatibility, because CVE-2015-1328 requires executing /bin/su.
  • The exploit's post-exploitation cleanup (removing /etc/ld.so.preload and /tmp/ofs-lib.so) is triggered inside the new session via /bin/su execution, which does not work on meterpreter sessions.
  • The WritableDir must not be mounted noexec; the default is /tmp, but the exploit will fail if /tmp is mounted with noexec.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.8     HIGH       CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv                       7.8     HIGH
vulncheck                 7.8     HIGH
vendor_debian             7.8     LOW
vendor_redhat             7.8     HIGH
vendor_ubuntu             7.8     HIGH