CVE-2015-8660
Published: 2015-12-28
Priority: P349 · medium · CVSS 3.1 score 6.7
Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT: public exploit available (see the Exploit-DB and Metasploit entries below)
EPSS: 22.37% (97.4th percentile)
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.3.3-3 (bookworm) | linux 4.3.3-3 (bookworm) |
| linux | linux_kernel | >= 0 < 4.3.3-3 | 4.3.3-3 |
| linux | linux_kernel | >= 0 < 4.3.3-3 | 4.3.3-3 |
| linux | linux_kernel | >= 0 < 4.3.3-3 | 4.3.3-3 |
| linux | linux_kernel | >= 0 < 4.3.3-3 | 4.3.3-3 |
| linux | linux_kernel | >= 3.18 < 3.18.31 | 3.18.31 |
| linux | linux_kernel | >= 3.19 < 4.1.22 | 4.1.22 |
| linux | linux_kernel | >= 4.2 < 4.4 | 4.4 |
Detection & IOCs (extracted from sources)
Command: mount overlay /tmp/haxhax/o overlay MS_MGC_VAL lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w
- Look for creation of the directory /tmp/haxhax with subdirectories w, u, o, a hallmark of the CVE-2015-8660 exploit (EDB-39166). Auditd or inotify rules on /tmp directory creation can surface this.
- Alert on st_mode == 0x89ed (setuid bash, mode 04755) appearing in /tmp/haxhax/u/; the exploit checks this exact value to confirm successful privilege escalation.
- Monitor for writes to /proc/<pid>/uid_map and /proc/<pid>/gid_map combined with overlayfs mount activity from unprivileged users, as used by the EDB-39230 variant.
- Detect the Metasploit pre-compiled payload artifact at the hardcoded path /tmp/1H0qLaq2 (CVE-2015-8660 pre-compiled binary drop) or /tmp/lXqzVpYN (CVE-2015-1328 variant).
- Flag execution of binaries named '8660' or '1328' dropped under a writable directory (default /tmp), compiled or pre-compiled, as part of the Metasploit overlayfs module exploitation chain.
- Vulnerable kernel version ranges for targeted detection: Ubuntu 3.19.0-18 through 3.19.0-42 and 4.2.0-18 through 4.2.0-22; Fedora kernels before 4.2.8; Red Hat kernels before 3.10.0-327.
- The Metasploit module defaults to the CVE-2015-8660 target (DefaultTarget => 1) and uses linux/x86/shell/reverse_tcp as the default payload for compatibility; defenders should account for both x86 and x86_64 payload variants.
- The exploit requires the target directory (default /tmp) not to be mounted noexec; environments with noexec on /tmp will block the compiled or dropped binary from executing.
- The EDB-39166 exploit only works on kernels before 2015-12-26 (the patch date); systems updated after that date are not vulnerable.
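The indicators above can be turned into a small offline check. The following is an added example written for this page, not code from any of the sources it cites: it scans a constructed, simplified key=value event stream (not real auditd output, so the parse_event() function is an assumption to adapt to your collector) for the artifacts listed, correlates uid_map/gid_map writes with an earlier unprivileged overlay mount by the same pid, and checks a kernel version string against the distro ranges given above.

```python
"""Added example: offline IoC check for the CVE-2015-8660 artifacts listed above.

The log lines below are constructed and simplified (key=value events), not real
auditd records; parse_event() is an assumption to replace with your own parser.
"""
import os
import re

# Artifacts named in the detection notes on this page
EXPLOIT_WORKDIR = "/tmp/haxhax"                       # EDB-39166 working tree (u, w, o)
MSF_DROP_PATHS = ("/tmp/1H0qLaq2", "/tmp/lXqzVpYN")   # Metasploit pre-compiled payload paths
MSF_BINARY_NAMES = ("8660", "1328")                   # Metasploit compiled-binary names
SETUID_BASH_MODE = 0o104755                           # st_mode 0x89ed: regular file, mode 04755

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample events: one exploit-like sequence, one benign root overlay mount, one normal execve
SAMPLE_LOG = [
    'pid=4242 uid=1001 syscall=mkdir path=/tmp/haxhax',
    'pid=4242 uid=1001 syscall=mkdir path=/tmp/haxhax/u',
    'pid=4242 uid=1001 syscall=mount fstype=overlay opts="lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w"',
    'pid=4242 uid=1001 syscall=write path=/proc/4242/uid_map',
    'pid=4242 uid=1001 syscall=chmod path=/tmp/haxhax/u/bash mode=0104755',
    'pid=4243 uid=1001 syscall=execve path=/tmp/8660',
    'pid=900 uid=0 syscall=mount fstype=overlay opts="lowerdir=/var/lib/docker/l,upperdir=/var/lib/docker/u,workdir=/var/lib/docker/w"',
    'pid=901 uid=1000 syscall=execve path=/usr/bin/vim',
]


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value key="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def scan_events(lines):
    """Return (pid, reason) alerts for events matching the CVE-2015-8660 indicators.

    The uid_map/gid_map rule is stateful: it fires only for a pid that earlier
    mounted an overlay filesystem as a non-root user (the EDB-39230 pattern).
    """
    alerts = []
    overlay_mounters = set()
    for line in lines:
        ev = parse_event(line)
        pid = ev.get("pid", "?")
        uid = int(ev.get("uid", "0"))
        call = ev.get("syscall")
        path = ev.get("path", "")

        if call == "mount" and ev.get("fstype") == "overlay" and uid != 0:
            overlay_mounters.add(pid)
            if "upperdir=/tmp/" in ev.get("opts", ""):
                alerts.append((pid, "unprivileged overlay mount with upperdir under /tmp"))

        if call == "mkdir" and (path == EXPLOIT_WORKDIR or path.startswith(EXPLOIT_WORKDIR + "/")):
            alerts.append((pid, f"exploit working directory created: {path}"))

        if call == "write" and re.fullmatch(r"/proc/\d+/[ug]id_map", path) and pid in overlay_mounters:
            alerts.append((pid, f"{os.path.basename(path)} written by overlay-mounting process"))

        if call == "execve" and (
            path in MSF_DROP_PATHS
            or (path.startswith("/tmp/") and os.path.basename(path) in MSF_BINARY_NAMES)
        ):
            alerts.append((pid, f"Metasploit overlayfs payload executed: {path}"))

        # mode is taken as octal, the way audit records print it
        if (call == "chmod" and path.startswith(EXPLOIT_WORKDIR + "/u/")
                and int(ev.get("mode", "0"), 8) == SETUID_BASH_MODE):
            alerts.append((pid, f"setuid binary in overlay upperdir: {path}"))
    return alerts


def parse_kernel(version: str):
    """'3.19.0-42-generic' -> (3, 19, 0, 42); '4.2.8-200.fc22' -> (4, 2, 8, 200)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised kernel version: {version}")
    major, minor, patch, build = m.groups()
    return (int(major), int(minor), int(patch), int(build or 0))


def kernel_vulnerable(distro: str, version: str) -> bool:
    """Ranges exactly as given in the detection notes above (Ubuntu, Fedora, Red Hat only)."""
    v = parse_kernel(version)
    if distro == "ubuntu":
        return (3, 19, 0, 18) <= v <= (3, 19, 0, 42) or (4, 2, 0, 18) <= v <= (4, 2, 0, 22)
    if distro == "fedora":
        return v[:3] < (4, 2, 8)
    if distro == "redhat":
        return v < (3, 10, 0, 327)
    raise ValueError(f"no range data for distro: {distro}")


if __name__ == "__main__":
    for pid, reason in scan_events(SAMPLE_LOG):
        print(f"[pid {pid}] {reason}")
    print("3.19.0-42-generic vulnerable:", kernel_vulnerable("ubuntu", "3.19.0-42-generic"))
```

The root-owned Docker-style overlay mount in the sample produces no alert, which is the point of keying the mount rule on uid and on an upperdir under /tmp: overlay mounts by themselves are routine on container hosts, and the page's indicators are specific to an unprivileged user staging a tree under /tmp.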
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 6.7 | MEDIUM | |
| vendor_debian | | 6.7 | MEDIUM | |
| vendor_redhat | | 6.7 | MEDIUM | |
Ubuntu
Linux kernel (Wily HWE) vulnerability
vendor_ubuntu·2016-01-05
CVE-2015-8660 Linux kernel (Wily HWE) vulnerability
Title: Linux kernel (Wily HWE) vulnerability
Summary: The system could be made to run programs as an administrator.
Nathan Williams discovered that overlayfs in the Linux kernel incorrectly
handled setattr operations. A local unprivileged attacker could use this to
create files with administrative permission attributes and execute
arbitrary code with elevated privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-R
Ubuntu
Linux kernel (Raspberry Pi 2) vulnerability
vendor_ubuntu·2016-01-05
CVE-2015-8660 Linux kernel (Raspberry Pi 2) vulnerability
Title: Linux kernel (Raspberry Pi 2) vulnerability
Summary: The system could be made to run programs as an administrator.
Nathan Williams discovered that overlayfs in the Linux kernel incorrectly
handled setattr operations. A local unprivileged attacker could use this to
create files with administrative permission attributes and execute
arbitrary code with elevated privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic
Ubuntu
Linux kernel (Vivid HWE) vulnerability
vendor_ubuntu·2016-01-05
CVE-2015-8660 Linux kernel (Vivid HWE) vulnerability
Title: Linux kernel (Vivid HWE) vulnerability
Summary: The system could be made to run programs as an administrator.
Nathan Williams discovered that overlayfs in the Linux kernel incorrectly
handled setattr operations. A local unprivileged attacker could use this to
create files with administrative permission attributes and execute
arbitrary code with elevated privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-
Ubuntu
Linux kernel vulnerability
vendor_ubuntu·2016-01-05
CVE-2015-8660 Linux kernel vulnerability
Title: Linux kernel vulnerability
Summary: The system could be made to run programs as an administrator.
Nathan Williams discovered that overlayfs in the Linux kernel incorrectly
handled setattr operations. A local unprivileged attacker could use this to
create files with administrative permission attributes and execute
arbitrary code with elevated privileges.
Instructions: After a standard system update you need to reboot your computer to make
all the necessary changes.
ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, lin
Red Hat
kernel: Permission bypass on overlayfs during copy_up
vendor_redhat·2015-12-04·CVSS 6.7
CVE-2015-8660 [MEDIUM] CWE-732 kernel: Permission bypass on overlayfs during copy_up
kernel: Permission bypass on overlayfs during copy_up
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
Statement: This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6 as the code with the flaw is not present in the products listed.
Debian
CVE-2015-8660: linux - The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3...
vendor_debian·2015·CVSS 6.7
CVE-2015-8660 [MEDIUM] CVE-2015-8660: linux - The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3...
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
Scope: local
bookworm: resolved (fixed in 4.3.3-3)
bullseye: resolved (fixed in 4.3.3-3)
forky: resolved (fixed in 4.3.3-3)
sid: resolved (fixed in 4.3.3-3)
trixie: resolved (fixed in 4.3.3-3)
GHSA
GHSA-2m7p-qcqr-gfv2: The ovl_setattr function in fs/overlayfs/inode
ghsa_unreviewed·2022-05-17
CVE-2015-8660 [HIGH] GHSA-2m7p-qcqr-gfv2: The ovl_setattr function in fs/overlayfs/inode
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
OSV
CVE-2015-8660: The ovl_setattr function in fs/overlayfs/inode
osv·2015-12-28·CVSS 6.7
CVE-2015-8660 [MEDIUM] CVE-2015-8660: The ovl_setattr function in fs/overlayfs/inode
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.
No detection rules found.
Exploit-DB
Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit)
exploitdb·2016-11-02·CVSS 7.8
CVE-2015-1328 [HIGH] Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit)
Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule 'Overlayfs Privilege Escalation',
'Description' => %q{
This module attempts to exploit two different CVEs related to overlayfs.
CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) MSF_LICENSE,
'Author' =>
[
'h00die ', # Module
'rebel' # Discovery
],
'DisclosureDate' => 'Jun 16 2015',
'Platform' => [ 'linux'],
'Arch' => [ ARCH_X86, ARCH_X86_64 ],
'SessionTypes' => [ 'shell', 'meterpreter' ],
'Targets' =>
[
[ 'CVE-2015-1328', { } ],
[ 'CVE-2015-8660', { } ]
],
'DefaultTarget' => 1,
'DefaultOptions' =>
{
'pay
Exploit-DB
Linux Kernel 4.3.3 - 'overlayfs' Local Privilege Escalation (2)
exploitdb·2016-01-12
CVE-2015-8660 Linux Kernel 4.3.3 - 'overlayfs' Local Privilege Escalation (2)
Linux Kernel 4.3.3 - 'overlayfs' Local Privilege Escalation (2)
---
/** This software is provided by the copyright owner "as is" and any
* expressed or implied warranties, including, but not limited to,
* the implied warranties of merchantability and fitness for a particular
* purpose are disclaimed. In no event shall the copyright owner be
* liable for any direct, indirect, incidential, special, exemplary or
* consequential damages, including, but not limited to, procurement
* of substitute goods or services, loss of use, data or profits or
* business interruption, however caused and on any theory of liability,
* whether in contract, strict liability, or tort, including negligence
* or otherwise, arising in any way out of the use of this software,
* even if advised of the possibility of
Exploit-DB
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
exploitdb·2016-01-05·CVSS 6.7
CVE-2015-8660 [MEDIUM] Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)
---
/*
just another overlayfs exploit, works on kernels before 2015-12-26
# Exploit Title: overlayfs local root
# Date: 2016-01-05
# Exploit Author: rebel
# Version: Ubuntu 14.04 LTS, 15.10 and more
# Tested on: Ubuntu 14.04 LTS, 15.10
# CVE : CVE-2015-8660
blah@ubuntu:~$ id
uid=1001(blah) gid=1001(blah) groups=1001(blah)
blah@ubuntu:~$ uname -a && cat /etc/issue
Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 14.04.3 LTS \n \l
blah@ubuntu:~$ ./overlayfail
root@ubuntu:~# id
uid=0(root) gid=1001(blah) groups=0(root),1001(blah)
12/2015
by rebel
6354b4e23db225b565d79f226f2e49ec0fe1e19b
*/
#include
#include
#include
#include
#inclu
Metasploit
Overlayfs Privilege Escalation
metasploit·CVSS 7.8
CVE-2015-1328 [HIGH] Overlayfs Privilege Escalation
Overlayfs Privilege Escalation
This module attempts to exploit two different CVEs related to overlayfs.
CVE-2015-1328: Ubuntu specific ->
  3.13.0-24 (14.04 default) < 3.13.0-55
  3.16.0-25 (14.10 default) < 3.16.0-41
  3.19.0-18 (15.04 default) < 3.19.0-21
CVE-2015-8660:
  Ubuntu: 3.19.0-18 < 3.19.0-43
          4.2.0-18 < 4.2.0-23 (14.04.1, 15.10)
  Fedora: < 4.2.8 (vulnerable, un-tested)
  Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested)
Bugzilla
CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up [fedora-all]
bugzilla·2015-12-14·CVSS 6.7
CVE-2015-8660 [MEDIUM] CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up [fedora-all]
CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up
bugzilla·2015-12-14·CVSS 6.7
CVE-2015-8660 [MEDIUM] CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up
CVE-2015-8660 kernel: Permission bypass on overlayfs during copy_up
A security issue was fixed in kernel 4.4-rc4 resolving the bypassing of filesystem permission checks in overlayfs during the initial copy_up.
Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=acff81ec2c79492b180fade3c2894425cd35a545
Discussion:
Acknowledgements:
Name: Nathan Williams
---
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1291332]
---
kernel-4.2.8-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
---
kernel-4.2.8-300.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
---
Statemen
References
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=acff81ec2c79492b180fade3c2894425cd35a545
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00039.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00040.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00043.html
http://packetstormsecurity.com/files/135151/Ubuntu-14.04-LTS-15.10-overlayfs-Local-Root.html
http://rhn.redhat.com/errata/RHSA-2016-1532.html
http://rhn.redhat.com/errata/RHSA-2016-1539.html
http://rhn.redhat.com/errata/RHSA-2016-1541.html
http://www.openwall.com/lists/oss-security/2015/12/23/5
http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
http://www.oracle.com/technetwork/topics/security/ovmbulletinjul2016-3090546.html
http://www.securityfocus.com/bid/79671
http://www.securitytracker.com/id/1034548
http://www.ubuntu.com/usn/USN-2857-1
http://www.ubuntu.com/usn/USN-2857-2
http://www.ubuntu.com/usn/USN-2858-1
http://www.ubuntu.com/usn/USN-2858-2
http://www.ubuntu.com/usn/USN-2858-3
https://bugzilla.redhat.com/show_bug.cgi?id=1291329
https://github.com/torvalds/linux/commit/acff81ec2c79492b180fade3c2894425cd35a545
https://www.exploit-db.com/exploits/39166/
https://www.exploit-db.com/exploits/39230/
https://www.exploit-db.com/exploits/40688/