CVE-2015-8660
published 2015-12-28

CVE-2015-8660: The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to…

Priority: P349 · medium · 6.7 (CVSS 3.1)
CVSS 3.1 vector: AV:L / AC:L / PR:H / UI:N / S:U / C:H / I:H / A:H
Exploit: public exploit available
EPSS: 22.37% (97.4th percentile)
The ovl_setattr function in fs/overlayfs/inode.c in the Linux kernel through 4.3.3 attempts to merge distinct setattr operations, which allows local users to bypass intended access restrictions and modify the attributes of arbitrary overlay files via a crafted application.

Affected

8 ranges

Vendor   Product        Version range                 Fixed in
debian   linux          < linux 4.3.3-3 (bookworm)    linux 4.3.3-3 (bookworm)
linux    linux_kernel   >= 0 < 4.3.3-3                4.3.3-3
linux    linux_kernel   >= 0 < 4.3.3-3                4.3.3-3
linux    linux_kernel   >= 0 < 4.3.3-3                4.3.3-3
linux    linux_kernel   >= 0 < 4.3.3-3                4.3.3-3
linux    linux_kernel   >= 3.18 < 3.18.31             3.18.31
linux    linux_kernel   >= 3.19 < 4.1.22              4.1.22
linux    linux_kernel   >= 4.2 < 4.4                  4.4

Detection & IOCs (extracted from sources)

path: /tmp/x/bin
filename: UserNamespaceOverlayfsSetuidWriteExec
command: mount overlay /tmp/haxhax/o overlay MS_MGC_VAL lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w
  (these tokens are the five mount(2) arguments in order, source, target, fstype, flags, data, as the exploit calls them, not a mount(8) command line; an overlay mount of lowerdir=/bin with upper/work directories under /tmp, issued by an unprivileged user, is the tell)
  • Look for creation of the directory /tmp/haxhax with subdirectories w, u and o, the layout used by the EDB-39166 exploit for CVE-2015-8660. Auditd or inotify rules on directory creation under /tmp can surface this; the names are trivially changed, so treat them as a cheap indicator, not a control.
  • Alert on a regular file with st_mode == 0x89ed (octal 0104755, i.e. S_IFREG with mode 04755: setuid root) appearing in /tmp/haxhax/u/; that is the copied-up bash, and the exploit compares against exactly this value to confirm that privilege escalation succeeded. More generally, any new setuid-root regular file inside a user-writable overlay upperdir is the post-exploitation artifact to hunt for.
  • Monitor for writes to /proc/<pid>/uid_map and /proc/<pid>/gid_map (unprivileged user-namespace setup) combined with overlayfs mount activity from unprivileged users, the sequence used by the EDB-39230 variant.
  • The Metasploit module drops its pre-compiled payload under the writable directory (default /tmp); the sources record /tmp/1H0qLaq2 (CVE-2015-8660 pre-compiled binary drop) and /tmp/lXqzVpYN (CVE-2015-1328 variant). Names of that shape are consistent with Metasploit's random 8-character file naming, so key detection on an unprivileged user executing a freshly written 8-character alphanumeric ELF in /tmp rather than on the literal paths.
  • Flag execution of binaries named '8660' or '1328' dropped under a writable directory (default /tmp), compiled or pre-compiled, as part of the Metasploit overlayfs module exploitation chain.
  • Kernel version ranges quoted by the sources for targeted detection: Ubuntu 3.19.0-18 through 3.19.0-42 and 4.2.0-18 through 4.2.0-22; Fedora kernels before 4.2.8; Red Hat kernels before 3.10.0-327.
  • The Metasploit module defaults to the CVE-2015-8660 target (DefaultTarget => 1) and uses linux/x86/shell/reverse_tcp as the default payload for compatibility; defenders should account for both x86 and x86_64 payload variants.
  • The exploit requires the target directory (default /tmp) to not be mounted noexec; noexec on /tmp blocks the compiled or dropped binary from executing there, but the module's writable-directory option lets an operator pick another location, so noexec on /tmp alone is a speed bump rather than a fix.
  • EDB-39166 targets kernels that predate the upstream fix of 2015-12-26; kernels that carry that fix (the fixed versions listed above) are not vulnerable regardless of which exploit is used.
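The checks above can be turned into host-side logic. The following is an added example written for this page, not code from any of the cited exploits or from Metasploit: it parses /proc/mounts-format text for overlay mounts in the exploit layout (system lowerdir, /tmp-backed upper/work dirs), decodes the 0x89ed st_mode value, walks a directory tree for setuid regular files, and tests a uname -r string against the Ubuntu ABI ranges quoted above. The sample mount table is constructed inline; the function names, the SYSTEM_LOWERDIRS and TEMP_PREFIXES lists, and the temporary-tree demo are this example's own assumptions.

```python
"""Added example: host-side checks for the CVE-2015-8660 indicators listed above.
Sample inputs are constructed here; helper names are this example's own."""
import os
import re
import stat
import tempfile

# Assumed lists: lower layers an exploit would want to shadow, and writable
# locations where an unprivileged user would place upperdir/workdir.
SYSTEM_LOWERDIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


def parse_overlay_opts(opts):
    """Split a mount option string ('rw,relatime,lowerdir=/bin,...') into a dict."""
    out = {}
    for item in opts.split(","):
        key, _, value = item.partition("=")
        out[key] = value
    return out


def suspicious_overlay_mounts(proc_mounts_text):
    """Return (mountpoint, lowerdir, upperdir) for overlay mounts in the exploit
    layout. Input is /proc/mounts format: source mountpoint fstype options dump pass."""
    hits = []
    for line in proc_mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "overlay":
            continue
        opts = parse_overlay_opts(fields[3])
        lower, upper, work = (opts.get(k, "") for k in ("lowerdir", "upperdir", "workdir"))
        # lowerdir may be a colon-separated stack; any system dir in it counts.
        lower_is_system = any(l.rstrip("/") in SYSTEM_LOWERDIRS for l in lower.split(":"))
        tmp_backed = upper.startswith(TEMP_PREFIXES) or work.startswith(TEMP_PREFIXES)
        if lower_is_system and tmp_backed:
            hits.append((fields[1], lower, upper))
    return hits


def decode_mode(st_mode):
    """Human-readable st_mode: 0x89ed -> ('regular file', '4755')."""
    kind = "regular file" if stat.S_ISREG(st_mode) else "other"
    return kind, format(stat.S_IMODE(st_mode), "o")


def is_setuid_regular(st_mode):
    """True for a regular file with the setuid bit set (S_IFREG | S_ISUID)."""
    return stat.S_ISREG(st_mode) and bool(st_mode & stat.S_ISUID)


def find_setuid_files(root):
    """Walk root and return sorted paths of setuid regular files (lstat, no symlink follow)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_setuid_regular(st.st_mode):
                found.append(path)
    return sorted(found)


# Ubuntu ABI ranges quoted on this page: 3.19.0-18..42 and 4.2.0-18..22.
UBUNTU_VULN_ABI = {(3, 19, 0): (18, 42), (4, 2, 0): (18, 22)}
_ABI_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)-")


def ubuntu_kernel_in_vuln_range(release):
    """True if a 'uname -r' string such as '3.19.0-42-generic' falls in the ranges above."""
    m = _ABI_RE.match(release)
    if not m:
        return False
    base = tuple(int(x) for x in m.group(1, 2, 3))
    abi = int(m.group(4))
    lo_hi = UBUNTU_VULN_ABI.get(base)
    return lo_hi is not None and lo_hi[0] <= abi <= lo_hi[1]


# Constructed sample /proc/mounts: a benign Docker-style overlay and the exploit layout.
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
overlay /var/lib/docker/overlay2/abc/merged overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/X,upperdir=/var/lib/docker/overlay2/abc/diff,workdir=/var/lib/docker/overlay2/abc/work 0 0
overlay /tmp/haxhax/o overlay rw,relatime,lowerdir=/bin,upperdir=/tmp/haxhax/u,workdir=/tmp/haxhax/w 0 0
"""


def demo_setuid_scan():
    """Build a throwaway tree with one setuid file and one plain file, then scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "u"))
        bad, good = os.path.join(root, "u", "bash"), os.path.join(root, "u", "ls")
        for path in (bad, good):
            with open(path, "wb") as f:
                f.write(b"\x7fELF")
        os.chmod(bad, 0o4755)  # the exploit's copied-up setuid bash
        os.chmod(good, 0o755)
        return [os.path.relpath(p, root) for p in find_setuid_files(root)]


if __name__ == "__main__":
    print(suspicious_overlay_mounts(SAMPLE_PROC_MOUNTS))
    print(decode_mode(0x89ED))
    print(demo_setuid_scan())
    print(ubuntu_kernel_in_vuln_range("3.19.0-42-generic"))
```

On a live host, feed suspicious_overlay_mounts() the contents of /proc/mounts and point find_setuid_files() at /tmp and at any upperdir the first check reports; the setuid scan is the post-exploitation signal and the mount layout is the pre-exploitation one.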

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      6.7     MEDIUM     CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
osv             -         6.7     MEDIUM     -
vendor_debian   -         6.7     MEDIUM     -
vendor_redhat   -         6.7     MEDIUM     -

Caveat: PR:H in the v3.1 vector sits awkwardly with the public exploits, which run as an ordinary local user (via user namespaces in the EDB-39230 variant) and return a root shell; the same vector with PR:L scores 7.8. Treat 6.7 as a floor when prioritising.