There is a privilege-escalation vulnerability in several versions of Ubuntu that results from the fact that the operating system fails to check permissions when users are creating files in some specific circumstances.
Security researcher Philip Pettersson discovered the vulnerability and reported it to Canonical, which maintains Ubuntu. The company has patched the bug, which is present in versions 12.04, 14.04, 14.10, and 15.04. If a local attacker is able to exploit the vulnerability he could get a root shell on a target machine. The vulnerability itself lies in the overlayfs component of Ubuntu, a file system that is designed to be a writeable filesystem in cases where an underlying one is read-only.
“The overlayfs filesystem does not correctly check file permissions when creating new files in the upper filesystem directory. This can be exploited by an unprivileged process in kernels with CONFIG_USER_NS=y and where overlayfs has the FS_USERNS_MOUNT flag, which allows the mounting of overlayfs inside unprivileged mount namespaces. This is the default configuration of Ubuntu 12.04, 14.04, 14.10, and 15.04,” the advisory from Pettersson says.
Pettersson has developed and published a proof-of-concept exploit for the Ubuntu vulnerability that gives the user a root shell. He said an attacker also would have the ability to list the contents of any directory on the machine, regardless of the permissions.
“The ovl_copy_up_* functions do not correctly check that the user has permission to write files to the upperdir directory. The only permissions that are checked is if the owner of the file that is being modified has permission to write to the upperdir. Furthermore, when a file is copied from the lowerdir the file metadata is carbon copied, instead of attributes such as owner being changed to the user that triggered the copy_up_* procedures,” the advisory says.
The patch for this vulnerability, CVE-2015-1328, caused a problem with version 12.04 of Ubuntu.
“The Fix for CVE-2015-1328 introduced a regression into the Linux kernel’s overlayfs file system. The removal of a directory that only exists on the lower layer results in a kernel panic,” a separate Ubuntu advisory says.