A Proof of Concept (PoC) exploit for CVE-2015-1328# CVE-2015-1328 Proof of Concept
A Proof of Concept (PoC) exploit for CVE-2015-1328, a privilege escalation vulnerability affecting the Linux kernel's overlayfs implementation. This vulnerability allows local unprivileged users to gain root access by exploiting improper permission checks in overlayfs mount operations within user namespaces.
## Overview
CVE-2015-1328 is a critical security vulnerability that affects Linux kernels with overlayfs support and user namespaces enabled. The vulnerability allows an unprivileged local user to:
1. Create a user namespace using `unshare(CLONE_NEWUSER)`
2. Mount overlayfs filesystems within the namespace
3. Exploit permission checking flaws to write to `/etc/ld.so.preload`
4. Execute a malicious shared library to gain root privileges
This PoC demonstrates the vulnerability by:
- Using namespace isolation to bypass mount restrictions
- Mounting overlayfs to manipulate system files
- Injecting a custom shared library via `/etc/ld.so.preload`
- Hijacking `getuid()` to execute a root shell
## Affected Systems
- **Ubuntu 14.04 LTS** with kernel versions prior to 3.19.0-21.21
- Systems with:
- User namespaces enabled (`kernel.unprivileged_userns_clone=1`)
- Overlayfs filesystem support
- Unpatched kernel versions
## Requirements
- GCC compiler with 32-bit support
- Linux kernel with user namespaces and overlayfs support
- Appropriate system libraries (`-m32` flag support)
## Building
The project includes a Makefile for easy compilation:
```bash
make
```
This will compile:
- `ofs` - The main exploit binary (static 32-bit)
- `ofs-lib.so` - The shared library for LD_PRELOAD hook (32-bit)
### Manual Compilation
If you prefer to compile manually:
```bash
# Compile main exploit
gcc -o ofs ofs.c -m32 -static
# Compile shared library
gcc -m32 -fPIC -shared -o ofs-lib.so ofs-lib.c -ldl -static-libgcc
```
## Usage
**⚠️ WARNING: This exploit will modify system files and attempt to gain root privileges. Only use in controlled environments with proper authorization.**
1. Compile the exploit:
```bash
make
```
2. Run the exploit:
```bash
./ofs
```
3. If successful, the exploit will:
- Create necessary namespace structures
- Mount overlayfs filesystems
- Write to `/etc/ld.so.preload`
- Execute `/bin/su` which triggers the malicious library
- Spawn a root shell
## How It Works
### Exploit Flow
1. **Namespace Creation**: The exploit creates a new user namespace using `unshare(CLONE_NEWUSER)`
2. **Mount Namespace**: Creates a mount namespace using `clone()` with `CLONE_NEWNS`
3. **Overlayfs Mount**: Mounts overlayfs filesystems to manipulate system directories
4. **File Manipulation**: Uses overlayfs to rename files and write to `/etc/ld.so.preload`
5. **Library Injection**: Writes a malicious shared library to `/tmp/ofs-lib.so`
6. **Privilege Escalation**: Executes `/bin/su`, which triggers the preloaded library
7. **Root Shell**: The library hijacks `getuid()` and spawns a root shell
### Technical Details
- The exploit uses `clone()` with a custom stack to create isolated mount namespaces
- Overlayfs mounts allow file manipulation within the namespace that affects the host
- The shared library (`ofs-lib.so`) hooks `getuid()` via `LD_PRELOAD`
- When `/bin/su` calls `getuid()`, the malicious function is executed instead
## Code Structure
```
.
├── ofs.c # Main exploit code
├── ofs-lib.c # Shared library for privilege escalation
├── lib_so.h # Embedded binary library data
├── Makefile # Build configuration
└── README.md # This file
```
### Key Files
- **ofs.c**: Contains the main exploit logic, namespace creation, and mount operations
- **ofs-lib.c**: Implements the `getuid()` hook that spawns a root shell
- **lib_so.h**: Contains the compiled shared library as a binary array (for embedding)
## Mitigation
To protect against this vulnerability:
1. **Update the kernel** to a patched version (3.19.0-21.21 or later for Ubuntu 14.04)
2. **Disable user namespaces** if not required:
```bash
echo 0 > /proc/sys/kernel/unprivileged_userns_clone
```
3. **Use AppArmor/SELinux** to restrict namespace creation capabilities
4. **Monitor system logs** for suspicious mount operations
## Legal and Ethical Disclaimer
**This code is provided for educational and security research purposes only.**
- Unauthorized use of this exploit against systems without explicit permission is illegal
- This PoC is intended for:
- Security researchers studying kernel vulnerabilities
- System administrators testing their systems' resilience
- Educational purposes in controlled environments
- The authors are not responsible for any misuse of this code
- Always ensure you have proper authorization before testing on any system
## References
- [CVE-2015-1328](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1328)
- [Ubuntu Security Advisory](https://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)
- [Kernel.org Git Commit](https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e9ccd5636a5fb)
- [Cloud Foundry Advisory](https://www.cloudfoundry.org/blog/cve-2015-1328/)
- [Exploit DB Author: rebel](https://www.exploit-db.com/exploits/37292)
## License
This project is provided as-is for educational purposes. Use responsibly and in accordance with all applicable laws and regulations.
[4.0K] /data/pocs/47f8a8ff3880ae56580557b0df45de310c2c3f59
├── [ 44K] lib_so.h
├── [ 819] Makefile
├── [ 47K] ofs.c
├── [ 531] ofs-lib.c
└── [5.3K] README.md
1 directory, 5 files