How To Add Exploit (CVE-2023-0386 OverlayFS) #99

Open
IppSec opened this issue Jun 7, 2023 · 1 comment

Comments

@IppSec

IppSec commented Jun 7, 2023

I was hoping to add the somewhat recent OverlayFS Bug, but am having trouble getting this working as I would expect. I think the root of the problem could just be this script doesn't do a great job with Ubuntu's crazy kernel scheme of putting the minor version after a dash.

I added the following:

EXPLOITS[((n++))]=$(cat <<EOF
Name: ${txtgrn}[CVE-2023-0386]${txtrst} OverlayFS FuseFS SetUID Copy
Reqs: pkg=linux-kernel,ver<5.15.70
Tags: ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*}
Rank: 1
analysis-url: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
src-url: https://github.com/xkaneiki/CVE-2023-0386
Comments: 
author: vulnerability discovery: Red Hat
EOF
)

But when I run it on my updated VM, it still says highly probable. That being said, a lot of other kernel checks say it's vulnerable.

uname output:

Linux ubuntu 5.15.0-73-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

LES Output:

Available information:

Kernel version: 5.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 20.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

82 kernel space exploits
49 user space exploits

Possible Exploits:

[+] [CVE-2023-0386] OverlayFS FuseFS SetUID Copy

   Details: https://securitylabs.datadoghq.com/articles/overlayfs-cve-2023-0386/#check-if-your-system-is-vulnerable
   Exposure: highly probable
   Tags: [ ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*} ]
   Download URL: https://github.com/xkaneiki/CVE-2023-0386

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: probable
   Tags: [ ubuntu=(20.04) ]{kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: probable
   Tags: [ ubuntu=(20.04|21.04) ],debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

...

If I change the tag so it is not Ubuntu 20.04, the exploit moves from highly probable to less probable. Am I doing it correctly? I figured the

ubuntu=(20.04){kernel:5.15.0-([0-9]-|[0-6][0-9]-|70-)*}

would not match my uname of 5.15.0-73-generic.

@Buffet-Overflow

I haven't had the time to look properly at where the variables are used (and I could be out of my depth), but could it have something to do with the way the variables are assigned? There are both a short and a full version of the variable in the parseUname function.

1866: KERNEL=$(echo "$uname" | awk '{print $3}' | cut -d '-' -f 1)
1867: KERNEL_ALL=$(echo "$uname" | awk '{print $3}')

If it's using $KERNEL, the regex would bypass the minor versions and provide false positives.

Linux ubuntu 5.15.0-70-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Linux ubuntu 5.15.0-73-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$KERNEL for the unames above would both be 5.15.0.
If $KERNEL_ALL is used then I agree that the regex would only match 5.15.0- from 5.15.0-73-generic.

It may well be barking up the wrong tree but it could be worth looking into if your up-to-date VM still comes back as highly probable. Hopefully it's a helpful suggestion, if not - apologies! (:

P.S. Big fan
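Both points in the thread, the proposed Tags regex and the $KERNEL versus $KERNEL_ALL distinction, can be checked with a few lines of shell. The script below is an added example; it is not code from linux-exploit-suggester or from either poster. It assumes that a `{kernel:...}` tag is applied as an unanchored POSIX extended regular expression (grep -E here), which may not be exactly how les.sh evaluates tags, and the names `classify`, `short_kernel`, `full_kernel`, `TAG_PROPOSED` and `TAG_ANCHORED` are mine. `TAG_ANCHORED` is a tightened pattern I constructed for contrast; the two uname lines are the ones quoted above.

```shell
#!/bin/sh
# Added example, not part of linux-exploit-suggester (LES) or of either
# poster's text. Assumption: a kernel tag is applied as an unanchored POSIX
# ERE (grep -E); LES's real tag-evaluation code may differ.

# The two uname lines quoted in the thread: the patched -73 build and the
# older -70 build.
UNAME_PATCHED='Linux ubuntu 5.15.0-73-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux'
UNAME_OLDER='Linux ubuntu 5.15.0-70-generic #80~20.04.1-Ubuntu SMP Wed May 17 14:58:14 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux'

# Same two extractions as the parseUname lines quoted in the comment:
# short_kernel mirrors KERNEL, full_kernel mirrors KERNEL_ALL.
short_kernel() { printf '%s\n' "$1" | awk '{print $3}' | cut -d '-' -f 1; }
full_kernel()  { printf '%s\n' "$1" | awk '{print $3}'; }

# The kernel pattern exactly as proposed in the issue.
TAG_PROPOSED='5.15.0-([0-9]-|[0-6][0-9]-|70-)*'
# A tightened variant (my own, not from the page): anchored at the start,
# dots escaped, and the ABI number made mandatory rather than optional.
TAG_ANCHORED='^5\.15\.0-([0-9]|[0-6][0-9]|70)-'

# classify <kernel-string> <regex>: prints MATCH or NOMATCH.
classify() {
    if printf '%s\n' "$1" | grep -Eq -e "$2"; then
        echo MATCH
    else
        echo NOMATCH
    fi
}

# Stand-alone demo: every combination for both unames. Expected output:
#   5.15.0-73-generic proposed/short=NOMATCH proposed/full=MATCH anchored/full=NOMATCH
#   5.15.0-70-generic proposed/short=NOMATCH proposed/full=MATCH anchored/full=MATCH
for u in "$UNAME_PATCHED" "$UNAME_OLDER"; do
    short=$(short_kernel "$u")
    full=$(full_kernel "$u")
    printf '%s proposed/short=%s proposed/full=%s anchored/full=%s\n' \
        "$full" \
        "$(classify "$short" "$TAG_PROPOSED")" \
        "$(classify "$full" "$TAG_PROPOSED")" \
        "$(classify "$full" "$TAG_ANCHORED")"
done
```

Two things fall out of the run. Against the full string, the proposed pattern matches the patched -73 build as well as -70, because the trailing `*` lets the parenthesised group match zero times, so the only thing the regex actually requires is the substring `5.15.0-`; that is consistent with the "highly probable" result reported above. Against the short `5.15.0` string it never matches at all, since the literal dash is mandatory, so if LES compared the tag against $KERNEL this entry would not fire on any host. Anchoring the pattern and dropping the `*` restores the intended cut-off at -70, which matters because a version check that flags patched hosts sends people chasing a vulnerability that is no longer there; which variable les.sh really compares against should be confirmed by reading its tag-evaluation code before relying on either pattern.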
