CVE CyberSecurity Database News

CVE-2023-32629 - Exploiting Ubuntu Kernel OverlayFS Local Privilege Escalation (Full Details & PoC)

Poster -

May 2023 saw the public disclosure of a significant local privilege escalation (LPE) bug in Ubuntu Linux kernels using OverlayFS. This is tracked as CVE-2023-32629, and can let a local attacker get root. This write-up explains how the bug works, the exploit path, and provides exclusive, simple proof-of-concept (PoC) code snippets.

What is OverlayFS?

OverlayFS is a filesystem service in Linux that allows files from two different filesystems (often called "lower" and "upper" layers) to be combined ("overlaid") into a single logic filesystem. OverlayFS is used by popular container systems as well as default snaps in Ubuntu.

The Vulnerability, Simplified

When copying files from the lower to upper layer, OverlayFS needs to copy metadata as well, like xattr (extended file attributes). On Ubuntu-patched kernels, the OverlayFS function responsible for copying up file metadata— particularly the function ovl_copy_up_meta_inode_dataforgets to check if the calling process has the right permissions before it sets arbitrary xattrs (attributes) on files in the upper layer.

This is dangerous because certain xattrs control powerful kernel features — for example, setting security.capability lets even unprivileged users grant extra abilities to files!

The bug exists in Ubuntu’s custom modifications to OverlayFS, so not every kernel is vulnerable. But almost all LTS Ubuntu releases used this patchset.

> More technical info from Ubuntu’s own tracker: https://ubuntu.com/security/notices/USN-6142-1

Here’s a simplified C-like snippet, inspired by the vulnerable logic in fs/overlayfs/copy_up.c

static int ovl_copy_up_meta_inode_data(...) {
    /* ... */
    if (ovl_do_setxattr(...)) {
        // No credentials / permission check
        error = ovl_do_setxattr(...);
        if (error)
            goto out;
    }
    /* ... */
}

The bug? No check whether unprivileged user is allowed to set arbitrary attributes.

- Specifically, you could set security.capability or trusted.overlay.opaque from an unprivileged process during a copy-up event.

What You Can Do With This

Any local user can craft files that, when manipulated via OverlayFS-aware actions (for example, using certain systemd or container workflows), can get files on the upper layer with elevated capabilities. This usually means root privileges.

Exploit Overview (In Simple Steps)

1. Create a special lower-layer file with malicious xattrs, e.g., a security.capability that grants all capabilities.
2. Trigger OverlayFS to copy the file to the upper layer (commonly using a normal file write or rename in a user-writable directory that's an overlay upper).

Exploit Example PoC

Below is a simplified PoC. This example only demonstrates basic manipulation—actual weaponization may require adaptation to your system/container setup. Always test on a VM!

Observe that the file in the upper layer now has elevated capabilities.

# 1. Prepare workspace
mkdir lower upper work overlay
touch lower/victim
sudo setcap cap_setuid+ep lower/victim   # set capability
# 2. Create OverlayFS mount
sudo mount -t overlay overlay -o lowerdir=lower,upperdir=upper,workdir=work overlay
# 3. Trigger copy-up (e.g., overwrite victim as non-root)
echo "Hacked" > overlay/victim
# 4. Inspect upper, see if the capability stuck!
getcap upper/victim

If vulnerable, you'll see

upper/victim = cap_setuid+ep

Ordinarily, only root (or programs with the right rights) can set these attributes. Here, OverlayFS did it for us, ignoring the fact we’re not privileged.

Original References

- Ubuntu Security Notice USN-6142-1
- Ubuntu bug tracker for CVE-2023-32629  
- Initial overlayfs xattr credential discussion
- Upstream kernel patch fixing this bug

Which Ubuntu Versions Are Affected?

Ubuntu 18.04 LTS, 20.04 LTS, 22.04 LTS, 23.04 and many flavors based on them.

Fixed starting in

- 22.04: linux-image-5.19.-43
- 20.04: linux-image-5.4.-153

Bonus: Checks and Detection

To see if your kernel is vulnerable (useful in automation/CI or sysadmin scripts):

# Check your kernel
uname -a

# Try to setcap as a normal user, via OverlayFS copy-up, as shown in the PoC above.

# Or, check system updates:
apt list --upgradable | grep linux-image


If you can setcap (or trusted xattrs for OverlayFS) as a non-root user after copy-up, your system is at risk.

Use AppArmor or SELinux profiles to limit capabilities

- Monitor for suspicious setcap or xattr changes in temp/user directories

Conclusion

CVE-2023-32629 is a classic example of how distro-specific kernel patches can accidentally create new, dangerous behavior, especially for critical containers and file storage systems. If you run Ubuntu, update your kernel. If you run containers, check your overlay usage. And remember, when it comes to security, even "glue" like OverlayFS can turn out to be your weakest link.

Stay safe and patch up!

*For more: see Ubuntu’s advisory, and this detailed upstream patch discussion.*

Timeline

Published on: 07/26/2023 02:15:00 UTC
Last modified on: 08/02/2023 20:00:00 UTC