The vulnerability is in Incus’s handling of custom storage volumes with security.shifted=true. An unprivileged user with root access inside a container can create such a volume. By writing a setuid binary to this volume from within the container, the file becomes accessible on the host filesystem. Because the directory permissions for the storage pool were overly permissive (e.g., 0755), the unprivileged user on the host can execute this planted setuid binary. This binary runs with root privileges on the host, leading to a full privilege escalation from an unprivileged user to root.
Platform: Incus
Version: pre-6.7
Vulnerability: Privilege Escalation
Severity: Critical
Date: 2024-XX-XX
Prediction: Patch 2024-06-15
What Undercode Say:
find /var/lib/incus/storage-pools/ -type d -perm 0755
chmod 0700 /var/lib/incus/storage-pools//
chmod 0711 /var/lib/incus/storage-pools//buckets
chmod 0711 /var/lib/incus/storage-pools//container
How Exploit:
Create shifted volume.
Plant setuid binary.
Execute from host.
Protection from this CVE:
Apply patch.
Run workaround commands.
Restrict user access.
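A read-only host audit for the exposure described above, as an added example that is not part of the original post or the Incus project: it lists pool directories that other users can list and traverse, and setuid files owned by root under the pool tree. The function names, the two-level layout (pool directories directly under the root, per-type directories one level below) and the o+rx test are assumptions of this example.

```shell
#!/bin/sh
# Read-only audit of an Incus storage-pool tree (added example, changes nothing).

# Pool-level and per-type directories (depth 1-2) that other users can both
# list and traverse (o+rx). This matches the 0755 case and leaves the
# 0700/0711 modes set by the workaround unflagged.
list_open_dirs() {
    find "$1" -mindepth 1 -maxdepth 2 -type d -perm -0005 2>/dev/null | sort
}

# Regular files below the tree that carry the setuid bit and belong to the
# given owner (default root), i.e. files that would run as that host user.
list_setuid_files() {
    find "$1" -type f -perm -4000 -user "${2:-root}" 2>/dev/null | sort
}

# Report both findings; return 1 if anything was found, 0 if the tree is clean.
audit_pools() {
    root=${1:-/var/lib/incus/storage-pools}
    owner=${2:-root}
    status=0
    open=$(list_open_dirs "$root")
    suid=$(list_setuid_files "$root" "$owner")
    if [ -n "$open" ]; then
        echo "Directories readable and traversable by other users:"
        echo "$open" | sed 's/^/  /'
        status=1
    fi
    if [ -n "$suid" ]; then
        echo "setuid files owned by $owner:"
        echo "$suid" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Run only when a root directory is passed on the command line.
if [ "$#" -gt 0 ]; then
    audit_pools "$@"
fi
```

Run it as root on the host, for example `sh audit.sh /var/lib/incus/storage-pools`, so that find can descend into directories already restricted to 0700.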
Impact:
Host root compromise.
Full system control.
Sources:
Reported By: github.com

