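#!/bin/bash
# Probe whether this container could escape via CVE-2022-0492, the cgroup v1
# release_agent bug. Two paths are tried, both read-only: mounting a cgroup v1
# hierarchy directly (needs CAP_SYS_ADMIN), and mounting one from inside an
# unprivileged user namespace. Only writability of release_agent is tested;
# nothing is ever written to it.
#
# Output: one "[!] Exploitable" / "[+] Contained" verdict line on stdout.
# Exit status: 0 for every verdict; 1 only if the scratch directory could
# not be created.
set -u

readonly test_dir_template=/tmp/.cve-2022-0492-test.XXXXXX
test_dir=

#######################################
# Unmount (if still mounted) and remove the scratch directory.
# Runs from the EXIT trap so every exit path, including early `exit 0`,
# cleans up.
# Globals:   test_dir (read)
# Returns:   0 always
#######################################
cleanup() {
  [[ -n "$test_dir" ]] || return 0
  umount -- "$test_dir" >/dev/null 2>&1
  # Never rm -rf a directory that still has a cgroupfs mounted on it: that
  # would try to delete real cgroups rather than scratch files.
  if ! grep -qs -- " $test_dir " /proc/self/mounts ; then
    rm -rf -- "${test_dir:?}"
  fi
  return 0
}

#######################################
# List the cgroup v1 controllers this process is attached to, one per line.
# /proc/$$/cgroup has "hierarchy-ID:controllers:path" lines; the cgroup v2
# line ("0::/path") has an empty controller field and is skipped.
# Outputs:   controller names (e.g. "memory", "cpu,cpuacct") to stdout
#######################################
attached_subsystems() {
  awk -F: 'NF >= 3 && $2 != "" { print $2 }' "/proc/$$/cgroup"
}

echo "[*] Testing whether CVE-2022-0492 can be exploited for container escape"

# Setup test dir. A randomised name avoids racing on a predictable /tmp path
# and avoids reusing a stale mount left behind by an interrupted earlier run.
if ! test_dir=$(mktemp -d "$test_dir_template") ; then
  test_dir=
  echo "ERROR: failed to create test directory at $test_dir_template" >&2
  exit 1
fi
trap cleanup EXIT

# Test whether escape via CAP_SYS_ADMIN is possible
if mount -t cgroup -o memory cgroup "$test_dir" >/dev/null 2>&1 ; then
  if test -w "$test_dir/release_agent" ; then
    echo "[!] Exploitable: the container can escape as it runs with CAP_SYS_ADMIN"
    exit 0
  fi
  umount -- "$test_dir"
fi

# Test whether escape via user namespaces is possible. The controller name and
# scratch path are passed as positional arguments instead of being spliced
# into the -c string, so their contents are never re-parsed by the inner shell.
while IFS= read -r subsys ; do
  if unshare -UrmC --propagation=unchanged bash -c \
      'mount -t cgroup -o "$1" cgroup "$2" >/dev/null 2>&1 && test -w "$2/release_agent"' \
      _ "$subsys" "$test_dir" >/dev/null 2>&1 ; then
    echo "[!] Exploitable: the container can abuse user namespaces to escape"
    exit 0
  fi
done < <(attached_subsystems)

# Cannot escape via either method (scratch dir is removed by the EXIT trap)
echo "[+] Contained: cannot escape via CVE-2022-0492"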