feat(exploit/abuse_unpriv_userns.go): exploit of CVE-2022-0492 #41
Conversation
Co-operate with PR #40. Use the `reexec` technique to let a multi-threaded program (such as this Golang program) run in a different new namespace. Why `reexec`? `unshare()` is not possible to use safely in a multi-threaded program, especially in the current circumstance. Check comments in code for more details.

Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
Please use an affected kernel version. Advisory by Canonical: https://ubuntu.com/security/CVE-2022-0492

Test environment:

Dockerfile:

```dockerfile
FROM ubuntu:21.04
LABEL MAINTAINER kmahyyg<16604643+kmahyyg@users.noreply.github.com>
RUN echo "nameserver 223.5.5.5" > /etc/resolv.conf
RUN sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list && \
    apt update -y && \
    apt install -y ca-certificates wget curl nano socat libcap2-bin && \
    rm -rf /var/cache/apt
CMD ["/bin/bash", "-c", "sleep 9999"]
```

Run:

```bash
#!/bin/bash
# Allow unprivileged user namespace creation (Debian/Ubuntu sysctl knob)
sysctl -w kernel.unprivileged_userns_clone=1
# Put SELinux into permissive mode
setenforce 0
# Start the test container with seccomp and AppArmor confinement disabled,
# mounting the CDK binary directory from the current working directory
cnt1=$(docker run -d --rm -v "$(pwd)/cdkbin:/cdkbin" --security-opt "seccomp=unconfined" --security-opt "apparmor=unconfined" cve-2022-0492:latest)
echo "$cnt1"
echo "Container created. Try Exec."
docker exec -it "$cnt1" bash
```
Wiki content below:

title: Exploit: abuse-unpriv-userns

Exploit: Abuse Unprivileged User Namespace Creation

Description

Uses CVE-2022-0492 for automated escape. Since most distributions allow unprivileged users to create a User Namespace by default, this vulnerability can be exploited through the Linux capability inheritance rules of User Namespaces: when a process creates a new User Namespace, if the EUID of the process in the new namespace is the same as the EUID in the parent User Namespace, it holds all Linux capabilities, and so the process in the new namespace has ...

We abuse the capabilities inheritance rules above (which is CVE-2022-0492) to automatically create a new user namespace via an unprivileged user (which is able to do and default for most modern distros, or if you set ...

See Also:

Usage

Example

Warning: execute the following commands on a host that is running a vulnerable kernel:

Use the following Dockerfile or any frequently-used image to boot a container; disable SELinux and Seccomp:

Dockerfile:

Use the following extended params to boot a new container and get a shell inside:

Run CDK inside the container:

When you see ... on the host

Binary:
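As an added hardening check that is not part of CDK or this PR: a POSIX shell script that reports whether a host still has the preconditions the test setup above switches on by hand (unprivileged user namespace creation, and a container started with seccomp and AppArmor unconfined). The sysctl paths are passed as parameters so the functions can be exercised against constructed files; `--audit` runs them against the live host.

```shell
#!/bin/sh
# Added hardening check, not part of CDK or this PR: reports whether a host still
# has the two preconditions the test setup above enables by hand.
# Classify unprivileged user-namespace creation on this host.
# $1: kernel.unprivileged_userns_clone (Debian/Ubuntu-only knob,
#     normally /proc/sys/kernel/unprivileged_userns_clone)
# $2: user.max_user_namespaces (upstream knob, normally
#     /proc/sys/user/max_user_namespaces); a value of 0 disables user namespaces
# Prints: enabled | disabled | unknown (knob absent, e.g. non-Debian kernels)
userns_clone_status() {
    clone_knob="$1"
    max_ns="$2"
    if [ -r "$max_ns" ] && [ "$(cat "$max_ns")" = "0" ]; then
        echo disabled
        return 0
    fi
    if [ -r "$clone_knob" ]; then
        case "$(cat "$clone_knob")" in
            1) echo enabled ;;
            0) echo disabled ;;
            *) echo unknown ;;
        esac
    else
        echo unknown
    fi
}

# Classify a container's security options, as printed by
#   docker inspect -f '{{.HostConfig.SecurityOpt}}' <container>
# Prints: unconfined if seccomp or AppArmor is switched off (the flags the
# `docker run` line above passes), otherwise confined.
security_opt_status() {
    case "$1" in
        *seccomp=unconfined*|*apparmor=unconfined*) echo unconfined ;;
        *) echo confined ;;
    esac
}

# Live audit: check the real knobs and every running container.
audit_host() {
    printf 'unprivileged userns creation: %s\n' \
        "$(userns_clone_status /proc/sys/kernel/unprivileged_userns_clone \
                               /proc/sys/user/max_user_namespaces)"
    for id in $(docker ps -q 2>/dev/null); do
        opts=$(docker inspect -f '{{.HostConfig.SecurityOpt}}' "$id")
        printf 'container %s: %s (%s)\n' "$id" "$(security_opt_status "$opts")" "$opts"
    done
}
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```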
Awesome! But the CVE number is wrong; I think you mean CVE-2022-0492. In my understanding, CVE-2022-0492: not only RDMA is available for exploit, misc maybe also.
Anyway, the code is nice~

Sorry, the CVE number in the wiki thread is fixed, also the PR title.
Please do not merge it until I test it.

My testing environment runs Linux 5.4 (Ubuntu 20.04). I will test it on my Arch Linux.

OK o( ̄▽ ̄)👍

… subsystem for exploit CVE-2022-0492

Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>

Please check and merge. Thanks.

Binary: