Skip to content

Exploit: abuse unpriv userns

neargle edited this page Mar 10, 2022 · 1 revision

Exploit: Abuse Unprivileged User Namespace Creation

描述 Description

利用 CVE-2022-0492 进行自动化逃逸。

由于多数发行版默认允许未授权用户创建 User Namespace,可利用此漏洞根据 User Namespace 的 Linux Capabilities 继承规则,当进程创建新的 User Namespace 时,若新 Namespace 下的进程 EUID 和 父 User Namespace 的 EUID 相同,则拥有所有 Linux Capabilities,进而新 Namespace 下进程拥有 CAP_SYS_ADMIN,可在没有 LSM 或 seccomp 的情况下调用 Mount syscall,挂载一个 root cgroup(因为仅有 root cgroup 才存在 release_agent 可供利用),后续利用同 Exploit: mount cgroup

When a user namespace is created, the kernel records the effective user ID of the creating process as being the "owner" of the namespace. A process whose effective user ID matches that of the owner of a user namespace and which is a member of the parent namespace has all capabilities in the namespace. By virtue of the previous rule, those capabilities propagate down into all descendant namespaces as well. This means that after creation of a new user namespace, other processes owned by the same user in the parent namespace have all capabilities in the new namespace.

We abuse the capabilities inheritance rules above (which is CVE-2022-0492) to automatically create a new user namespace via an unprivileged user (which is able to do and default for most modern distros, or if you set kernel.unprivileged_userns_clone=1 ), then new processes which is under the same EUID as the parent one who create new namespace has CAP_SYS_ADMIN. Without limitation of LSM(e.g. AppArmor/SELinux) and seccomp, you can mount a root cgroup, then abuse its release_agent feature to escape.

See Also:

用法 Usage

./cdk run abuse-unpriv-userns "<shell-cmd>" [cgroup-subsystem-name]
# after exploit, the target host will execute user-specified commands in <shell-cmd> arg.

测试案例 Example

警告⚠️ 请在隔离的实验环境下测试! YOU'VE BEEN WARNED THIS EXAMPLE CAN ONLY BE RUN IN STRICTLY ISOLATED LAB ENVIRONMENT.

在使用受影响的内核版本的系统下执行下列命令:

Execute command on host who is running vulnerable kernel:

sysctl -w kernel.unprivileged_userns_clone=1
setenforce 0

使用下列 DockerFile 或任意常规镜像启动容器,注意关闭 SELinux 和 Seccomp:

Use the following DockerFile or any frequently-used Image to boot a container, disable SELinux and Seccomp:

DockerFile:

FROM ubuntu:21.04
LABEL MAINTAINER kmahyyg<[email protected]>

RUN echo "nameserver 223.5.5.5" > /etc/resolv.conf
RUN sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list && \
    apt update -y && \
    apt install -y ca-certificates wget curl nano strace ltrace socat libcap2-bin && \
    rm -rf /var/cache/apt

CMD ["/bin/bash", "-c", "sleep 9999"]

使用下列附加参数启动容器并接入 Shell:

Use the following extended params to boot a new container and get a shell inside:

--security-opt "seccomp=unconfined" --security-opt "apparmor=unconfined"

容器内部运行 CDK 工具,

Run CDK inside the container:

./cdk run abuse-unpriv-userns "touch /root/hacked"

看到宿主机存在 /root/hacked 即为攻击成功,攻击者可在宿主机执行任意命令。

When you see /root/hacked on host, which means exploit successfully, you could execute any command on host as you wanted.

CleanShot 2022-03-10 at 02 00 34@2x

Test

Robustness of validating user input:

CleanShot 2022-03-10 at 12 50 34@2x

Auto detection of available cgroup:

Detect misc:

CleanShot 2022-03-10 at 12 59 22@2x

Detect rdma:

CleanShot 2022-03-10 at 13 14 52@2x

mount-cgroup working:

CleanShot 2022-03-10 at 13 02 35@2x

mount-cgroup blkio with privileged container working:

CleanShot 2022-03-10 at 13 05 14@2x
Clone this wiki locally