├── Dockerfile
├── README.md
├── LICENSE
└── can-ctr-escape-cve-2022-0492.sh

/Dockerfile:
--------------------------------------------------------------------------------
FROM ubuntu:21.04
COPY can-ctr-escape-cve-2022-0492.sh /can-ctr-escape-cve-2022-0492.sh
RUN chmod +x /can-ctr-escape-cve-2022-0492.sh
CMD /can-ctr-escape-cve-2022-0492.sh
# Alternative: keep the container alive after the test finishes
# CMD /can-ctr-escape-cve-2022-0492.sh && echo "[*] Sleeping ..." && sleep infinity

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
A container image that tests whether a container environment is vulnerable to escapes via CVE-2022-0492. It is best run in a new container from an image built with:

```
$ cd can-ctr-escape-cve-2022-0492
$ docker build -t can-ctr-escape-cve-2022-0492:latest .
```

A pre-built image is available at `us-central1-docker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest`.

### Running in Kubernetes

```
kubectl run --restart Never --rm -it --image=us-central1-docker.pkg.dev/twistlock-secresearch/public/can-ctr-escape-cve-2022-0492:latest test-for-cve-2022-0492
```

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 Palo Alto Networks

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/can-ctr-escape-cve-2022-0492.sh:
--------------------------------------------------------------------------------
#!/bin/bash

echo "[*] Testing whether CVE-2022-0492 can be exploited for container escape"

# Setup test dir
test_dir=/tmp/.cve-2022-0492-test
if ! mkdir -p "$test_dir" ; then
    echo "ERROR: failed to create test directory at $test_dir"
    exit 1
fi

# Test whether escape via CAP_SYS_ADMIN is possible
if mount -t cgroup -o memory cgroup "$test_dir" >/dev/null 2>&1 ; then
    if test -w "$test_dir/release_agent" ; then
        echo "[!] Exploitable: the container can escape as it possesses CAP_SYS_ADMIN and runs without AppArmor or SELinux. Note that it likely doesn't need CVE-2022-0492 to escape."
        umount "$test_dir" && rm -rf "$test_dir"
        exit 0
    fi
    umount "$test_dir"
fi

# Test whether escape via user namespaces is possible
# unshare flags: -U new user namespace, -r map current user to root,
# -m new mount namespace, -C new cgroup namespace
while read -r subsys
do
    if unshare -UrmC --propagation=unchanged bash -c "mount -t cgroup -o $subsys cgroup $test_dir >/dev/null 2>&1 && test -w $test_dir/release_agent" >/dev/null 2>&1 ; then
        echo "[!] Exploitable: the container can abuse user namespaces to escape"
        rm -rf "$test_dir"
        exit 0
    fi
# One cgroup v1 controller list per line, taken from this shell's cgroup membership
done <<< "$(grep -Eo '[0-9]+:[^:]+' /proc/$$/cgroup | grep -Eo '[^:]+$')"

# Cannot escape via either method
rm -rf "$test_dir"
echo "[+] Contained: cannot escape via CVE-2022-0492"

--------------------------------------------------------------------------------
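
A read-only companion to the test script, added here as an example and not part of the repository: it reports the preconditions the script's messages name (CAP_SYS_ADMIN, AppArmor/SELinux confinement, user namespaces) without mounting anything. The function names, the `unconfined_t`/`spc_t` label heuristic and the use of `/proc/sys/user/max_user_namespaces` are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the repository: passive triage of the preconditions
# named in the test script's messages. It only reads files and mounts nothing.

# cap_sys_admin STATUS_FILE: succeeds if CapEff has bit 21 (CAP_SYS_ADMIN) set.
cap_sys_admin() {
    hex=$(awk '$1 == "CapEff:" { print $2 }' "$1" 2>/dev/null)
    [ -n "$hex" ] && [ $(( (0x$hex >> 21) & 1 )) -eq 1 ]
}

# lsm_confined ATTR_FILE: succeeds if the AppArmor/SELinux label looks confining.
# Assumption (heuristic): an empty or unreadable label, "unconfined", and the
# SELinux types unconfined_t and spc_t count as not confined.
lsm_confined() {
    label=$(cat "$1" 2>/dev/null | tr -d '\0')
    case "$label" in
        ""|unconfined|*:unconfined_t:*|*:spc_t:*) return 1 ;;
    esac
    return 0
}

# userns_enabled SYSCTL_FILE: fails only when the limit reads 0. A missing file
# is treated as enabled so that the triage errs towards running the real test.
userns_enabled() {
    max=$(cat "$1" 2>/dev/null)
    [ "${max:-1}" != "0" ]
}

# triage STATUS_FILE ATTR_FILE SYSCTL_FILE: prints the three facts and a priority.
triage() {
    cap=no; lsm=unconfined; userns=disabled; prio=lower
    cap_sys_admin "$1" && cap=yes
    lsm_confined "$2" && lsm=confined
    userns_enabled "$3" && userns=enabled
    if [ "$lsm" = unconfined ] && { [ "$cap" = yes ] || [ "$userns" = enabled ]; }; then
        prio=run-active-test
    fi
    echo "cap_sys_admin=$cap lsm=$lsm userns=$userns priority=$prio"
}

# Live use: inspect the current process and kernel setting.
triage /proc/self/status /proc/self/attr/current /proc/sys/user/max_user_namespaces
```

A `run-active-test` result only means the passive facts do not rule out the script's checks; the script's own mount attempt remains the authoritative result.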