├── LICENSE
├── README.md
├── README_ZH.md
├── container-escape-check.sh
└── img.png

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2022 TeamsSix

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Container Escape Check

[![GitHub stars](https://img.shields.io/github/stars/teamssix/container-escape-check)](https://github.com/teamssix/container-escape-check) [![GitHub issues](https://img.shields.io/github/issues/teamssix/container-escape-check)](https://github.com/teamssix/container-escape-check/issues) [![GitHub release](https://img.shields.io/github/release/teamssix/container-escape-check)](https://github.com/teamssix/container-escape-check/releases) [![img](https://img.shields.io/badge/author-TeamsSix-blueviolet)](https://github.com/teamssix) [![Twitter](https://img.shields.io/twitter/url/https/twitter.com/teamssix.svg?style=social&label=Follow%20the%20author)](https://twitter.com/teamssix)

![container-escape-check](https://socialify.git.ci/teamssix/container-escape-check/image?description=1&font=Inter&forks=1&issues=1&language=1&logo=https%3A%2F%2Favatars.githubusercontent.com%2Fu%2F49087564&owner=1&pattern=Circuit%20Board&pulls=1&stargazers=1&theme=Dark)

[中文](https://github.com/teamssix/container-escape-check/blob/master/README_ZH.md) | EN

# Introduction

This script is used to detect Docker container escape methods. The following methods are currently supported:

1. Privileged Mode
2. Mount docker Socket
3. Mount host procfs
4. Mount host root or etc directory
5. Open Docker Remote API
6. CVE-2016-5195 DirtyCow
7. CVE-2020-14386
8. CVE-2022-0847 DirtyPipe
9. CVE-2017-1000112
10. CVE-2021-22555
11. Mount Host Var Log
12. CAP_DAC_READ_SEARCH (requires the container to support the capsh command)
13. CAP_SYS_ADMIN (requires the container to support the capsh command)
14. CAP_SYS_PTRACE (requires the container to support the capsh command)
15. CVE-2022-0492

# ✨ Usage

Run the script in the container with a single command:

```
wget https://raw.githubusercontent.com/teamssix/container-escape-check/main/container-escape-check.sh -O- | bash
```

Or clone the project and run it inside the container:

```
git clone https://github.com/teamssix/container-escape-check.git
cd container-escape-check
chmod +x container-escape-check.sh
./container-escape-check.sh
```

![](./img.png)

If it feels good, remember to give the project a little star ✨

# ⚠️ Notes

* This script needs to be run inside the Docker container.
* Most of the detection methods here are based on my experience, and there may be false positives or omissions. If you find these problems, please submit an Issue.
* Some escape methods need to be judged according to the Docker version. I haven't thought of a way to get the Docker version from inside the container, so the script does not support the detection of this method yet.
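Methods 12 to 14 depend on the capsh command. The bash functions below, added here as an example and not part of the container-escape-check project, read the same information from the CapEff field of /proc/self/status instead: the bit numbers are the CAP_* constants from linux/capability.h (CAP_DAC_READ_SEARCH is bit 2, CAP_SYS_PTRACE bit 19, CAP_SYS_ADMIN bit 21), the full-set test derives its mask from /proc/sys/kernel/cap_last_cap rather than hard-coding a width, and the three status snippets (Docker's default capability set 00000000a80425fb, the same set with CAP_SYS_PTRACE and CAP_SYS_ADMIN added, and an all-capabilities mask for a 5.9+ kernel) are constructed sample inputs.

```shell
#!/bin/bash
# Added example, not part of container-escape-check: decode the CapEff mask from
# /proc/self/status without capsh. Bit numbers are the CAP_* constants from
# linux/capability.h.

# The three capabilities the checker reports, as "bit:name" pairs.
DANGEROUS_CAPS="2:cap_dac_read_search 19:cap_sys_ptrace 21:cap_sys_admin"

# HasCap HEXMASK BIT -> exit 0 when BIT is set in the 64-bit hex mask.
HasCap(){
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# DangerousCapsFromMask HEXMASK -> names of the dangerous capabilities present, space separated.
DangerousCapsFromMask(){
    found=""
    for entry in $DANGEROUS_CAPS; do
        if HasCap "$1" "${entry%%:*}"; then
            found="$found ${entry#*:}"
        fi
    done
    echo "${found# }"
}

# IsFullCapSet HEXMASK LASTCAP -> exit 0 when every capability 0..LASTCAP is set, which is what
# a privileged container shows. LASTCAP is the value of /proc/sys/kernel/cap_last_cap
# (37 on kernels with 38 capabilities, 40 from 5.9 on), so no mask width is hard-coded.
IsFullCapSet(){
    [ $(( 0x$1 )) -eq $(( (1 << ($2 + 1)) - 1 )) ]
}

# CapEffFromStatus FILE -> the CapEff field of a /proc/<pid>/status file.
CapEffFromStatus(){
    awk '/^CapEff:/ {print $2}' "$1"
}

# ReportCaps FILE LASTCAP -> one summary line; exit 0 only when nothing escape-relevant was found.
ReportCaps(){
    mask=$(CapEffFromStatus "$1")
    if IsFullCapSet "$mask" "$2"; then
        echo "CapEff $mask: full capability set (privileged container)"
        return 1
    fi
    caps=$(DangerousCapsFromMask "$mask")
    if [ -n "$caps" ]; then
        echo "CapEff $mask: $caps"
        return 1
    fi
    echo "CapEff $mask: no escape-relevant capabilities"
    return 0
}

# Constructed status snippets standing in for /proc/self/status: Docker's default set,
# the default set plus CAP_SYS_PTRACE and CAP_SYS_ADMIN, and a privileged container on 5.9+.
DemoDir=$(mktemp -d)
printf 'Name:\tbash\nCapEff:\t00000000a80425fb\n' > "$DemoDir/default"
printf 'Name:\tbash\nCapEff:\t00000000a82c25fb\n' > "$DemoDir/added"
printf 'Name:\tbash\nCapEff:\t000001ffffffffff\n' > "$DemoDir/privileged"
for sample in default added privileged; do
    ReportCaps "$DemoDir/$sample" 40 || true
done
rm -rf "$DemoDir"

# The process this example runs in, when procfs is available.
if [ -r /proc/self/status ] && [ -r /proc/sys/kernel/cap_last_cap ]; then
    ReportCaps /proc/self/status "$(cat /proc/sys/kernel/cap_last_cap)" || true
fi
```

Reading CapEff directly also avoids the package installation the script performs when capsh is missing, which matters when the container has no network access or no package manager.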

# Changelog

## v0.3 2022.4.7

* Add CVE-2022-0492
* If the capsh command does not exist, it will be installed automatically
* Enhanced privileged mode detection
* Enhanced /var/log detection

## v0.2 2022.3.30

* Add CVE-2017-1000112
* Add CVE-2021-22555
* Add Mount Host Var Log
* Add CAP_DAC_READ_SEARCH
* Add CAP_SYS_ADMIN
* Add CAP_SYS_PTRACE

## v0.1 2022.3.18

* Add Privileged Mode
* Add Mount docker Socket
* Add Mount host procfs
* Add Mount host root or etc directory
* Add Open Docker Remote API
* Add CVE-2016-5195 DirtyCow
* Add CVE-2020-14386
* Add CVE-2022-0847 DirtyPipe

![img](https://cdn.jsdelivr.net/gh/teamssix/BlogImages/imgs/TeamsSix_Subscription_Logo2.png)
--------------------------------------------------------------------------------
/README_ZH.md:
--------------------------------------------------------------------------------
# Container Escape Check

[![GitHub stars](https://img.shields.io/github/stars/teamssix/container-escape-check)](https://github.com/teamssix/container-escape-check) [![GitHub issues](https://img.shields.io/github/issues/teamssix/container-escape-check)](https://github.com/teamssix/container-escape-check/issues) [![GitHub release](https://img.shields.io/github/release/teamssix/container-escape-check)](https://github.com/teamssix/container-escape-check/releases) [![img](https://img.shields.io/badge/author-TeamsSix-blueviolet)](https://github.com/teamssix) [![Twitter](https://img.shields.io/twitter/url/https/twitter.com/teamssix.svg?style=social&label=Follow%20the%20author)](https://twitter.com/teamssix)

![container-escape-check](https://socialify.git.ci/teamssix/container-escape-check/image?description=1&font=Inter&forks=1&issues=1&language=1&logo=https%3A%2F%2Favatars.githubusercontent.com%2Fu%2F49087564&owner=1&pattern=Circuit%20Board&pulls=1&stargazers=1&theme=Dark)

Chinese | [EN](https://github.com/teamssix/container-escape-check/blob/master/README.md)

# Introduction

This script is used to detect escape methods inside a Docker container. The following methods are currently supported:

1. The container is running in privileged mode
2. The Docker Socket is mounted
3. The host's procfs is mounted
4. The host's root or etc directory is mounted
5. The Docker remote API is enabled
6. CVE-2016-5195 DirtyCow
7. CVE-2020-14386
8. CVE-2022-0847 DirtyPipe
9. CVE-2017-1000112
10. CVE-2021-22555
11. The pod has the host's /var/log directory mounted
12. The current container has the CAP_DAC_READ_SEARCH capability (requires the container to support the capsh command)
13. The current container has the CAP_SYS_ADMIN capability (requires the container to support the capsh command)
14. The current container has the CAP_SYS_PTRACE capability (requires the container to support the capsh command)
15. CVE-2022-0492

# ✨ Usage

Run it inside the Docker container with a single command:

```
wget https://raw.githubusercontent.com/teamssix/container-escape-check/main/container-escape-check.sh -O- | bash
```

Or clone the project into the container and run it:

```
git clone https://github.com/teamssix/container-escape-check.git
cd container-escape-check
chmod +x container-escape-check.sh
./container-escape-check.sh
```

![](./img.png)

If it feels good, remember to give the project a little star ✨

# ⚠️ Notes

* This script needs to be run inside a Docker container
* Most of the detection methods here are based on my own experience, so there may be false positives or missed detections. If you run into one, please file an Issue
* Some escape methods need to be judged according to the target's Docker version. I haven't yet thought of a way to get the Docker version from inside the container, so the script does not support that detection for now.

# Changelog

## v0.3 2022.4.7

- Added CVE-2022-0492
- If the capsh command does not exist, it is installed automatically
- Improved privileged mode detection
- Improved /var/log detection

## v0.2 2022.3.30

* Added CVE-2017-1000112
* Added CVE-2021-22555
* Added Mount Host Var Log
* Added CAP_DAC_READ_SEARCH
* Added CAP_SYS_ADMIN
* Added CAP_SYS_PTRACE

## v0.1 2022.3.18

* Added Privileged Mode
* Added Mount docker Socket
* Added Mount host procfs
* Added Mount host root or etc directory
* Added Open Docker Remote API
* Added CVE-2016-5195 DirtyCow
* Added CVE-2020-14386
* Added CVE-2022-0847 DirtyPipe

![img](https://cdn.jsdelivr.net/gh/teamssix/BlogImages/imgs/TeamsSix_Subscription_Logo2.png)
--------------------------------------------------------------------------------
/container-escape-check.sh:
--------------------------------------------------------------------------------
#!/bin/bash


echo -e ""
echo -e "\033[34m=============================================================\033[0m"
echo -e "\033[34m Containers Escape Check v0.3 \033[0m"
echo -e "\033[34m-------------------------------------------------------------\033[0m"
echo -e "\033[34m Author: TeamsSix \033[0m"
echo -e "\033[34m Twitter: TeamsSix \033[0m"
echo -e "\033[34m Blog: teamssix.com \033[0m"
echo -e "\033[34m WeChat Official Accounts: TeamsSix \033[0m"
echo -e "\033[34m Project Address: github.com/teamssix/container-escape-check \033[0m"
echo -e "\033[34m=============================================================\033[0m"
echo -e ""

# Supported detection methods:
#
# 1. Privileged Mode
# 2. Mount Docker Socket
# 3. Mount Procfs
# 4. Mount Root Directory
# 5. Open Docker Remote API
# 6. CVE-2016-5195 DirtyCow
# 7. CVE-2020-14386
# 8. CVE-2022-0847 DirtyPipe
# 9. CVE-2017-1000112
# 10. CVE-2021-22555
# 11. Mount Host Var Log
# 12. CAP_DAC_READ_SEARCH
# 13. CAP_SYS_ADMIN
# 14. CAP_SYS_PTRACE
# 15. CVE-2022-0492


# CheckCommandExists NAME: exit status 0 when the command is available, 1 otherwise.
# command -v only looks the name up; it never runs the program just to probe for it.
CheckCommandExists(){
    command -v "$1" >/dev/null 2>&1
}


# Install command
InstallCommand(){
    # Install the command only if it is not present.
    if CheckCommandExists "$1"; then
        return 0
    fi
    # Check network
    timeout 3 bash -c "echo -e >/dev/tcp/baidu.com/80" >/dev/null 2>&1 && IsNetWork=1 || IsNetWork=0
    if [ $IsNetWork -eq 1 ];then
        echo -e "\033[93m[!] It is detected that the $1 command does not exist in the current system, and the command is being installed.\033[0m"

        # Inside a container the script normally runs as root; use sudo only when it is available.
        SUDO=""
        if CheckCommandExists sudo; then
            SUDO="sudo"
        fi
        # capsh ships in the libcap2-bin (Debian/Ubuntu) or libcap (RHEL/CentOS) package.
        if [ "$1" = "capsh" ];then
            AptPackage="libcap2-bin"
            YumPackage="libcap"
        else
            AptPackage="$1"
            YumPackage="$1"
        fi
        if CheckCommandExists apt-get; then
            $SUDO apt-get -y update >/dev/null 2>&1 && $SUDO apt-get install -y "$AptPackage" >/dev/null 2>&1
        elif CheckCommandExists yum; then
            # yum refreshes its metadata as needed; a full "yum update" would upgrade every package.
            $SUDO yum install -y "$YumPackage" >/dev/null 2>&1
        fi
        if CheckCommandExists "$1"; then
            echo -e "\033[93m[!] $1 command installation completed.\033[0m"
        else
            echo -e "\033[93m[!] $1 command installation failed.\033[0m"
        fi
    fi
}


# 0. Check The Current Environment
CheckTheCurrentEnvironment(){
    IsContainer=0
    # Docker creates /.dockerenv in every container. On cgroup v1 hosts /proc/1/cgroup also names
    # the runtime; on cgroup v2 it only reads "0::/", so the file check is needed as well.
    if [ -f "/.dockerenv" ];then
        IsContainer=1
    elif [ -f "/proc/1/cgroup" ] && grep -qiE "docker|kubepods|containerd" /proc/1/cgroup;then
        IsContainer=1
    fi

    if [ $IsContainer -eq 0 ];then
        echo -e "\033[31m[-] Not currently a container environment.\033[0m"
        exit 1
    else
        echo -e "\033[33m[!] Currently in a container, checking ......\033[0m"
        VulnerabilityExists=0
    fi
}


# 1. Check Privileged Mode
CheckPrivilegedMode(){
    IsPrivilegedMode=0
    if [ -f "/proc/self/status" ];then
        # A privileged container holds every capability, so CapEff equals the all-ones mask for this
        # kernel's capability count (0x3fffffffff with 38 capabilities, 0x1ffffffffff from 5.9 on).
        CapEff=$(awk '/^CapEff:/{print $2}' /proc/self/status)
        if [ -r /proc/sys/kernel/cap_last_cap ];then
            LastCap=$(cat /proc/sys/kernel/cap_last_cap)
            FullCapMask=$(printf '%016x' $(( (1 << (LastCap + 1)) - 1 )))
            [ "$CapEff" = "$FullCapMask" ] && IsPrivilegedMode=1
        else
            # Fallback: the fixed masks of kernels with 38 or 37 capabilities.
            echo "$CapEff" | grep -qiE "0000003fffffffff|0000001fffffffff" && IsPrivilegedMode=1
        fi
    fi

    if [ $IsPrivilegedMode -eq 1 ];then
        echo -e "\033[92m[+] The current container is in privileged mode.\033[0m"
        VulnerabilityExists=1
    fi
}


# 2. Check Docker Socket Mount
CheckDockerSocketMount(){
    # docker.sock is a UNIX socket, so test with -S (-f is false for sockets).
    if [ -S "/var/run/docker.sock" ];then
        IsDockerSocketMount=1
    else
        IsDockerSocketMount=0
    fi

    if [ $IsDockerSocketMount -eq 1 ];then
        echo -e "\033[92m[+] The current container has docker socket mounted.\033[0m"
        VulnerabilityExists=1
    fi
}


# 3. Check Procfs Mount
CheckProcfsMount(){
    # The container's own /proc contributes one core_pattern; a second copy means another procfs
    # (normally the host's) is mounted somewhere below /.
    CorePatternCount=$(find / -name core_pattern 2>/dev/null | wc -l)
    if [ "$CorePatternCount" -ge 2 ];then
        IsProcfsMount=1
    else
        IsProcfsMount=0
    fi

    if [ $IsProcfsMount -eq 1 ];then
        echo -e "\033[92m[+] The current container has procfs mounted.\033[0m"
        VulnerabilityExists=1
    fi
}


# 4. Check Root Directory Mount
CheckRootDirectoryMount(){
    # The image's own /etc/passwd is one hit; any further path ending in /etc/passwd belongs to
    # another root (or etc) directory, normally the host's, mounted somewhere below /.
    PasswdCount=$(find / -name passwd 2>/dev/null | grep -c '/etc/passwd$')
    if [ "$PasswdCount" -ge 2 ];then
        IsRootDirectoryMount=1
    else
        IsRootDirectoryMount=0
    fi

    if [ $IsRootDirectoryMount -eq 1 ];then
        echo -e "\033[92m[+] The current container has root directory mounted.\033[0m"
        VulnerabilityExists=1
    fi
}


# 5. Check Docker Remote API
CheckDockerRemoteAPI(){
    InstallCommand hostname
    # Assume the Docker host is the first address of the container network (x.y.z.1) and probe
    # the daemon's plain (2375) and TLS (2376) ports.
    IP=$(hostname -i | awk '{print $1}' | awk -F. '{print $1 "." $2 "." $3 ".1"}')
    for PORT in 2375 2376
    do
        if timeout 3 bash -c "echo -e >/dev/tcp/$IP/$PORT" >/dev/null 2>&1 ;then
            echo -e "\033[92m[+] The Docker Remote API for the current container is enabled.\033[0m"
            VulnerabilityExists=1
        fi
    done
}


# Kernel version as x.y.z (the part of uname -r before any "-" build suffix).
LinuxKernelVersion=$(uname -r | awk -F '-' '{print $1}')
# Keep only digits in each part (a trailing "+" would break the arithmetic tests) and default a
# missing part to 0.
KernelVersion=$(echo "$LinuxKernelVersion" | awk -F '.' '{gsub(/[^0-9]/, "", $1); print $1 + 0}')
MajorRevision=$(echo "$LinuxKernelVersion" | awk -F '.' '{gsub(/[^0-9]/, "", $2); print $2 + 0}')
MinorRevision=$(echo "$LinuxKernelVersion" | awk -F '.' '{gsub(/[^0-9]/, "", $3); print $3 + 0}')
# Note: distributions backport fixes without changing the upstream version number, so the version
# range checks below can report a patched distribution kernel as vulnerable.


# 6. Check CVE-2016-5195 DirtyCow
# 2.6.22 <= ver <= 4.8.3
CheckCVE_2016_5195DirtyCow(){
    # Branches: 2.6.22 <= ver < 2.7, 2.7 <= ver < 3, all of 3.x, 4.0 <= ver < 4.8, 4.8.0 <= ver <= 4.8.3
    if [[ ( "$KernelVersion" -eq 2 && "$MajorRevision" -eq 6 && "$MinorRevision" -ge 22 ) ||
          ( "$KernelVersion" -eq 2 && "$MajorRevision" -ge 7 ) ||
          "$KernelVersion" -eq 3 ||
          ( "$KernelVersion" -eq 4 && "$MajorRevision" -lt 8 ) ||
          ( "$KernelVersion" -eq 4 && "$MajorRevision" -eq 8 && "$MinorRevision" -le 3 ) ]];then
        echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m"
        VulnerabilityExists=1
    fi
}


# 7. CVE-2020-14386
# 4.6 <= ver < 5.9
CheckCVE_2020_14386(){
    # Branches: 4.6 <= ver < 5, 5.0 <= ver < 5.9
    if [[ ( "$KernelVersion" -eq 4 && "$MajorRevision" -ge 6 ) ||
          ( "$KernelVersion" -eq 5 && "$MajorRevision" -lt 9 ) ]];then
        echo -e "\033[92m[+] The current container has the CVE-2020-14386 vulnerability.\033[0m"
        VulnerabilityExists=1
    fi
}


# 8. CVE-2022-0847 DirtyPipe
# Vulnerable: 5.8 <= ver < 5.10.102, 5.11 <= ver < 5.15.25, 5.16 <= ver < 5.16.11
# (fixed in 5.10.102, 5.15.25 and 5.16.11; later patch releases on those branches are not vulnerable)
CheckCVE_2022_0847(){
    if [ "$KernelVersion" -eq 5 ];then
        if [[ ( "$MajorRevision" -ge 8 && "$MajorRevision" -lt 10 ) ||
              ( "$MajorRevision" -eq 10 && "$MinorRevision" -lt 102 ) ||
              ( "$MajorRevision" -gt 10 && "$MajorRevision" -lt 15 ) ||
              ( "$MajorRevision" -eq 15 && "$MinorRevision" -lt 25 ) ||
              ( "$MajorRevision" -eq 16 && "$MinorRevision" -lt 11 ) ]];then
            echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m"
            VulnerabilityExists=1
        fi
    fi
}


# 9. CVE-2017-1000112
# 4.4 <= ver <= 4.13
CheckCVE_2017_1000112(){
    if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -ge 4 && "$MajorRevision" -le 13 ]];then
        echo -e "\033[92m[+] The current container has the CVE-2017-1000112 vulnerability.\033[0m"
        VulnerabilityExists=1
    fi
}


# 10. CVE-2021-22555
# 2.6.19 <= ver <= 5.12
CheckCVE_2021_22555(){
    # Branches: 2.6.19 <= ver < 2.7, 2.7 <= ver < 3, all of 3.x and 4.x, 5.0 <= ver <= 5.12
    if [[ ( "$KernelVersion" -eq 2 && "$MajorRevision" -eq 6 && "$MinorRevision" -ge 19 ) ||
          ( "$KernelVersion" -eq 2 && "$MajorRevision" -ge 7 ) ||
          "$KernelVersion" -eq 3 || "$KernelVersion" -eq 4 ||
          ( "$KernelVersion" -eq 5 && "$MajorRevision" -le 12 ) ]];then
        echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m"
        VulnerabilityExists=1
    fi
}


# 11. Mount Host Var Log
CheckVarLogMount(){
    # Only meaningful in a Kubernetes pod; the projected service account token marks that environment.
    if [ -f "/var/run/secrets/kubernetes.io/serviceaccount/token" ];then
        IsPodEnv=1
    else
        IsPodEnv=0
    fi
    if [ $IsPodEnv -eq 1 ];then
        # The image normally provides lastlog itself (the log file and the lastlog binary); an extra
        # copy points at the host's /var/log mounted into the pod.
        LastlogCount=$(find / -name lastlog 2>/dev/null | wc -l)
        if [ "$LastlogCount" -ge 3 ];then
            IsVarLogMount=1
        else
            IsVarLogMount=0
        fi
        if [ $IsVarLogMount -eq 1 ];then
            echo -e "\033[92m[+] The current container has /var/log mounted.\033[0m"
            VulnerabilityExists=1
        fi
    fi
}


# 12. Check CAP_DAC_READ_SEARCH
CheckCAP_DAC_READ_SEARCH(){
    if command -v capsh >/dev/null 2>&1; then
        # capsh --print lists the current and the bounding set; in a Docker container the two are
        # normally identical, so a match in either is treated as the capability being held.
        if capsh --print | grep -q cap_dac_read_search ;then
            echo -e "\033[92m[+] The current container has the CAP_DAC_READ_SEARCH capability.\033[0m"
            VulnerabilityExists=1
        fi
    fi
}


# 13. Check CAP_SYS_ADMIN
CheckCAP_SYS_ADMIN(){
    if command -v capsh >/dev/null 2>&1; then
        if capsh --print | grep -q cap_sys_admin ;then
            echo -e "\033[92m[+] The current container has the CAP_SYS_ADMIN capability.\033[0m"
            VulnerabilityExists=1
        fi
    fi
}


# 14. Check CAP_SYS_PTRACE
CheckCAP_SYS_PTRACE(){
    if command -v capsh >/dev/null 2>&1; then
        if capsh --print | grep -q cap_sys_ptrace ;then
            echo -e "\033[92m[+] The current container has the CAP_SYS_PTRACE capability.\033[0m"
            VulnerabilityExists=1
        fi
    fi
}


# 15. Check CVE-2022-0492, Code By https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492/blob/main/can-ctr-escape-cve-2022-0492.sh
CheckCVE_2022_0492(){
    # Setup test dir
    test_dir=/tmp/.cve-2022-0492-test
    if mkdir -p $test_dir ; then
        # Test whether escape via user namespaces is possible: in a fresh user+mount+cgroup
        # namespace, can a cgroup v1 hierarchy be mounted with a writable release_agent?
        while read -r subsys
        do
            if unshare -UrmC --propagation=unchanged bash -c "mount -t cgroup -o $subsys cgroup $test_dir 2>&1 >/dev/null && test -w $test_dir/release_agent" >/dev/null 2>&1 ; then
                echo -e "\033[92m[+] The current container has the CVE-2022-0492 vulnerability.\033[0m"
                VulnerabilityExists=1
                # One writable release_agent is enough; stop instead of reporting every subsystem.
                break
            fi
        done <<< $(cat /proc/$$/cgroup | grep -Eo '[0-9]+:[^:]+' | grep -Eo '[^:]+$')
        # The mounts lived in the throwaway namespaces, so umount usually has nothing to do;
        # remove the directory regardless.
        umount $test_dir >/dev/null 2>&1
        rm -rf $test_dir >/dev/null 2>&1
    fi
}


main()
{
    # 0. Check the current environment
    CheckTheCurrentEnvironment

    # 1. Check Privileged Mode
    CheckPrivilegedMode

    # 2. Check Docker Socket Mount
    CheckDockerSocketMount

    # 3. Check Procfs Mount
    CheckProcfsMount

    # 4. Check Root Directory Mount
    CheckRootDirectoryMount

    # 5. Check Docker Remote API
    CheckDockerRemoteAPI

    # 6. Check CVE-2016-5195 DirtyCow
    CheckCVE_2016_5195DirtyCow

    # 7. CVE-2020-14386
    CheckCVE_2020_14386

    # 8. CVE-2022-0847 DirtyPipe
    CheckCVE_2022_0847

    # 9. CVE-2017-1000112
    CheckCVE_2017_1000112

    # 10. CVE-2021-22555
    CheckCVE_2021_22555

    # 11. Mount Host Var Log
    CheckVarLogMount

    # The three capability checks need capsh; install it if it is missing.
    InstallCommand capsh

    # 12. Check CAP_DAC_READ_SEARCH
    CheckCAP_DAC_READ_SEARCH

    # 13. Check CAP_SYS_ADMIN
    CheckCAP_SYS_ADMIN

    # 14. Check CAP_SYS_PTRACE
    CheckCAP_SYS_PTRACE

    # 15. Check CVE-2022-0492
    CheckCVE_2022_0492


    if [ $VulnerabilityExists -eq 0 ];then
        echo -e "\033[33m[!] Check completed, no vulnerability found.\033[0m"
    else
        echo -e "\033[33m[!] Check completed.\033[0m"
    fi
}

main
--------------------------------------------------------------------------------
/img.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/teamssix/container-escape-check/b3c3db0f6ae76e5000c1508c53b671e33ffd3706/img.png
--------------------------------------------------------------------------------
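The per-CVE functions in container-escape-check.sh above encode each vulnerable range as a chain of comparisons on KernelVersion, MajorRevision and MinorRevision, and the DirtyPipe branches show how easy it is to get a boundary wrong. As an added example (not part of the project), the table-driven version below keeps the script's ranges as lo/hi pairs with lo inclusive and hi exclusive, encodes x.y.z as a single integer, and runs a few constructed uname -r strings through it, including the 5.10.101/5.10.102 boundary. Like the script it only sees the upstream version number: a distribution kernel that backports a fix keeps the same number, which is where the README's false-positive caveat comes from.

```shell
#!/bin/bash
# Added example, not part of container-escape-check: table-driven kernel version range checks
# using the ranges given in the script's comments.

# VersionNumber X.Y.Z -> X*1000000 + Y*1000 + Z; missing parts count as 0 and non-digits are dropped.
VersionNumber(){
    echo "$1" | awk -F '.' '{
        for (i = 1; i <= 3; i++) gsub(/[^0-9]/, "", $i)
        printf "%d\n", $1 * 1000000 + $2 * 1000 + $3
    }'
}

# One "CVE lo hi" record per line, meaning lo <= ver < hi. A CVE with several fixed
# stable branches (DirtyPipe) simply gets several records.
VULN_RANGES='
CVE-2016-5195 2.6.22 4.8.4
CVE-2020-14386 4.6.0 5.9.0
CVE-2022-0847 5.8.0 5.10.102
CVE-2022-0847 5.11.0 5.15.25
CVE-2022-0847 5.16.0 5.16.11
CVE-2017-1000112 4.4.0 4.14.0
CVE-2021-22555 2.6.19 5.13.0
'

# VulnerableCVEs RELEASE -> sorted, space-separated CVE ids whose range contains the upstream
# part of RELEASE (the text before the first "-", as in the output of uname -r).
VulnerableCVEs(){
    ver=$(VersionNumber "${1%%-*}")
    echo "$VULN_RANGES" | while read -r cve lo hi; do
        [ -n "$cve" ] || continue
        if [ "$ver" -ge "$(VersionNumber "$lo")" ] && [ "$ver" -lt "$(VersionNumber "$hi")" ]; then
            echo "$cve"
        fi
    done | LC_ALL=C sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Constructed uname -r values that exercise the boundaries (not taken from any real host).
for release in 4.8.3 4.8.4-generic 5.10.101-generic 5.10.102-generic 5.15.24 5.16.11-arch1-1; do
    printf '%-20s -> %s\n' "$release" "$(VulnerableCVEs "$release")"
done

# The kernel this example runs on, if uname is available.
if command -v uname >/dev/null 2>&1; then
    printf '%-20s -> %s\n' "$(uname -r)" "$(VulnerableCVEs "$(uname -r)")"
fi
```

Note that 5.10.102 still reports CVE-2021-22555 because the script's range for it runs up to 5.12 even though the fix was carried into the 5.10 stable series; a version-only check cannot distinguish that from an unpatched kernel, so such findings need to be confirmed against the distribution's changelog.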