Associated Vulnerability
Title: Linux kernel security vulnerability (CVE-2022-0847)
Description: A flaw was found in the way the "flags" member of the new pipe buffer structure was lacking proper initialization in the copy_page_to_iter_pipe and push_pipe functions in the Linux kernel and could thus contain stale values. An unprivileged local user could use this flaw to write to pages in the page cache backed by read-only files and as such escalate their privileges on the system.
Description
CVE-2022-0847 (Dirty Pipe) used to achieve container escape
Readme
# CVE-2022-0847
CVE-2022-0847 used to achieve container escape (overwrite any read-only files on host)
Slides (in Chinese) available [here](./slides-zh.pdf)
Uses CVE-2022-0847 (Dirty Pipe) to achieve container escape (the effect is overwriting any read-only file on the host)
The Chinese presentation slides are [here](./slides-zh.pdf)
## Introduction
If the kernel is vulnerable to CVE-2022-0847, an attacker can overwrite read-only files (non-persistently: the write lands in the page cache, not on disk; visit https://dirtypipe.cm4all.com/ for details). However, a container can normally only reach files inside the container. When the container is granted `CAP_DAC_READ_SEARCH`, the attacker can overwrite files on the host as well.
## Explanation
As https://dirtypipe.cm4all.com/ explains, to overwrite a read-only file we must `splice()` it into a pipe. To call `splice()`, we first need to open the target file with the `O_RDONLY` flag to obtain a **file descriptor**.
That is where `CAP_DAC_READ_SEARCH` comes in. According to the [Linux manual](https://man7.org/linux/man-pages/man7/capabilities.7.html), a process holding `CAP_DAC_READ_SEARCH` can:
+ Bypass file read permission checks and directory read and execute permission checks
+ Invoke `open_by_handle_at(2)`
With `CAP_DAC_READ_SEARCH`, a process inside the container can search the host filesystem and use `open_by_handle_at(2)` to open any host file read-only, obtaining its **file descriptor** (visit http://stealth.openwall.net/xSports/shocker.c for details; this is the same primitive the "shocker" escape used).
Once we hold a **file descriptor** for the target file on the host, we can `splice()` its content into a pipe and overwrite it exactly as in the original Dirty Pipe write-up.
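The two conditions the explanation above relies on, a kernel in the affected range and a container that was granted `CAP_DAC_READ_SEARCH`, are both things a defender can audit. The following Python is an added example written for this page, not code from the repository or from the cm4all write-up: it classifies a `uname -r` string against the upstream fixed versions the cited write-up lists (bug introduced in 5.8; fixed in 5.16.11, 5.15.25, 5.10.102 and in mainline 5.17) and scans `docker inspect` output for containers that hold the capability directly, via `CapAdd=ALL`, or via `--privileged`. The `docker inspect` records used as input are constructed sample data, and the version check is a triage signal only: distribution kernels backport fixes without changing the version number, so a hit means "check the vendor advisory", not "confirmed vulnerable".

```python
"""Defender-side checks for the CVE-2022-0847 (Dirty Pipe) container-escape path:
(1) is the host kernel's upstream version inside the affected window, and
(2) does a container carry CAP_DAC_READ_SEARCH, which is what lets it reach
host files through open_by_handle_at(2)."""
import json
import re

# Version window taken from the cm4all write-up cited in the README.
INTRODUCED = (5, 8, 0)          # first affected release
FIXED_MAINLINE = (5, 17, 0)     # every mainline release from here on has the fix
FIXED_STABLE = {                # stable series that received a backported fix
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}

# Capabilities that, per the README, are sufficient to open arbitrary host files.
RISKY_CAPS = {"DAC_READ_SEARCH", "ALL"}


def parse_kernel_release(release):
    """Turn a `uname -r` string such as '5.15.0-25-generic' into (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_in_affected_range(release):
    """True if the upstream version number lies inside the CVE-2022-0847 window.
    Distro kernels backport fixes without bumping this number, so a True result
    means 'verify against the vendor advisory', not 'confirmed vulnerable'."""
    v = parse_kernel_release(release)
    if v < INTRODUCED or v >= FIXED_MAINLINE:
        return False
    fix = FIXED_STABLE.get(v[:2])
    if fix is None:
        return True             # 5.9 to 5.14 were non-LTS series and never got a fix
    return v < fix


def _normalise_cap(cap):
    """Docker accepts both 'CAP_DAC_READ_SEARCH' and 'DAC_READ_SEARCH'; compare uniformly."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_containers(inspect_output):
    """Return (container name, reason) for every container in `docker inspect`
    JSON whose HostConfig grants DAC_READ_SEARCH directly, via CapAdd=ALL, or
    via --privileged (which implies the full capability set)."""
    findings = []
    for record in json.loads(inspect_output):
        name = record.get("Name", "?").lstrip("/")
        host_config = record.get("HostConfig", {})
        if host_config.get("Privileged"):
            findings.append((name, "privileged: all capabilities including DAC_READ_SEARCH"))
            continue
        granted = {_normalise_cap(c) for c in (host_config.get("CapAdd") or [])}
        hit = granted & RISKY_CAPS
        if hit:
            findings.append((name, "CapAdd grants " + ", ".join(sorted(hit))))
    return findings


# Constructed sample in the shape of `docker inspect` output (only the fields used).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",   "HostConfig": {"Privileged": False, "CapAdd": None}},
    {"Name": "/exp",   "HostConfig": {"Privileged": False, "CapAdd": ["CAP_DAC_READ_SEARCH"]}},
    {"Name": "/build", "HostConfig": {"Privileged": True,  "CapAdd": None}},
])

if __name__ == "__main__":
    for rel in ("5.4.0-100-generic", "5.10.101", "5.10.102", "5.13.19", "5.15.0-25-generic", "5.17.2"):
        print(f"{rel:20} {'in affected range' if kernel_in_affected_range(rel) else 'outside window'}")
    for name, why in audit_containers(SAMPLE_INSPECT):
        print(f"container {name}: {why}")
```

In practice the second check is fed with `docker inspect $(docker ps -q)`; the first with `uname -r` on each host. A container that needs `CAP_DAC_READ_SEARCH` for a legitimate reason should be treated as equivalent to host root for file access until the kernel is confirmed patched.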
## Usage
```bash
cp /etc/passwd . # back up /etc/passwd
gcc dp.c -o dp
docker run --rm -it -v $(pwd):/exp --cap-add=CAP_DAC_READ_SEARCH ubuntu
/exp/dp /etc/passwd 1 ootz: # overwrite /etc/passwd on host from offset 1
/exp/dp /etc/passwd # dump /etc/passwd on host
```
## Example
First, as root on the host, create a read-only file `/home/vagrant/flag.txt` whose content is `hello world`:

Then start a container with the `CAP_DAC_READ_SEARCH` capability and first try to dump `/home/vagrant/flag.txt` from the host; we get `hello world`:

Next, try to overwrite the target file from offset 1 with the content `abcdefghij`:

Dump the target file again: the content is now `habcdefghij`. Exit the container and check `/home/vagrant/flag.txt` on the host; its content is `habcdefghij`.

We have overwritten a file on the host from inside the container.
## Credits
+ https://dirtypipe.cm4all.com/
+ http://stealth.openwall.net/xSports/shocker.c
File Snapshot
[4.0K] /data/pocs/6a79061343150b489769299ae3c511ef68dcaf54
├── [6.0K] dp.c
├── [4.0K] images
│ ├── [ 53K] dump-1.png
│ ├── [ 33K] dump.png
│ ├── [ 35K] touch.png
│ └── [ 31K] write.png
├── [1.0K] LICENSE
├── [2.5K] README.md
└── [754K] slides-zh.pdf
1 directory, 8 files