
Container Rooting + Escape (GameOver(lay)) (CVE-2023-2640, CVE-2023-32629)

Open h00die opened this issue 2 years ago • 4 comments

Summary

Brief explanation of the module.

Basic example

Writeup: https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/

PoC (untested and unevaluated): https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629

Motivation

Containers suck, break out of them and pwn the host

h00die avatar Jan 30 '24 00:01 h00die

I've tested the exploit script provided by @g1vi on an Ubuntu Focal Fossa 20.04.6 with a 5.4.0-1018-aws kernel, independently verifying exploitability of CVE-2023-32629. Based on my research, the exploit still needs to be tested for CVE-2023-2640.

I've developed a module from the PoC. This vulnerability is somewhat unique in that a varied assortment of Ubuntu and kernel version combinations are vulnerable. For example, Lunar Lobster 6.2.0 is vulnerable to both CVEs, but Lunar Lobster 5.15.0 and 5.19.0 are immune from exploitation of this vulnerability. Likewise, Focal Fossa 5.4.0, the system I tested the module on, is only vulnerable to CVE-2023-32629, and no other kernel versions appear vulnerable. This module ensures that the exploit only executes on a valid combination of vulnerable distro/kernel.

The module is 90% finished. I tested it using a meterpreter bind shell, and it runs the exact same commands as the script provided by g1vi, passing the command as an argument to cmd_exec. Unfortunately, the script runs the commands but the session is not provided with an exploited shell. The commands run a root shell, as shown by the picture below; we just need a way to get the session into the spawned shell. I was thinking of making an option for a classic reverse shell, but before doing that it'd be best if an elevated shell could be gained without creating another suspicious network connection. I'm just not sure of how to go about this.

I've also tried running the exploit with session.sys.process.execute after reading through a couple of similar exploits, but that did not get the proper results. How do I get the meterpreter to interact with the elevated shell from the exploit? Will the command I run have to be different if the session isn't from a meterpreter? Thanks.

Running the auto-check and exploit completing: [screenshot]

Checking the vulnerable process on the host: [screenshot]

gardnerapp avatar Aug 27 '24 18:08 gardnerapp
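To illustrate the distro/kernel gating gardnerapp describes, here is an added Ruby example (not code from the module, the PoC, or the Metasploit project). The table holds only the distro/kernel pairs stated in the comment above, so it is a demonstration of the gating logic rather than a complete list of affected versions; the `/etc/os-release` text and `uname -r` strings are constructed sample input.

```ruby
# Added example: gate a vulnerability check on the Ubuntu codename / kernel
# base version pairs named in the thread. This is NOT an authoritative list of
# affected versions; it only encodes what the comment above states.
VULNERABLE_COMBOS = {
  ['focal', '5.4.0'] => ['CVE-2023-32629'],
  ['lunar', '6.2.0'] => ['CVE-2023-2640', 'CVE-2023-32629']
}.freeze

# Pairs the thread reports as not affected, so the check can answer :safe
# rather than :unknown for them.
NOT_VULNERABLE_COMBOS = [
  ['lunar', '5.15.0'],
  ['lunar', '5.19.0']
].freeze

# Reduce a full `uname -r` string such as "5.4.0-1018-aws" to its x.y.z base.
def kernel_base(release)
  m = release.to_s.match(/\A(\d+\.\d+\.\d+)/)
  m && m[1]
end

# Pull VERSION_CODENAME out of /etc/os-release style text.
def os_codename(os_release_text)
  os_release_text.each_line do |line|
    key, value = line.strip.split('=', 2)
    return value.to_s.delete('"') if key == 'VERSION_CODENAME'
  end
  nil
end

# Returns [:vulnerable, cves], [:safe, []] or [:unknown, []] for the host.
# :unknown is deliberate: a pair not in either table must not be treated as
# exploitable, which is the point of the gating in the module.
def check_host(os_release_text, uname_r)
  codename = os_codename(os_release_text)
  base = kernel_base(uname_r)
  return [:unknown, []] if codename.nil? || base.nil?

  key = [codename, base]
  return [:vulnerable, VULNERABLE_COMBOS[key]] if VULNERABLE_COMBOS.key?(key)
  return [:safe, []] if NOT_VULNERABLE_COMBOS.include?(key)

  [:unknown, []]
end

# Constructed sample input mirroring the host described in the comment.
SAMPLE_OS_RELEASE = <<~OSR
  NAME="Ubuntu"
  VERSION="20.04.6 LTS (Focal Fossa)"
  VERSION_CODENAME=focal
OSR

if $PROGRAM_NAME == __FILE__
  puts check_host(SAMPLE_OS_RELEASE, '5.4.0-1018-aws').inspect
  puts check_host("VERSION_CODENAME=lunar\n", '5.15.0-generic').inspect
end
```

On a real host the two inputs would come from `/etc/os-release` and `uname -r`; keeping the lookup keyed on the kernel base version rather than the full release string is what lets one table entry cover the many `-NNNN-aws` / `-generic` builds of the same base.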

Typically bind payloads are frowned on since there are so many potential issues with networking/firewalls. If you want to keep it simple, some of the other local only payloads may be better (add user, file write), or a ping payload.

h00die avatar Sep 04 '24 20:09 h00die

@gardnerapp there are a couple of minor things I see, and I cannot comment because it is not a PR. If I were you, since this is a command execution vuln, I'd look more at the ARCH_CMD payloads or Python, but as @h00die says, the first step is to get any command running in the shell, even touch. If that works, look to payloads. I'm not familiar with this, but if you wanted to put up a draft PR with setup instructions, someone could do a bit more to help.

bwatters-r7 avatar Sep 04 '24 20:09 bwatters-r7

Just submitted a pull request here, thanks for the help!

gardnerapp avatar Sep 13 '24 14:09 gardnerapp