rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Container Rooting + Escape (GameOver(lay)) (CVE-2023-2640, CVE-2023-32629) #18765

Open h00die opened 7 months ago

h00die commented 7 months ago

Summary

Brief explanation of the module.

Basic example

Writeup: https://www.crowdstrike.com/blog/crowdstrike-discovers-new-container-exploit/

PoC (untested and unevaluated): https://github.com/g1vi/CVE-2023-2640-CVE-2023-32629

Motivation

Containers suck, break out of them and pwn the host

gardnerapp commented 3 weeks ago

I've tested the exploit script provided by @g1vi on an Ubuntu Focal Fossa 20.04.6 with a 5.4.0-1018-aws kernel, independently verifying exploitability of CVE-2023-32629. Based on my research the exploit still needs to be tested for CVE-2023-2640.

I've developed a module from the PoC. This vulnerability is somewhat unique in that a varied assortment of Ubuntu and kernel version combinations are vulnerable. For example, Lunar Lobster 6.2.0 is vulnerable to both CVEs, but Lunar Lobster 5.15.0 and 5.19.0 are immune from exploitation of this vulnerability. Likewise, Focal Fossa 5.4.0, the system I tested the module on, is only vulnerable to CVE-2023-32629, and no other kernel versions appear vulnerable. This module ensures that the exploit only executes on a valid combination of vulnerable distro/kernel.

The module is 90% finished. I tested it using a meterpreter bind shell and it runs the exact same commands as the script provided by g1vi, passing the command as an argument to cmd_exec. Unfortunately, the script runs the commands but the session is not provided with an exploited shell. The commands run a root shell, as shown by the picture below; we just need a way to get the session into the spawned shell. I was thinking of making an option for a classic reverse shell, but before doing that it'd be best if an elevated shell could be gained without creating another suspicious network connection. I'm just not sure of how to go about this.

I've also tried running the exploit with session.sys.process.execute after reading through a couple of similar exploits, but that did not get the proper results. How do I get the meterpreter to interact with the elevated shell from the exploit? Will the command I run have to be different if the session isn't from a meterpreter? Thanks.

Running the auto-check and exploit completing:

[Screenshot, 2024-08-25 4:02 PM]

Checking the vulnerable process on the host:

[Screenshot, 2024-08-25 4:01 PM]

h00die commented 1 week ago

Typically bind payloads are frowned on since there are so many potential issues with networking/firewalls. If you want to keep it simple, some of the other local only payloads may be better (add user, file write), or a ping payload.

bwatters-r7 commented 1 week ago

@gardnerapp there are a couple of minor things I see, and I cannot comment because it is not a PR. If I were you, since this is a command execution vuln, I'd look more at the ARCH_CMD payloads or Python, but as @h00die says, the first step is to get any command running in the shell, even touch. If that works, look to payloads. I'm not familiar with this, but if you wanted to put up a draft PR with setup instructions, someone could do a bit more to help.

gardnerapp commented 4 days ago

Just submitted a pull request here, thanks for the help!