fix(exp): unprivileged_userns_clone sysctl file do not exist in CentOS
neargle committed Mar 10, 2022
1 parent 19d8c3e commit 19fdff2
Showing 2 changed files with 29 additions and 11 deletions.
11 changes: 0 additions & 11 deletions pkg/exploit/abuse_unpriv_userns.go
Expand Up @@ -29,11 +29,9 @@ import (
"github.com/cdk-team/CDK/pkg/plugin"
"github.com/cdk-team/CDK/pkg/util"
"golang.org/x/sys/unix"
"io/ioutil"
"log"
"os"
"os/exec"
"strings"
"syscall"
)

Expand Down Expand Up @@ -77,15 +75,6 @@ func UnprivUserNS(cmd string) error {
return &errors.CDKRuntimeError{Err: nil, CustomMsg: "exploit only suitable for cgroup v1"}
}

// check prerequisites
data, err := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
if err != nil {
return &errors.CDKRuntimeError{Err: err, CustomMsg: "check prerequisites error."}
}

if strings.TrimSuffix(string(data), "\n") != "1" {
return &errors.CDKRuntimeError{Err: nil, CustomMsg: "host os does NOT enable unprivileged user namespace."}
}
// prerequisites satisfied, move current process in new user namespace
// https://elixir.bootlin.com/linux/v5.16.13/source/kernel/fork.c#L2957
// unshare can only be used in single-thread program. Golang program is always multi-thread.
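Review bot: The comment `// prerequisites satisfied, move current process in new user namespace` on the new side now directly follows the cgroup v1 check, but the prerequisite it referred to (the read of /proc/sys/kernel/unprivileged_userns_clone) has been removed from this function and no call to the new util.CheckUnpriUserNS appears in the hunk, so the comment no longer describes what was checked. Either reword it to name the remaining prerequisite (`// cgroup v1 confirmed, move current process in new user namespace`) or, if the helper was meant to be invoked here, add that call before the comment. UnprivUserNS starts and ends outside the hunk, so the call may live in a part not shown; the `util` import at the top of the file is retained, which is consistent with either reading.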
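--- /dev/null
+++ b/pkg/util/namespace.go
@@ -0,0 +1,29 @@
+package util
+
+import (
+"io/ioutil"
+"strings"
+
+"github.com/cdk-team/CDK/pkg/errors"
+)
+
+// CheckUnpriUserNS checks if the current host enable unprivileged user namespace.
+// reference:
+// https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
+// https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
+// exceptional case:
+// the sysctl files(/proc/sys/kernel/unprivileged_userns_clone) only exist in Debian, Ubuntu.
+// We can not check the sysctl file in other distros, test in CentOS Linux release 8.4.2105 (Core).
+func CheckUnpriUserNS() error {
+
+data, err := ioutil.ReadFile("/proc/sys/kernel/unprivileged_userns_clone")
+if err != nil {
+return &errors.CDKRuntimeError{Err: err, CustomMsg: "check prerequisites error."}
+}
+
+if strings.TrimSuffix(string(data), "\n") != "1" {
+return &errors.CDKRuntimeError{Err: nil, CustomMsg: "host os does NOT enable unprivileged user namespace."}
+}
+
+return nil
+}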
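Review bot: CheckUnpriUserNS collapses every ReadFile failure into the same "check prerequisites error." result, so the exceptional case its own doc comment describes (the sysctl file is absent on CentOS) is reported to the caller exactly like a permission or I/O failure, and the caller cannot tell "could not determine" from "check failed". A dedicated branch on `os.IsNotExist(err)` after the ReadFile call, returning a CDKRuntimeError whose message says the setting could not be determined on this distro, would make the documented case explicit in code; note that `errors` in this file is the project package, so the stdlib `errors.Is` is not reachable under that name without an alias. `ioutil.ReadFile` is deprecated in favour of `os.ReadFile` since Go 1.16, though the module's Go version is not visible here. The doc comment's first sentence should read `checks if the current host enables unprivileged user namespaces`.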

1 comment on commit 19fdff2

@neargle
image
