Merge pull request #17 from PercussiveElbow/cve_2020_15257

Add CVE-2020-15257 check
PercussiveElbow · Dec 5, 2020 · 8501d0f · 8501d0f
2 parents 198fc22 + c03c15e
commit 8501d0f
Show file tree

Hide file tree

Showing 5 changed files with 36 additions and 6 deletions.
diff --git a/src/breakouts/cve/cve_2019_5736.cr b/src/breakouts/cve/cve_2019_5736.cr
@@ -1,5 +1,5 @@
 
-def cve_2019_5736(user_payload : String)
+def attempt_cve_2019_5736(user_payload : String)
     payload = "#!/bin/bash \n #{user_payload}" 
     puts("==== ATTEMPTING CVE-2019-5736 ====")
     puts("=> WARNING: If successful this exploit will corrupt runC on the host OS.")

diff --git a/src/breakouts/cve/cve_2020_15257.cr b/src/breakouts/cve/cve_2020_15257.cr
@@ -0,0 +1,5 @@
+# Stub 
+
+def attempt_cve_2020_15257()
+    puts("!  CVE-2020 escape PoC not currently implemented.")
+end
diff --git a/src/checks/cve/cve_2020_15257_check.cr b/src/checks/cve/cve_2020_15257_check.cr
@@ -0,0 +1,17 @@
+
+def cve_2020_15257_check() 
+    puts("==> CVE-2020-1527 check - Looking for abstract socket mentioning containerd")
+    begin
+        File.open("/proc/net/unix").each_line do | line | 
+            if line.includes?("@/containerd")
+                puts("•  Container vulnerable to CVE-2020-1527. Found the following abstract socket: ")
+                puts(line)
+                return true
+            end
+        end
+    rescue ex
+        puts("! Error checking for CVE-2020-15257.")
+    end
+    puts("•  No mentions of containerd in abstract sockets, host does not appear vulnerable to CVE-2020-1527")
+    false
+end
diff --git a/src/checks/main_checks.cr b/src/checks/main_checks.cr
@@ -2,4 +2,6 @@ require "./container/*"
 require "./device/*"
 require "./network_socket/*"
 require "./unix_socket/*"
-require "./capability/*"
+require "./capability/*"
+# require "./namespaces/*"
+require "./cve/*"
diff --git a/src/docker-escape.cr b/src/docker-escape.cr
@@ -7,8 +7,6 @@ require "docker"
 def main
   logo()
   #user_namespace_enabled=false  
-  # cve_2019_5736("#!/bin/bash \n cat /etc/shadow3 > /tmp/shadow3 && chmod 777 /tmp/shadow3")
-
   if ARGV.size>0 
     case ARGV[0].to_s
       when "check"
@@ -27,11 +25,13 @@ def main
         if ARGV.size > 1
           payload = ARGV[1]
           puts(payload)
-          cve_2019_5736(payload)
+          attempt_cve_2019_5736(payload)
         else
           puts("No payload supplied.")
           exit(1)
         end
+      when "cve-2020–15257" && cve_2020_15257_check()
+          attempt_cve_2020_15257()
       else
         usage()
     end
@@ -45,11 +45,11 @@ def auto
   puts("\n================================================")
   puts("======= Start common breakout techniques =======")
   puts("================================================")
-
   attempt_device_breakout()
   attempt_unix_socket_breakout()
   attempt_network_socket_breakout()
   attempt_capability_breakout()
+  attempt_cve_2020_15257_breakout()
 end
 
 def attempt_device_breakout()
@@ -82,4 +82,10 @@ def attempt_network_socket_breakout()
   end
 end
 
+def attempt_cve_2020_15257_breakout()
+  if cve_2020_15257_check()
+    attempt_cve_2020_15257()
+  end
+end
+
 main()