|
#!/bin/bash |
|
|
|
|
|
echo -e "" |
|
echo -e "\033[34m=============================================================\033[0m" |
|
echo -e "\033[34m Containers Escape Check v0.3 \033[0m" |
|
echo -e "\033[34m-------------------------------------------------------------\033[0m" |
|
echo -e "\033[34m Author: TeamsSix \033[0m" |
|
echo -e "\033[34m Twitter: TeamsSix \033[0m" |
|
echo -e "\033[34m Blog: teamssix.com \033[0m" |
|
echo -e "\033[34m WeChat Official Accounts: TeamsSix \033[0m" |
|
echo -e "\033[34m Project Address: github.com/teamssix/container-escape-check \033[0m" |
|
echo -e "\033[34m=============================================================\033[0m" |
|
echo -e "" |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
CheckCommandExists(){ |
|
$1 >/dev/null 2>&1 |
|
ret=$? |
|
if [ "$ret" -eq 0 ]; then |
|
return 1 |
|
fi |
|
return 0 |
|
} |
|
|
|
|
|
|
|
InstallCommand(){ |
|
|
|
CheckCommandExists $1 |
|
if [ $? -eq 0 ]; then |
|
|
|
timeout 3 bash -c "echo -e >/dev/tcp/baidu.com/80" > /dev/null 2>&1 && IsNetWork=1 || IsNetWork=0 |
|
if [ $IsNetWork -eq 1 ];then |
|
echo -e "\033[93m[!] It is detected that the $1 command does not exist in the current system, and the command is being installed.\033[0m" |
|
|
|
CheckCommandExists sudo |
|
if [ $? -eq 0 ]; then |
|
CheckCommandExists apt-get |
|
if [ $? -eq 0 ];then |
|
if [ "$1" = "capsh" ];then |
|
apt-get -y update >/dev/null 2>&1 && apt-get install -y libcap2-bin >/dev/null 2>&1 |
|
else |
|
apt-get -y update >/dev/null 2>&1 && apt-get install -y $1 >/dev/null 2>&1 |
|
fi |
|
fi |
|
CheckCommandExists yum |
|
if [ $? -eq 0 ];then |
|
if [ "$1" = "capsh" ];then |
|
yum -y update >/dev/null 2>&1 && yum install -y libcap >/dev/null 2>&1 |
|
else |
|
yum -y update >/dev/null 2>&1 && yum install -y $1 >/dev/null 2>&1 |
|
fi |
|
fi |
|
else |
|
CheckCommandExists apt-get |
|
if [ $? -eq 0 ];then |
|
if [ "$1" = "capsh" ];then |
|
sudo apt-get -y update >/dev/null 2>&1 && apt-get install -y libcap2-bin >/dev/null 2>&1 |
|
else |
|
sudo apt-get -y update >/dev/null 2>&1 && apt-get install -y $1 >/dev/null 2>&1 |
|
fi |
|
fi |
|
CheckCommandExists yum |
|
if [ $? -eq 0 ];then |
|
if [ "$1" = "capsh" ];then |
|
sudo yum -y update >/dev/null 2>&1 && yum install -y libcap >/dev/null 2>&1 |
|
else |
|
sudo yum -y update >/dev/null 2>&1 && yum install -y $1 >/dev/null 2>&1 |
|
fi |
|
fi |
|
fi |
|
CheckCommandExists $1 |
|
if [ $? -eq 0 ]; then |
|
echo -e "\033[93m[!] $1 command installation failed.\033[0m" |
|
else |
|
echo -e "\033[93m[!] $1 command installation completed.\033[0m" |
|
fi |
|
fi |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckTheCurrentEnvironment(){ |
|
if [ ! -f "/proc/1/cgroup" ];then |
|
IsContainer=0 |
|
else |
|
cat /proc/1/cgroup | grep -qi docker && IsContainer=1 || IsContainer=0 |
|
fi |
|
|
|
if [ $IsContainer -eq 0 ];then |
|
echo -e "\033[31m[-] Not currently a container environment.\033[0m" |
|
exit 1 |
|
else |
|
echo -e "\033[33m[!] Currently in a container, checking ......\033[0m" |
|
VulnerabilityExists=0 |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckPrivilegedMode(){ |
|
if [ ! -f "/proc/self/status" ];then |
|
IsPrivilegedMode=0 |
|
else |
|
cat /proc/self/status | grep -qi "0000003fffffffff" && IsPrivilegedMode=1 || IsPrivilegedMode=0 |
|
cat /proc/self/status | grep -qi "0000001fffffffff" && IsPrivilegedMode=1 || IsPrivilegedMode=0 |
|
fi |
|
|
|
if [ $IsPrivilegedMode -eq 1 ];then |
|
echo -e "\033[92m[+] The current container is in privileged mode.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
} |
|
|
|
|
|
|
|
CheckDockerSocketMount(){ |
|
if [ ! -f "/var/run/docker.sock" ];then |
|
IsDockerSocketMount=0 |
|
else |
|
ls /var/run/ | grep -qi docker.sock && IsDockerSocketMount=1 || IsDockerSocketMount=0 |
|
fi |
|
|
|
if [ $IsDockerSocketMount -eq 1 ];then |
|
echo -e "\033[92m[+] The current container has docker socket mounted.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckProcfsMount(){ |
|
|
|
find / -name core_pattern 2>/dev/null | wc -l | grep -q 2 && IsProcfsMount=1 || IsProcfsMount=0 |
|
|
|
if [ $IsProcfsMount -eq 1 ];then |
|
echo -e "\033[92m[+] The current container has procfs mounted.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckRootDirectoryMount(){ |
|
|
|
find / -name passwd 2>/dev/null | grep /etc/passwd | wc -l | grep -q 7 && IsRootDirectoryMount=1 || IsRootDirectoryMount=0 |
|
|
|
if [ $IsRootDirectoryMount -eq 1 ];then |
|
echo -e "\033[92m[+] The current container has root directory mounted.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckDockerRemoteAPI(){ |
|
InstallCommand hostname |
|
for PORT in "2375" "2376" |
|
do |
|
IP=`hostname -i | awk -F. '{print $1 "." $2 "." $3 ".1"}' ` && timeout 3 bash -c "echo -e >/dev/tcp/$IP/$PORT" > /dev/null 2>&1 && DockerRemoteAPIIsEnabled=1 || DockerRemoteAPIIsEnabled=0 |
|
if [ $DockerRemoteAPIIsEnabled -eq 1 ];then |
|
echo -e "\033[92m[+] The Docker Remote API for the current container is enabled.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
done |
|
} |
|
|
|
|
|
LinuxKernelVersion=`uname -r | awk -F '-' '{print $1}'` |
|
KernelVersion=`echo -e $LinuxKernelVersion | awk -F '.' '{print $1}'` |
|
MajorRevision=`echo -e $LinuxKernelVersion | awk -F '.' '{print $2}'` |
|
MinorRevision=`echo -e $LinuxKernelVersion | awk -F '.' '{print $3}'` |
|
|
|
|
|
|
|
|
|
CheckCVE_2016_5195DirtyCow(){ |
|
|
|
if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -eq 6 && "$MinorRevision" -ge 22 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -ge 7 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$KernelVersion" -eq 3 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -lt 8 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -eq 8 && "$MinorRevision" -le 3 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2016-5195 DirtyCow vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
} |
|
|
|
|
|
|
|
|
|
CheckCVE_2020_14386(){ |
|
|
|
if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -ge 6 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2020-14386 vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ $KernelVersion -eq 5 && $MajorRevision -lt 9 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2020-14386 vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
} |
|
|
|
|
|
|
|
|
|
CheckCVE_2022_0847(){ |
|
if [ $KernelVersion -eq 5 ];then |
|
|
|
if [[ "$MajorRevision" -ge 8 && "$MajorRevision" -lt 10 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
if [[ "$MajorRevision" -eq 10 && "$MinorRevision" -lt 102 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
if [[ "$MajorRevision" -eq 10 && "$MinorRevision" -gt 102 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$MajorRevision" -gt 10 && "$MajorRevision" -lt 15 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$MajorRevision" -eq 15 && "$MinorRevision" -lt 25 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
if [[ "$MajorRevision" -eq 15 && "$MinorRevision" -gt 25 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$MajorRevision" -eq 16 && "$MinorRevision" -lt 11 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0847 DirtyPipe vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
fi |
|
} |
|
|
|
|
|
|
|
|
|
CheckCVE_2017_1000112(){ |
|
|
|
if [[ "$KernelVersion" -eq 4 && "$MajorRevision" -ge 4 && "$MajorRevision" -le 13 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2017-1000112 vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
} |
|
|
|
|
|
|
|
|
|
CheckCVE_2021_22555(){ |
|
|
|
if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -eq 6 && "$MinorRevision" -ge 19 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
if [[ "$KernelVersion" -eq 2 && "$MajorRevision" -ge 7 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ "$KernelVersion" -eq 3 || "$KernelVersion" -eq 4 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
|
|
|
|
if [[ $KernelVersion -eq 5 && $MajorRevision -le 12 ]];then |
|
echo -e "\033[92m[+] The current container has the CVE-2021-22555 vulnerability.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckVarLogMount(){ |
|
if [ ! -f "/var/run/secrets/kubernetes.io/serviceaccount/token" ];then |
|
IsPodEnv=0 |
|
else |
|
IsPodEnv=1 |
|
fi |
|
if [ $IsPodEnv -eq 1 ];then |
|
find / -name lastlog 2>/dev/null | wc -l | grep -q 3 && IsVarLogMount=1 || IsVarLogMount=0 |
|
if [ $IsVarLogMount -eq 1 ];then |
|
echo -e "\033[92m[+] The current container has /var/log mounted.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
fi |
|
} |
|
|
|
|
|
|
|
ChekckCAP_DAC_READ_SEARCH(){ |
|
if command -v capsh >/dev/null 2>&1; then |
|
cap_dac_read_searchNum=`capsh --print | grep cap_dac_read_search | wc -l` |
|
if [ $cap_dac_read_searchNum -gt 0 ];then |
|
echo -e "\033[92m[+] The current container has the CAP_DAC_READ_SEARCH permission.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckCAP_SYS_ADMIN(){ |
|
if command -v capsh >/dev/null 2>&1; then |
|
cap_sys_adminNum=`capsh --print | grep cap_sys_admin | wc -l` |
|
if [ $cap_sys_adminNum -gt 0 ];then |
|
echo -e "\033[92m[+] The current container has the CAP_SYS_ADMIN permission.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckCAP_SYS_PTRACE(){ |
|
if command -v capsh >/dev/null 2>&1; then |
|
cap_sys_ptraceNum=`capsh --print | grep cap_sys_ptrace | wc -l` |
|
if [ $cap_sys_ptraceNum -gt 0 ];then |
|
echo -e "\033[92m[+] The current container has the CAP_SYS_PTRACE permission.\033[0m" |
|
VulnerabilityExists=1 |
|
fi |
|
fi |
|
} |
|
|
|
|
|
|
|
CheckCVE_2022_0492(){ |
|
|
|
test_dir=/tmp/.cve-2022-0492-test |
|
if mkdir -p $test_dir ; then |
|
|
|
while read -r subsys |
|
do |
|
if unshare -UrmC --propagation=unchanged bash -c "mount -t cgroup -o $subsys cgroup $test_dir 2>&1 >/dev/null && test -w $test_dir/release_agent" >/dev/null 2>&1 ; then |
|
echo -e "\033[92m[+] The current container has the CVE-2022-0492 vulnerability.\033[0m" |
|
fi |
|
done <<< $(cat /proc/$$/cgroup | grep -Eo '[0-9]+:[^:]+' | grep -Eo '[^:]+$') |
|
umount $test_dir >/dev/null 2>&1 && rm -rf $test_dir >/dev/null 2>&1 |
|
fi |
|
} |
|
|
|
|
|
main() |
|
{ |
|
|
|
CheckTheCurrentEnvironment |
|
|
|
|
|
CheckPrivilegedMode |
|
|
|
|
|
CheckDockerSocketMount |
|
|
|
|
|
CheckProcfsMount |
|
|
|
|
|
CheckRootDirectoryMount |
|
|
|
|
|
CheckDockerRemoteAPI |
|
|
|
|
|
CheckCVE_2016_5195DirtyCow |
|
|
|
|
|
CheckCVE_2020_14386 |
|
|
|
|
|
CheckCVE_2022_0847 |
|
|
|
|
|
CheckCVE_2017_1000112 |
|
|
|
|
|
CheckCVE_2021_22555 |
|
|
|
|
|
CheckVarLogMount |
|
|
|
InstallCommand capsh |
|
|
|
|
|
ChekckCAP_DAC_READ_SEARCH |
|
|
|
|
|
CheckCAP_SYS_ADMIN |
|
|
|
|
|
CheckCAP_SYS_PTRACE |
|
|
|
|
|
CheckCVE_2022_0492 |
|
|
|
|
|
if [ $VulnerabilityExists -eq 0 ];then |
|
echo -e "\033[33m[!] Check completed, no vulnerability found. \033[0m" |
|
else |
|
echo -e "\033[33m[!] Check completed.\033[0m" |
|
fi |
|
} |
|
|
|
main |