(Note: I would ask this in a discussion but those haven't been setup yet- so another vote for enabling those: #70)

Sorry if this is the wrong place to ask this question - but I searched these issues, and I searched the web, and I can't find anything good on it.

Having docker.sock writable by the docker group is extremely handy/useful. However, I don't want to allow that as it results in this root exploit.

Is there any way to have docker.sock writable but without enabling this exploit? Is it a fundamental problem with Docker's design? Seems like a big deal...

Hi, I'd like to install following these instructions from the README but am not sure how to get the binary built:

CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor

This creates a go/pkg folder with a bunch of subfolders, but I have no idea where the built binary is.

Any help greatly appreciated! Using go 1.16.8.

The tool looks neat, but I tried running it on a fresh Vagrant instance as an unprivileged user and didn't se emuch:

Of course, it's a stock install and there are no services running on the box, but I think it would be neat if there were some instructions on example misconfigurations that could be made on a throwaway VM for Traitor to exploit.

If you're willing to give me a list, I'd be happy to add some examples into the README and submit a PR!

Brandon-Ross-MacBook-Pro:Desktop bros$ CGO_ENABLED=0 go get -u github.com/liamg/traitor/cmd/traitor
Brandon-Ross-MacBook-Pro:Desktop bros$ traitor


 888                    d8b 888                    
 888                    Y8P 888                    
 888                        888                    
 888888 888d888 8888b.  888 888888 .d88b.  888d888 
 888    888P"      "88b 888 888   d88""88b 888P"   
 888    888    .d888888 888 888   888  888 888     
 Y88b.  888    888  888 888 Y88b. Y88..88P 888     
  "Y888 888    "Y888888 888  "Y888 "Y88P"  888     
    v0.0.0 | https://github.com/liamg/traitor 
 
[+] Assessing machine state...
[+] Checking for opportunities...
[+][docker:writable-socket] Docker socket at /var/run/docker.sock is writable!
[+][docker:writable-socket] System is vulnerable! Run again with '--exploit docker:writable-socket' to exploit it.
Brandon-Ross-MacBook-Pro:Desktop bros$ traitor --exploit docker:writable-socket


 888                    d8b 888                    
 888                    Y8P 888                    
 888                        888                    
 888888 888d888 8888b.  888 888888 .d88b.  888d888 
 888    888P"      "88b 888 888   d88""88b 888P"   
 888    888    .d888888 888 888   888  888 888     
 Y88b.  888    888  888 888 Y88b. Y88..88P 888     
  "Y888 888    "Y888888 888  "Y888 "Y88P"  888     
    v0.0.0 | https://github.com/liamg/traitor 
 
[+] Assessing machine state...
[+] Checking for opportunities...
[+][docker:writable-socket] Docker socket at /var/run/docker.sock is writable!
[+][docker:writable-socket] Opportunity found, trying to exploit it...
[+][docker:writable-socket] Building malicious docker image...
[+][docker:writable-socket] Creating evil container...
[+][docker:writable-socket] Starting evil container...
[+][docker:writable-socket] Backdooring host at /bin/phNS9hpK_xJfOc from guest...
[+][docker:writable-socket] Checking permissions...
[+][error] Exploit failed: stat /bin/phNS9hpK_xJfOc: no such file or directory
[+] Continuing to look for opportunities
[+] Nothing found to exploit.

Hey @liamg let's open up Discussions on this repo (Under Settings). Some of the issues that come by are not really tangible things to write code and submit pull-requests for 😅

Please add an option to skip specific test or add option to force continuation of tests even if you encountered a privesc. In this way, the tool is no longer a tool used only for privesc and becomes a used audit tool as well.

I run the program on several different computers, but there is no test vulnerability information, as shown in the figure. Is it because I don't have an exp。 Or because the server does not have vulnerabilities

• Source: https://github.com/Markakd/CVE-2022-2588 Would be cool if you can implement it, but it seems that it doesn't compile on arm64 system (or atleast not out of the box), lets see if you can do something about it

• Microsoft writeup: https://www.microsoft.com/security/blog/2022/04/26/microsoft-finds-new-elevation-of-privilege-linux-vulnerability-nimbuspwn/
• Python PoC: https://github.com/Immersive-Labs-Sec/nimbuspwn/blob/main/nimbuspwn.py
• Vulnerability detection (shell): https://github.com/jfrog/nimbuspwn-tools/blob/main/nimbuspwn-detector.sh
• Golang dbus library: https://github.com/godbus/dbus

https://github.com/Ruia-ruia/CVE-2022-29582-Exploit this is the source. Hope it will take not much time. Thank you.

Ah, sorry for the clickbait title, but you see, it works!

I ran v0.0.14 on a fully-patched (at least as far as apt permits) Ubuntu 22.04LTS, and got this result:

▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█
░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.14
https://github.com/liamg/traitor

[+] Assessing machine state...
[+] Checking for opportunities...
[+][kernel:CVE-2022-0847] Kernel version 5.15.0 is vulnerable!
[+][kernel:CVE-2022-0847] System is vulnerable! Run again with '--exploit kernel:CVE-2022-0847' to exploit it.

Checking the installed kernel version, I get this:

$ cat /proc/version_signature
Ubuntu 5.15.0-25.25-generic 5.15.30

According to the vendor (see https://ubuntu.com/kernel for details), the mainline kernel release is the 5.15.30 part. According to NIST (see https://nvd.nist.gov/vuln/detail/CVE-2022-0847), the CVE details state that 5.15.0 to 5.15.24 are affected, with 5.15.25 and newer not affected.

Given that Ubuntu LTS is a relatively popular choice among server operating systems – and 22.04 is the most recent LTS cut – it might be worth clarifying what kernel versions are affected by CVE-2022-0847 at a patch release level instead of minor release branch.

Thanks for your consideration.

Hi,

I am using the command: ./traitor --exploit kernel:CVE-2022-0847

It seem to work, but terminates with an error: [+][error] Exploit failed: invalid password (see below).

In /etc/passwd: traitor4242:x:1001:1001:CVE-2021-3560,,,:/home/traitor4242:/bin/bash In /etc/shadow: traitor4242:!:19092:0:99999:7::: In /etc/group: sudo:x:27:thomas,traitor4242

Is there a reason, why it terminates with an error ? Thanks for help Thomas

▀█▀ █▀█ ▄▀█ █ ▀█▀ █▀█ █▀█ ░█░ █▀▄ █▀█ █ ░█░ █▄█ █▀▄ v0.0.0 https://github.com/liamg/traitor

[+] Assessing machine state... [+] Checking for opportunities... [+][kernel:CVE-2022-0847] Kernel version 5.13.0 is vulnerable! [+][kernel:CVE-2022-0847] Opportunity found, trying to exploit it... [+][kernel:CVE-2022-0847] Attempting to set root password... [+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read... [+][kernel:CVE-2022-0847] Creating pipe... [+][kernel:CVE-2022-0847] Determining pipe size... [+][kernel:CVE-2022-0847] Pipe size is 65536. [+][kernel:CVE-2022-0847] Filling pipe... [+][kernel:CVE-2022-0847] Draining pipe... [+][kernel:CVE-2022-0847] Pipe drained. [+][kernel:CVE-2022-0847] Splicing data... [+][kernel:CVE-2022-0847] Writing to dirty pipe... [+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful! [+][kernel:CVE-2022-0847] Starting shell... [+][kernel:CVE-2022-0847] Please exit the shell once you are finished to ensure the contents of /etc/passwd is restored. [+][kernel:CVE-2022-0847] Setting up tty... [+][kernel:CVE-2022-0847] Attempting authentication as root... [+][kernel:CVE-2022-0847] Restoring contents of /etc/passwd... [+][kernel:CVE-2022-0847] Opening '/etc/passwd' for read... [+][kernel:CVE-2022-0847] Creating pipe... [+][kernel:CVE-2022-0847] Determining pipe size... [+][kernel:CVE-2022-0847] Pipe size is 65536. [+][kernel:CVE-2022-0847] Filling pipe... [+][kernel:CVE-2022-0847] Draining pipe... [+][kernel:CVE-2022-0847] Pipe drained. [+][kernel:CVE-2022-0847] Splicing data... [+][kernel:CVE-2022-0847] Writing to dirty pipe... [+][kernel:CVE-2022-0847] Write of '/etc/passwd' successful! [+][error] Exploit failed: invalid password [+] Continuing to look for opportunities [+] Nothing found to exploit. thomas@thomas-ThinkPad-E15:~/traitor$