Docker cgroups Container Escape

This exploit module takes advantage of a Docker image which has either the privileged flag, or SYS_ADMIN Linux capability.
If the host kernel is vulnerable, its possible to escape the Docker image and achieve root on the host operating system.

A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the kernel/cgroup/cgroup-v1.c function.
This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges
and bypass the namespace isolation unexpectedly.

More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.
If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,
an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent
file is owned by root, so only a user with root access can modify it.