-
Notifications
You must be signed in to change notification settings - Fork 551
Exploit: mount cgroup
cdxy edited this page Nov 24, 2020
·
1 revision
自动化逃逸与宿主机共享cgroup的容器。常用于逃逸特权容器。
该脚本将宿主机cgroup目录挂载到容器内,随后劫持宿主机cgroup的release_agent
文件,通过linux cgroup notify_on_release机制触发shellcode执行,完成逃逸。
Automated escape container which shares cgroup namespace with outside host, especially for escape privileged containers.
This exploit will first mount host cgroup dir into container, then overwrite host cgroup's release_agent
file to inject shellcode, finally trigger shell code execution with linux cgroup notify_on_release feature.
See Also:
- https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
- https://twitter.com/_fel1x/status/1151487051986087936
./cdk run mount-cgroup "<shell-cmd>"
# after exploit, the target host will execute user-specified commands in <shell-cmd> arg.
测试案例
- 宿主机以特权模式启动容器,尝试在该容器内部通过本脚本逃逸。
docker run -v /root/cdk:/cdk --rm -it --privileged ubuntu bash
- 容器内部执行
./cdk run mount-cgroup "touch /tmp/exp-success"
- 宿主机中出现
/tmp/exp-success
文件,说明exp已经成功执行,攻击者可以在宿主机执行任意命令。
Testing Case
- run a privileged container in host
docker run -v /root/cdk:/cdk --rm -it --privileged ubuntu bash
, try to escape this container using CDK. - attach into the container and execute
./cdk run mount-cgroup "touch /tmp/exp-success"
- back to the host, check
/tmp/exp-success
file exists, which means our shell cmd was executed successfully. by modifying<shell-cmd>
arg you can exec any cmd you want in target host.