GitBook: [master] one page modified
This commit is contained in:
parent
b2a69a78ee
commit
6ee2e4702e
@ -1,20 +1,5 @@
|
|||||||
# Docker Breakout
|
# Docker Breakout
|
||||||
|
|
||||||
## Runc exploit (CVE-2019-5736)
|
|
||||||
|
|
||||||
In case you have the `docker exec` permission within the container as root, you can escape the container by getting the go implementation of CVE-2019-5736 from [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go).
|
|
||||||
Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.
|
|
||||||
|
|
||||||
Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine:
|
|
||||||
|
|
||||||
`docker exec -it <container-name> /bin/sh`
|
|
||||||
|
|
||||||
This will trigger the payload which is present in the main.go file.
|
|
||||||
|
|
||||||
For more information:
|
|
||||||
https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
|
|
||||||
|
|
||||||
|
|
||||||
## Mounted docker socket
|
## Mounted docker socket
|
||||||
|
|
||||||
If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.
|
If somehow you find that the **docker socket is mounted** inside the docker container, you will be able to escape from it.
|
||||||
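Review bot: this hunk only deletes the "Runc exploit (CVE-2019-5736)" section that sat directly under the page title, and the same section is re-added later in this commit, so the change is a move rather than a removal; confirm that nothing kept at the top of the page still refers to it and that the pieces carried over unchanged (the PoC link, `go build main.go`, the `[+] Overwritten /bin/sh successfully` marker and `docker exec -it <container-name> /bin/sh`) are identical in the re-added copy, since a half-applied move leaves readers with a dangling heading.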
@ -398,6 +383,19 @@ root 10 2 0 11:25 ? 00:00:00 [ksoftirqd/0]
|
|||||||
...
|
...
|
||||||
```
|
```
|
||||||
|
|
||||||
|
## Runc exploit \(CVE-2019-5736\)
|
||||||
|
|
||||||
|
In case you can execute `docker exec` as root \(probably with sudo\), you try to escalate privileges escaping from a container abusing CVE-2019-5736 \(exploit [here](https://github.com/Frichetten/CVE-2019-5736-PoC/blob/master/main.go)\). This technique will basically **overwrite** the _**/bin/sh**_ binary of the **host** **from a container**, so anyone executing docker exec may trigger the payload.
|
||||||
|
|
||||||
|
Change the payload accordingly and build the main.go with `go build main.go`. The resulting binary should be placed in the docker container for execution.
|
||||||
|
Upon execution, as soon as it displays `[+] Overwritten /bin/sh successfully` you need to execute the following from the host machine:
|
||||||
|
|
||||||
|
`docker exec -it <container-name> /bin/sh`
|
||||||
|
|
||||||
|
This will trigger the payload which is present in the main.go file.
|
||||||
|
|
||||||
|
For more information: [https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html](https://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html)
|
||||||
|
|
||||||
## Docker API Firewall Bypass
|
## Docker API Firewall Bypass
|
||||||
|
|
||||||
In some occasions, the sysadmin may install some plugins to docker to avoid low privilege users to interact with docker without being able to escalate privileges.
|
In some occasions, the sysadmin may install some plugins to docker to avoid low privilege users to interact with docker without being able to escalate privileges.
|
||||||
|
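Review bot: the reworded first paragraph of the re-added section has a grammar slip and is ambiguous about where each step runs; "you try to escalate privileges escaping from a container" should read "you can try to escalate privileges by escaping from a container", and the text should say explicitly that the built PoC binary is executed inside the container while the `docker exec -it <container-name> /bin/sh` that triggers the overwritten host `/bin/sh` is run on the host, which is what the two following paragraphs rely on. The section also never tells the reader how to check whether the host's runc is already patched against CVE-2019-5736 before building the PoC, so consider adding the affected and fixed runc/Docker versions next to the link to the dragonsector write-up.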