Escape Docker Container Using waitid() | CVE-2017-5123 | Twistlock

https://www.twistlock.com/2017/12/27/escaping-docker-container-using-waitid-cve-2017-5123/

In 2017 alone, 434 Linux kernel exploits were found, and as you have seen in this post, kernel exploits can be devastating for containerized environments. This is because containers share the same kernel as the host, so trusting the built-in protection mechanisms alone isn’t sufficient. Make sure your kernel is always updated on all of your production hosts.

The vulnerability allows an attacker to write partially controlled data to a kernel memory address of his choice.

Our main goal with this exploit is to overwrite the capabilities that Docker sets for us, thus gaining additional privileges and escaping the container.
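A defender-side check for the outcome described above, as an added example that is not from the original post: it decodes the `CapEff` mask from `/proc/<pid>/status` and lists any capability a container process holds beyond Docker's default set. The default set (no `--cap-add` or `--cap-drop`) and the sample status text are assumptions constructed for illustration.

```python
import re

# Linux capability names indexed by bit number (linux/capability.h, bits 0-40).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

# Assumption: the container was started with Docker's default capability set.
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
}

def decode_caps(mask):
    """Return the capability names set in a bitmask; unknown bits become BIT_n."""
    names = set()
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"BIT_{bit}")
        mask >>= 1
        bit += 1
    return names

def excess_caps(status_text, baseline=DOCKER_DEFAULT):
    """Parse CapEff from /proc/<pid>/status text; return capabilities outside baseline."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return sorted(decode_caps(int(m.group(1), 16)) - baseline)

# Constructed samples: a default container process and one holding every capability bit.
SAMPLE_DEFAULT = "Name:\tsh\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
SAMPLE_FULL = "Name:\tsh\nCapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n"

if __name__ == "__main__":
    # On a Linux host, feed in the text of /proc/<pid>/status for a container process.
    for label, text in (("default", SAMPLE_DEFAULT), ("full", SAMPLE_FULL)):
        print(label, excess_caps(text))
```

A non-empty result for a process in a container that was started with default settings means its credentials no longer match what the runtime assigned, which warrants investigation.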

 

1 Comment

  1. Tomi Engdahl says:

    THREAT RESEARCH BLOG POST
    How I Hacked Play-with-Docker and Remotely Ran Code on the Host
    https://www.cyberark.com/threat-research-blog/how-i-hacked-play-with-docker-and-remotely-ran-code-on-the-host/

    Play-with-Docker (PWD), Docker’s playground website, allows beginners to run Docker commands in a matter of seconds. Built on a number of hosts with each running multiple students’ containers, it’s a great place to learn Docker. PWD provides the experience of having a free Alpine Linux virtual machine in a web browser where students can build and run Docker containers and experience Docker firsthand without having to first install and configure it.

    This unique offering was warmly welcomed by DevOps practitioners with more than 100,000 total monthly site visits, where Docker tutorials, workshops and training are also available. The initiative was an effort originated by Marcos Nils and Jonathan Leibiusky, aided by the Docker community and sponsored by Docker.

    CyberArk Labs set out to try and escape the mock container in an effort to run code on the Docker host.

    The impact of container escape is similar to escape from a virtual machine, as both allow access to the underlying server.

