Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Containerd Host Networking is Root-Equivalent, Again - 329

Jeff Dileo - NCC Group. Posted 5 years ago.
  • Docker is a container platform that lets code run anywhere in a mostly safe way. Beyond portability, it acts as a sandbox that separates the workload from the host machine. Being able to break out of the container onto the host (a container escape) is therefore a serious vulnerability.
  • A socket is a mechanism that lets two processes communicate through a network-style interface. In Unix, local (Unix domain) sockets are normally represented by a file path. There are also abstract sockets, which are a little different: they have no path on the filesystem and exist only within a network namespace. Path-based sockets on the host cannot be reached from inside a Docker container, but abstract sockets can when the container shares the host's network namespace (host networking)! This creates a little attack surface for us.
  • Abstract sockets, unlike path-based sockets, have no access controls tied to Unix file permissions; any access control has to be implemented by the creator of the abstract socket.
  • One abstract socket in particular is interesting: containerd-shim's. A custom binary serves an API on it, and that API is reachable from the container. The tl;dr is that by talking to this API (over gRPC) it is possible to compromise the host process!
  • But why is this possible? The only validation is a check that the connecting user is the SAME user that containerd-shim runs as. Normally that is root. The user inside the container is ALSO root. So the gRPC server believes it is talking to the same user and allows us to connect.
  • The article goes into how to escalate to root on the host from this API. There are several ways to go about it, but they all stem from the Create or Start RPC calls. The only trick (discussed in the article) is getting a proper configuration file to the startup process. Once that is done, a container started with the --privileged flag can be used to gain root access.
  • In the future, I will look out for abstract sockets, as they have different security implications than one might expect.
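As an added example (my own hypothetical audit helper, not code from the page or the NCC Group post), here is the check I now run when looking for the situation above: parse /proc/net/unix, list the abstract sockets that are listening in the current network namespace (none of which carry file permissions), and flag any that look like containerd-shim endpoints. It assumes the standard /proc/net/unix column layout (Num RefCount Protocol Flags Type St Inode Path) and embeds a constructed sample table with a made-up shim path so it runs offline.

```python
"""Hypothetical audit helper, not code from the NCC Group post: lists the
abstract Unix sockets visible in this network namespace and flags any
containerd-shim listeners. A constructed /proc/net/unix sample is embedded."""
from typing import NamedTuple
SO_ACCEPTCON = 0x10000  # kernel flag bit set on listening Unix sockets

# Constructed sample (the shim path is made up): a filesystem socket, an
# abstract shim listener, an unnamed connected socket, another abstract one.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 11111 /run/docker.sock
0000000000000000: 00000002 00000000 00010000 0001 01 22222 @/containerd-shim/moby/EXAMPLEID/shim.sock@
0000000000000000: 00000003 00000000 00000000 0001 03 33333
0000000000000000: 00000002 00000000 00010000 0001 01 44444 @/tmp/.X11-unix/X0
"""

class UnixSocket(NamedTuple):
    inode: int
    flags: int
    path: str  # '' if unnamed; '@...' if abstract (/proc shows the NUL as '@')

    @property
    def is_abstract(self) -> bool:
        return self.path.startswith("@")

    @property
    def is_listening(self) -> bool:
        return bool(self.flags & SO_ACCEPTCON)

def parse_proc_net_unix(text: str) -> list[UnixSocket]:
    """Parse the /proc/net/unix table; the Path column may be absent."""
    sockets = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split(None, 7)
        if len(fields) < 7:
            continue
        path = fields[7] if len(fields) == 8 else ""
        sockets.append(UnixSocket(int(fields[6]), int(fields[3], 16), path))
    return sockets

def abstract_listeners(text: str) -> list[str]:
    """Abstract listening sockets: anyone sharing the netns can connect, and
    no filesystem permission check applies (the post's key point)."""
    return [s.path for s in parse_proc_net_unix(text)
            if s.is_abstract and s.is_listening]

def shim_listeners(text: str) -> list[str]:
    """Subset that looks like containerd-shim endpoints (the post's case)."""
    return [p for p in abstract_listeners(text) if "containerd-shim" in p]
```

On a live Linux host or inside a container, pass the contents of /proc/net/unix to shim_listeners to see what the current network namespace exposes.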