Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Royal Flush: Privilege Escalation Vulnerability in Azure Functions - 458

Intezer - Paul Litvak. Posted 4 Years Ago
  • Azure functions are a way to run arbitrary code within the context of Azure. Another example of this is Lambda functions.
  • The Azure functions run within a Docker container with the --privileged flag to allow extra permissions. For the purposes of this article, this causes device files (/dev) to be shared between the host and the guest.
  • All of the file system devices in the /dev directory had their permissions set to rw for the guest user. This means that any user (including the Docker user) could edit these file systems.
  • To escape the container, the obvious choice was to edit the file system. Using the debugfs utility, we can commit changes to the underlying disk. Being able to write to disk is a HUGE deal, as we could overwrite all files on the OS, such as /etc/passwd.
  • There was one issue that they had to get around though: caching. The Linux kernel keeps a read cache of pages that have recently been loaded into memory instead of reading the raw disk every time. This resulted in raw disk writes not being noticed.
  • In order to get around this, they used posix_fadvise to tell the kernel to discard the cache. Now, when /etc/passwd was read again, it would be the proper one!
  • Although this container escape is pretty awesome, Azure functions run in both a Hyper-V guest and a Docker container. Being able to escape one of them is not enough to compromise the Azure functions infrastructure, sadly. Defense-in-depth!
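
To check your own containers for the misconfiguration these notes describe, here is an added audit sketch (not code from the Intezer article): it flags block devices under /dev that any user can write to, and reports whether the process holds CAP_SYS_ADMIN, which a --privileged container does. The function names and the sample values are constructed for illustration.

```python
import os
import stat

CAP_SYS_ADMIN = 21  # bit index of CAP_SYS_ADMIN in the Linux capability mask


def risky_block_devices(entries):
    """Return (path, perms) for block devices that are writable by 'other'.

    entries is an iterable of (path, st_mode) pairs.
    """
    findings = []
    for path, mode in entries:
        if not stat.S_ISBLK(mode):
            continue  # only raw disks and partitions matter here
        if mode & stat.S_IWOTH:
            findings.append((path, stat.filemode(mode)))
    return findings


def scan_dev(dev_dir="/dev"):
    """Collect (path, st_mode) for every node directly under dev_dir."""
    entries = []
    for entry in os.scandir(dev_dir):
        try:
            entries.append((entry.path, os.lstat(entry.path).st_mode))
        except OSError:
            continue  # node vanished or is unreadable; skip it
    return entries


def has_cap_sys_admin(status_text):
    """Parse /proc/<pid>/status text and test the CAP_SYS_ADMIN bit of CapEff."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return bool((int(line.split()[1], 16) >> CAP_SYS_ADMIN) & 1)
    return False


# Constructed sample data, used when no real /dev is being scanned.
SAMPLE_NODES = [
    ("/dev/sda5", stat.S_IFBLK | 0o666),  # disk writable by everyone: finding
    ("/dev/sdb1", stat.S_IFBLK | 0o660),  # usual root:disk permissions: fine
    ("/dev/null", stat.S_IFCHR | 0o666),  # character device: ignored
]
SAMPLE_PRIVILEGED = "Name:\tsh\nCapEff:\t0000003fffffffff\n"
SAMPLE_DEFAULT = "Name:\tsh\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    for path, perms in risky_block_devices(scan_dev()):
        print(f"world-writable block device: {path} {perms}")
    with open("/proc/self/status") as fh:
        print("CAP_SYS_ADMIN held:", has_cap_sys_admin(fh.read()))
```

Run it inside the container as the unprivileged workload user; any finding, or a True on the capability line, means the container boundary is weaker than it should be.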