Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Big Bugs: Bitbucket Pipelines Kata Containers Build Container Escape- 464

Michael Hamel - Bugcrowd, posted 4 years ago
  • The Bitbucket CI/CD pipeline must be isolated per user. If it isn't, data can trivially be stolen or altered during the build process. This bug was an escape from the CI/CD pipeline sandbox.
  • First, a user must escape the Docker container. This was done using known techniques based on the cgroups release_agent functionality. So, step one is complete.
  • The second step is the new/unique part of this article: escaping the Kata VM. Kata Containers look essentially like Docker but with a few differences in how they work, such as stronger guarantees of container isolation because each sandbox runs in its own lightweight VM.
  • With Kata Containers, the author started looking at the mounted file systems. An important thing to note is that the hostPath functionality was used to mount paths from the container host directly into the container. To make the lives of devs easier, one of those mounts was /usr/bin/docker.
  • The mounting process for Kata was quite complicated, with a lot of nesting and other steps in between. Although the mount appeared read-only from within the Kata VM, the host disagreed! On the host side, the docker mount was rw.
  • Because the mount was actually writable, the Docker binary itself could be altered! Damn, that's code execution on the host as soon as the binary is run.
  • The author found an additional mounting issue in the Kubernetes pods version of this setup. The bug was an improperly mounted log directory: by placing a symbolic link in this directory, it was possible to redirect where the host wrote its logs and thereby overwrite arbitrary files.
  • Overall, awesome bugs with interesting impacts! Containers are great in practice but are still complex beasts with bugs in them.
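The lesson a defender should take from the docker mount is that the guest's view of a mount's permissions is not authoritative: the check has to be made from the host side, where the bind mount into the sandbox's share directory is what actually decides writability. The following is an added example (not code from the Bugcrowd write-up, from Bitbucket or from the Kata Containers project) that parses mountinfo text in the `/proc/<pid>/mountinfo` format, flags writable host shares, and reports shares the guest believes are read-only while the host has them read-write. The sandbox share directory, the share naming scheme (guest bind root and host mount point ending in the same name) and every mountinfo line are constructed for the demo; a real host's layout will differ and the prefix would be read from the sandbox's runtime state.

```python
"""Added example (not from the Bugcrowd article or the Kata project): audit a
sandbox's host-side shares from mountinfo and cross-check them against the
guest's view. Share prefix, naming scheme and all mountinfo lines are constructed."""

import os

# Host paths whose writability from a sandbox means code runs on the host as
# soon as the file is executed (the /usr/bin/docker case from the write-up).
SENSITIVE_PREFIXES = ("/usr/bin", "/usr/sbin", "/bin", "/sbin", "/usr/lib", "/etc")


def parse_mountinfo(text):
    """Parse mountinfo lines into dicts. Format (see proc(5)):
    id parent maj:min root mount_point options [optional...] - fstype source super_options"""
    mounts = []
    for line in text.splitlines():
        head, sep, tail = line.strip().partition(" - ")
        h, t = head.split(), tail.split()
        if not sep or len(h) < 6 or len(t) < 3:
            continue  # blank or malformed line
        mounts.append({
            "root": h[3],                      # path inside the source fs (host path for a bind mount)
            "mount_point": h[4],
            "options": set(h[5].split(",")),   # per-mount flags, e.g. "ro" for a read-only bind
            "fstype": t[0],
            "source": t[1],
            "super_options": set(t[2].split(",")),  # superblock flags
        })
    return mounts


def is_writable(m):
    """A mount is writable only if neither the mount nor its superblock is ro."""
    return "ro" not in m["options"] and "ro" not in m["super_options"]


def audit_host_shares(host_mountinfo, share_prefix):
    """Return writable host shares under share_prefix, highest severity first."""
    findings = []
    for m in parse_mountinfo(host_mountinfo):
        if not m["mount_point"].startswith(share_prefix) or not is_writable(m):
            continue
        host_path = m["root"]
        severity = "high" if host_path.startswith(SENSITIVE_PREFIXES) else "medium"
        findings.append({
            "share": os.path.basename(m["mount_point"]),
            "host_path": host_path,
            "severity": severity,
        })
    findings.sort(key=lambda f: f["severity"] != "high")
    return findings


def guest_host_disagreements(guest_mountinfo, host_mountinfo, share_prefix):
    """Shares the guest reports read-only while the host mounted them read-write.
    Assumption: guest bind root and host mount point end in the same share name."""
    host_rw = {f["share"]: f["host_path"] for f in audit_host_shares(host_mountinfo, share_prefix)}
    out = []
    for g in parse_mountinfo(guest_mountinfo):
        share = os.path.basename(g["root"])
        if share in host_rw and not is_writable(g):
            out.append((g["mount_point"], host_rw[share]))
    return out


# Constructed host view: a sandbox share directory with three bind mounts.
HOST_MOUNTINFO = """\
41 28 8:1 / / rw,relatime - ext4 /dev/sda1 rw
320 41 8:1 /usr/bin/docker /run/kata-containers/shared/sandboxes/sb-demo/mounts/docker rw,relatime - ext4 /dev/sda1 rw
321 41 8:1 /var/lib/kubelet/pods/pod-demo/logs /run/kata-containers/shared/sandboxes/sb-demo/mounts/logs rw,relatime - ext4 /dev/sda1 rw
322 41 8:1 /etc/hosts /run/kata-containers/shared/sandboxes/sb-demo/mounts/hosts ro,relatime - ext4 /dev/sda1 rw
"""

# Constructed guest view: the docker share looks read-only from inside the VM.
GUEST_MOUNTINFO = """\
45 30 0:25 /containers/docker /usr/bin/docker ro,relatime - virtiofs kataShared rw
46 30 0:25 /containers/logs /var/log/pods rw,relatime - virtiofs kataShared rw
47 30 0:25 /containers/hosts /etc/hosts ro,relatime - virtiofs kataShared rw
"""

SHARE_PREFIX = "/run/kata-containers/shared/sandboxes/sb-demo/mounts/"

if __name__ == "__main__":
    for f in audit_host_shares(HOST_MOUNTINFO, SHARE_PREFIX):
        print(f"[{f['severity']}] share {f['share']} exposes {f['host_path']} read-write")
    for guest_path, host_path in guest_host_disagreements(GUEST_MOUNTINFO, HOST_MOUNTINFO, SHARE_PREFIX):
        print(f"guest reports {guest_path} read-only, host mounted {host_path} rw")
```

Run on the constructed data, the host-side audit reports the docker share as high severity and the log directory as medium (a writable directory is where the symlink trick from the Kubernetes variant becomes relevant), while the guest-versus-host comparison surfaces exactly the disagreement the article describes: `/usr/bin/docker` looks read-only in the VM but is read-write on the host. In a real deployment the same logic would be fed the host's `/proc/<pid>/mountinfo` for the sandbox's shim process and the guest agent's mountinfo.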