Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Insecure Handling of Bind Mount Sources - 704

Fwilhelm - Project Zero (P0) Posted 4 Years Ago
  • runc and libcontainer are what make Docker, Docker. They handle the chroot, namespaces and everything else in between. Docker adds a nice wrapper around all of this to make it more practical to use and to install things. runc is written in Go and libcontainer is written in C.
  • The interface between C and Go is an important one to consider. A non-issue in Go may be a terrible issue in C if things are not handled properly; differences between languages can make a big difference! When runc communicates the bind mounts via a Go to C call, the Go string can have embedded null bytes inside of it.
  • The messages passed between the Go and C sides for communicating the bind mounts above are separated from one another by null bytes. As a result, a bind mount source with an embedded null byte creates a message smuggling bug. An example way to exploit this would be to bypass hostPath restrictions in Kubernetes clusters.
  • When sending a message from Go to C, there are two fields: a uint16 for the length of the message and a byte array for the bytes themselves. Even though this looks totally fine, the length can be overflowed! This resulted in another smuggling bug, since we can now control all of the data in a message even though we should not be able to.
  • Using the bugs together, it would be possible to create an arbitrary message. This message could do some malicious things, such as setting the CLONE_FLAGS_ATTR attribute for the container, which would give the container access to the host namespace.
  • Interfacing with other languages can be complicated because of the inherent differences in the representation of data. Additionally, integer overflow issues exist in all languages. So, watch out world!
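The two checks the bullets above imply (no embedded null byte in a string handed to C, and a length that actually fits the 16-bit length field instead of being silently truncated) are small enough to show in full. The following is an added example, not code from runc, libcontainer or the Project Zero post; the message framing (type, uint16 length, bytes) and the message type constant are constructed for illustration and do not reproduce runc's real protocol.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
	"strings"
)

// msgBindSource is a constructed message type for this example; it is not
// one of runc's real attribute values.
const msgBindSource uint16 = 1

// ErrEmbeddedNUL is returned when a Go string destined for C contains a
// 0x00 byte. C would treat that byte as the end of the string, so the rest
// of the payload would be read as a different message.
var ErrEmbeddedNUL = errors.New("payload contains an embedded NUL byte")

// ErrTooLong is returned when the payload does not fit in a uint16 length
// field. Casting len(payload) to uint16 without this check wraps around
// and desynchronises the framing on the C side.
var ErrTooLong = errors.New("payload exceeds uint16 length field")

// validateCPayload enforces both properties before anything crosses the
// Go/C boundary.
func validateCPayload(payload string) error {
	if strings.IndexByte(payload, 0) != -1 {
		return ErrEmbeddedNUL
	}
	if len(payload) > math.MaxUint16 {
		return ErrTooLong
	}
	return nil
}

// encodeMessage frames a message as type(uint16) | length(uint16) | bytes,
// refusing anything that would be ambiguous to the receiving C code.
func encodeMessage(kind uint16, payload string) ([]byte, error) {
	if err := validateCPayload(payload); err != nil {
		return nil, fmt.Errorf("message type %d: %w", kind, err)
	}
	buf := make([]byte, 4+len(payload))
	binary.BigEndian.PutUint16(buf[0:2], kind)
	binary.BigEndian.PutUint16(buf[2:4], uint16(len(payload))) // safe: checked above
	copy(buf[4:], payload)
	return buf, nil
}

func main() {
	// Constructed inputs: one ordinary bind-mount source and two that must be rejected.
	inputs := []string{
		"/var/lib/app/data",
		"/var/lib/app/data\x00extra",
		strings.Repeat("A", math.MaxUint16+1),
	}
	for _, in := range inputs {
		msg, err := encodeMessage(msgBindSource, in)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("encoded %d bytes\n", len(msg))
	}
}
```

The point of returning distinct sentinel errors is that a caller can log which invariant was violated; a single generic "invalid path" error hides whether the sender tried to smuggle a second message or simply overran the length field.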