Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Escaping Privileged Containers for Fun - 797

Jordy Zomer, posted 4 years ago
  • Many people run containers for security reasons. Containers have great properties, such as resource isolation. However, sometimes this isolation gets in the way, which leads to the --privileged flag being used. This opens up a whole new attack surface for escaping containers.
  • The author decided to hunt for the call_usermodehelper_* family of functions because of CVE-2022-0492. While grepping through the Linux source code, they ran into the function call_usermodehelper (used to run a program/script in user mode) within the core dump functionality.
  • When reading the core man page, they found out where this was called: "If the first character of this file is a pipe symbol (|), then the remainder of the line is interpreted as the command-line for a user-space program (or script) that is to be executed." If the value written to core_pattern starts with a pipe (|), the kernel runs the named program outside of the context of the container.
  • An obvious prerequisite is that the binary needs to be reachable by the host operating system. The folders within OverlayFS (the Docker file system) are mounted and easily reachable. To find the location of the mount, the mount command can be run from the context of the container to find the full host path of the container's file system.
  • How do we trigger this script? Cause a core dump by getting a program to segfault. Writing deliberately broken C that crashes is easy enough for this to work.
  • To run this exploit, the following steps are used:
    1. Compile a binary with the code to run.
    2. Find out the path of the file system in the container via the mount command.
    3. Write the FULL path of the exploit file to /proc/sys/kernel/core_pattern.
    4. Cause a core dump with the bad C file.
  • Overall, this write-up is really cool! Containers are not magic; they are features of the Linux operating system being used. By understanding how resources are isolated, we can escape the container in question.
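As a defender-side companion to the summary above, here is an added example (my own code, not from Jordy Zomer's post) that audits the two preconditions the write-up relies on: it parses a core_pattern value the way core(5) describes it (a leading `|` means the kernel runs the rest as a command line, outside the container), flags a pipe handler whose path sits inside a container's OverlayFS layer on the host, and checks from inside a container whether /proc/sys is mounted read-only (Docker's default for non-privileged containers, which is what prevents writing core_pattern in the first place). The mount tables and the core_pattern values are constructed samples; the Docker overlay2 paths are assumed to follow the usual `/var/lib/docker/overlay2/<id>/{merged,diff,work}` layout.

```python
"""Audit checks for the core_pattern escape primitive: added example, not the
original post's code. Inputs are plain strings so it runs offline; on a real host
read /proc/sys/kernel/core_pattern and /proc/mounts instead of the samples."""
from typing import Dict, List

# Constructed sample of a host's /proc/mounts with one Docker overlay2 mount
# (paths assumed to follow Docker's usual overlay2 layout).
SAMPLE_HOST_MOUNTS = (
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "overlay /var/lib/docker/overlay2/abc123/merged overlay "
    "rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB,"
    "upperdir=/var/lib/docker/overlay2/abc123/diff,workdir=/var/lib/docker/overlay2/abc123/work 0 0\n"
)

# Constructed sample of /proc/mounts as seen inside a non-privileged Docker
# container: /proc/sys is bind-mounted read-only, so core_pattern is not writable.
SAMPLE_CONTAINER_MOUNTS = (
    "overlay / overlay rw,relatime,lowerdir=/lower,upperdir=/upper,workdir=/work 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
    "proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0\n"
)


def parse_core_pattern(pattern: str) -> Dict[str, object]:
    """Classify a core_pattern value as core(5) describes it: a leading '|' means
    the remainder is a command line the kernel runs (as root, outside any
    container); anything else is a file name template."""
    pattern = pattern.rstrip("\n")
    if pattern.startswith("|"):
        parts = pattern[1:].split()
        return {"mode": "pipe", "handler": parts[0] if parts else "", "args": parts[1:]}
    return {"mode": "file", "template": pattern}


def overlay_dirs(mounts_text: str) -> List[str]:
    """Collect the merged mount point, upperdir and workdir of every overlay mount;
    these are the host paths at which a container's files are reachable."""
    dirs: List[str] = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[2] != "overlay":
            continue
        dirs.append(fields[1])
        for opt in fields[3].split(","):
            if opt.startswith(("upperdir=", "workdir=")):
                dirs.append(opt.split("=", 1)[1])
    return dirs


def proc_sys_is_readonly(mounts_text: str) -> bool:
    """True when /proc/sys is mounted read-only. Docker does this for non-privileged
    containers; --privileged leaves it writable, which is the precondition above."""
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] == "/proc/sys":
            return "ro" in fields[3].split(",")
    return False


def audit_core_pattern(pattern: str, host_mounts: str) -> List[str]:
    """Return findings for a core_pattern value given the host's mount table.
    A pipe handler living inside a container layer is the tell-tale of this escape."""
    findings: List[str] = []
    parsed = parse_core_pattern(pattern)
    if parsed["mode"] != "pipe":
        return findings
    handler = str(parsed["handler"])
    findings.append(f"pipe handler: {handler}")
    if not handler.startswith("/"):
        # core(5): the program must be given as an absolute pathname.
        findings.append("handler is not an absolute path")
    for d in overlay_dirs(host_mounts):
        if handler.startswith(d.rstrip("/") + "/"):
            findings.append(f"handler lives inside container layer {d}")
            break
    return findings


if __name__ == "__main__":
    for value in ("core", "|/usr/lib/systemd/systemd-coredump %P %u %g",
                  "|/var/lib/docker/overlay2/abc123/diff/tmp/handler"):
        print(repr(value), "->", audit_core_pattern(value, SAMPLE_HOST_MOUNTS))
    print("/proc/sys read-only in container sample:",
          proc_sys_is_readonly(SAMPLE_CONTAINER_MOUNTS))
```

On a real host the audit belongs in a periodic check (or a sysctl-write alert), since the default systemd-coredump handler is also a pipe handler and only the handler's location distinguishes benign from suspicious; inside a container, a writable /proc/sys is the cheap signal that the container is running with more privilege than it should.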