Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

cr8escape: New Vulnerability in CRI-O Container Engine - 801

John Walker & Manoj Ahuje - CrowdStrike. Posted 4 Years Ago
  • CRI-O is an implementation of the Kubernetes Container Runtime Interface. It is a lightweight alternative to using Docker with Kubernetes.
  • CRI-O uses the pinns utility to set kernel options for a pod. Recently, pinns added support for sysctl. Pinns blindly adds kernel parameters, including sysctls, without any validation. This is an interesting primitive: can we do anything with this?
  • The sysctl kernel.core_pattern controls how the kernel reacts to a core dump. In this case, we set it to a script that we control within our container so that the script is triggered on a crash. Since core_pattern requires an absolute path, we also need the full path of the script on the host; this can be found via the mount command.
  • Note that this is not the standard type of container escape where an attacker already has code execution within the context of a box. Instead, they need to be able to specify parameters in the YAML file used to initialize the pod. Although this is cool, it is not as impactful as it could be, since control over the pod settings is required.
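The core of the issue above is that pinns accepted whatever sysctl key/value pairs it was handed. The following is an added example (not CRI-O or pinns code) of the kind of validation a runtime or an admission check should apply before a pod's sysctls ever reach the kernel: unknown keys are rejected against an allowlist, and values must be plain tokens so a single value cannot carry anything the runtime did not intend. The allowlist mirrors a few sysctls Kubernetes treats as "safe" (assumption: kept deliberately short, adjust to your cluster policy); the value and key patterns are a hypothetical strict policy chosen for this example, and the two pod specs are constructed inputs.

```python
"""Allowlist validation for pod sysctls (added example, not CRI-O/pinns code)."""
import re

# Assumption: minimal allowlist modelled on Kubernetes' "safe" sysctls; extend per policy.
SAFE_SYSCTLS = {
    "kernel.shm_rmid_forced",
    "net.ipv4.ip_local_port_range",
    "net.ipv4.tcp_syncookies",
}

# Hypothetical strict policy: keys are dotted lowercase tokens, values are
# alphanumeric tokens separated by single spaces (ip_local_port_range is
# written "32768 60999"). Anything else, such as '=', ';', '|' or newlines,
# is rejected so a value cannot smuggle a second setting or a command.
KEY_RE = re.compile(r"^[a-z0-9_]+(\.[a-z0-9_]+)+$")
VALUE_RE = re.compile(r"^[A-Za-z0-9._-]+( [A-Za-z0-9._-]+)*$")


def validate_sysctl(name: str, value: str) -> tuple[bool, str]:
    """Return (ok, reason) for one sysctl request."""
    if not KEY_RE.match(name):
        return False, f"malformed sysctl name: {name!r}"
    if name not in SAFE_SYSCTLS:
        return False, f"sysctl not in allowlist: {name}"
    if not VALUE_RE.match(value):
        return False, f"malformed value for {name}: {value!r}"
    return True, "ok"


def validate_pod_sysctls(pod: dict) -> list[str]:
    """Walk a pod spec (dict as loaded from YAML) and collect every violation."""
    sysctls = pod.get("spec", {}).get("securityContext", {}).get("sysctls", [])
    violations = []
    for entry in sysctls:
        ok, reason = validate_sysctl(str(entry.get("name", "")), str(entry.get("value", "")))
        if not ok:
            violations.append(reason)
    return violations


# Constructed sample pods: one compliant, one that should be refused.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {"securityContext": {"sysctls": [
        {"name": "kernel.shm_rmid_forced", "value": "1"},
        {"name": "net.ipv4.ip_local_port_range", "value": "32768 60999"},
    ]}},
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "spec": {"securityContext": {"sysctls": [
        {"name": "kernel.core_pattern", "value": "core"},      # not on the allowlist
        {"name": "net.ipv4.tcp_syncookies", "value": "1;echo"},  # value is not a plain token
    ]}},
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        problems = validate_pod_sysctls(pod)
        print(f"{label}: {'accepted' if not problems else 'rejected'}")
        for p in problems:
            print("  -", p)
```

Running the module prints `good: accepted` and `bad: rejected` with two reasons. The same check fits naturally into a validating admission webhook or a policy engine rule, which is the right place to enforce it when the runtime itself cannot be trusted to do so.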