release_agent exploit - Relative Paths to PIDs
For further details check the blog port from https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html. This is just a summary:
The technique outlines a method for executing host code from within a container, overcoming challenges posed by storage-driver configurations that obscure the container's filesystem path on the host, like Kata Containers or specific devicemapper
settings.
Key steps:
Locating Process IDs (PIDs): Using the
/proc/<pid>/root
symbolic link in the Linux pseudo-filesystem, any file within the container can be accessed relative to the host's filesystem. This bypasses the need to know the container's filesystem path on the host.PID Bashing: A brute force approach is employed to search through PIDs on the host. This is done by sequentially checking for the presence of a specific file at
/proc/<pid>/root/<file>
. When the file is found, it indicates that the corresponding PID belongs to a process running inside the target container.Triggering Execution: The guessed PID path is written to the
cgroups release_agent
file. This action triggers the execution of therelease_agent
. The success of this step is confirmed by checking for the creation of an output file.
Exploitation Process
The exploitation process involves a more detailed set of actions, aiming to execute a payload on the host by guessing the correct PID of a process running inside the container. Here's how it unfolds:
Initialize Environment: A payload script (
payload.sh
) is prepared on the host, and a unique directory is created for cgroup manipulation.Prepare Payload: The payload script, which contains the commands to be executed on the host, is written and made executable.
Set Up Cgroup: The cgroup is mounted and configured. The
notify_on_release
flag is set to ensure that the payload executes when the cgroup is released.Brute Force PID: A loop iterates through potential PIDs, writing each guessed PID to the
release_agent
file. This effectively sets the payload script as therelease_agent
.Trigger and Check Execution: For each PID, the cgroup's
cgroup.procs
is written to, triggering the execution of therelease_agent
if the PID is correct. The loop continues until the output of the payload script is found, indicating successful execution.
PoC from the blog post:
Last updated