Improperly secured privileged containers on the Play with Docker testing platform offered security researchers a way to escape Linux containers and run arbitrary code on the host system.
An attacker successfully exploiting the flaw would have had high-level access to the Play with Docker (PWD) host, and with it access to all running containers.
Starting from scratch
The exploit preyed on the fact that containers all use the same kernel code, something that makes the technology so lightweight and attractive. By contrast, virtual machines load a new kernel for every instance.
Starting from this, CyberArk researchers set out to hack Play with Docker, a support platform for anyone who wants to run quick Docker commands, get familiar with Docker containerization by building and running Docker containers, or create clusters.
“Escaping a container may be regarded as the first step in an attack against an enterprise infrastructure since many enterprises are running public-facing containers nowadays, which may lead the attackers into the enterprise network,” the experts say in a report shared with BleepingComputer.
The experts started by learning about the host system by running the ‘uname’ command, which prints out the kernel version, architecture, name, the root UUID (universally unique identifier) and build date.
Getting access to the root directory
They tried to mount the host’s root drive inside the container but in-place protection prevented this action. More poking around gave the researchers more information, like the host hardware.
Using the ‘debugfs’ filesystem debugger, they were able to get access to the host’s root directory and roam the filesystem in search of a kernel module that used the ‘printk’ kernel function and fit their attack approach.
What CyberArk experts were able to accomplish was to take a Linux kernel module that was compiled in their laboratory and inject it into the PWD Linux kernel, Nimrod Stoler, one of the researchers working on the project, told BleepingComputer.
The module they used was ceph.ko, loaded by the kernel for the Ceph software storage platform. This was not a specific target, as any other module using the ‘printk’ function would have sufficed. It served as the basis for a module that tricked the target kernel into loading it.
“The end goal is to run a reverse shell. This may be accomplished using a special kernel function call_usermodehelper(), which is used to prepare and start a user-mode application from the kernel,” the researchers explained in the technical report.
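The escape only worked because the container ran privileged, which hands it the full capability set (including CAP_SYS_MODULE, needed to load a module) and the host’s block devices (which debugfs read). As an added example, not CyberArk’s or Docker’s code, the audit below reads the JSON that `docker inspect` prints and flags those settings; the entries are constructed here, and the field names are the ones `docker inspect` reports under `HostConfig`.

```python
import json

# Constructed sample in the shape `docker inspect <container>...` prints,
# trimmed to the fields the audit reads. Not data from the real PWD host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/pwd-session", "HostConfig": {"Privileged": True, "CapAdd": [],
                                            "CapDrop": [], "Devices": []}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": ["SYS_MODULE"],
                                    "CapDrop": [], "Devices": []}},
    {"Name": "/db", "HostConfig": {"Privileged": False, "CapAdd": [], "CapDrop": [],
                                   "Devices": [{"PathOnHost": "/dev/sda",
                                                "PathInContainer": "/dev/sda",
                                                "CgroupPermissions": "rwm"}]}},
    {"Name": "/hardened", "HostConfig": {"Privileged": False, "CapAdd": [],
                                         "CapDrop": ["ALL"], "Devices": []}},
])

# Capabilities that let a container reach the host kernel or raw disks,
# which is what the PWD escape needed (module loading, device access).
RISKY_CAPS = {"SYS_MODULE", "SYS_ADMIN", "SYS_RAWIO", "ALL"}


def audit_container(entry):
    """Return the findings for one `docker inspect` entry (empty list = clean)."""
    hc = entry.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        # --privileged: every capability plus all of the host's /dev nodes.
        findings.append("privileged: full capability set and all host devices")
    added = {c.upper().replace("CAP_", "", 1) for c in hc.get("CapAdd") or []}
    for cap in sorted(added & RISKY_CAPS):
        findings.append(f"CAP_{cap} added")
    for dev in hc.get("Devices") or []:
        # A mapped host disk is enough for debugfs to walk the host filesystem.
        findings.append(f"host device exposed: {dev.get('PathOnHost')}")
    return findings


def audit(inspect_json):
    """Map container name -> findings, listing only containers with findings."""
    report = {}
    for entry in json.loads(inspect_json):
        findings = audit_container(entry)
        if findings:
            report[entry["Name"].lstrip("/")] = findings
    return report


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

On a live host, feed it `docker inspect $(docker ps -q)`; a container with no findings still shares the kernel, so the audit is a policy check, not proof of isolation.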
Several steps later, the CyberArk boffins were able to set up a reverse shell and run arbitrary code on the host. The details about achieving this are available in a video from the researchers below:
The idea for hacking PWD came from Eviatar Gerzi. On November 6, 2018, the researchers reported the flaw to Docker, who acknowledged the bug the next day, informing that a fix would follow shortly. On January 7, 2019, CyberArk confirmed that the vulnerability was no longer present.