Docker user? Haven't patched Dirty COW yet? Got bad news for you
Repeat after me, containerization isn't protection, it's a management feature
Here's another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers.
That news comes from Paranoid Software's Gabriel Lawrence, who describes the escape here.
Dirty COW is a race condition in the Linux kernel's memory subsystem, arising from how it handles Copy-On-Write (the COW in the name) for private memory mappings.
Lawrence writes: “more interesting to me than a local privilege escalation, this is a bug in the Linux kernel, containers such as Docker won't save us.”
Lawrence explains an exploit by "Scumjr" focussed on the vDSO – virtual dynamic shared object – “a small shared library that the kernel automatically maps into the address space of all user-space applications”. It exists so that very frequently-used system calls can be invoked without impacting performance.
The proof-of-concept attacks “the clock_gettime() function in the vDSO memory space” using Dirty COW, to get a crash and root shell.
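Because the vDSO is one kernel-provided page mapped into every process, a tampered copy shows up everywhere at once, which makes it a useful integrity tripwire. The following is an added example (not Lawrence's or Scumjr's code, and not from the PoC repository): it locates the [vdso] entry in /proc/&lt;pid&gt;/maps and hashes those bytes so the digest can be compared between processes, or between a container and its host, against a known-good baseline. The maps sample is constructed; reading another process's memory needs ptrace permission.

```python
"""Locate a process's [vdso] mapping and hash it for baseline comparison."""
import hashlib
import re
import sys

# One /proc/<pid>/maps line: start-end perms offset dev inode [pathname]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\S+\s*(.*)$")


def find_vdso(maps_text):
    """Return (start, end, perms) for the [vdso] entry, or None if absent."""
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if m and m.group(4) == "[vdso]":
            return int(m.group(1), 16), int(m.group(2), 16), m.group(3)
    return None


def vdso_is_writable(perms):
    """A writable vDSO mapping is never expected and is worth alerting on."""
    return "w" in perms


def vdso_digest(pid="self"):
    """Read the live vDSO pages out of /proc/<pid>/mem and SHA-256 them.

    Returns (perms, hexdigest), or None when no [vdso] mapping is present.
    Requires Linux and ptrace access to the target process.
    """
    with open(f"/proc/{pid}/maps") as maps:
        entry = find_vdso(maps.read())
    if entry is None:
        return None
    start, end, perms = entry
    with open(f"/proc/{pid}/mem", "rb") as mem:
        mem.seek(start)
        data = mem.read(end - start)
    return perms, hashlib.sha256(data).hexdigest()


# Constructed sample of /proc/self/maps output; addresses are made up.
SAMPLE_MAPS = """\
55d4c9a00000-55d4c9a01000 r-xp 00000000 fd:01 1234 /usr/bin/sleep
7ffd1c3e0000-7ffd1c401000 rw-p 00000000 00:00 0 [stack]
7ffd1c4f2000-7ffd1c4f5000 r--p 00000000 00:00 0 [vvar]
7ffd1c4f5000-7ffd1c4f7000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    # Usage: python vdso_check.py [pid ...]; defaults to this process.
    for pid in sys.argv[1:] or ["self"]:
        print(pid, vdso_digest(pid))
```

Run it on the host and inside a container: since both share one kernel, the digests should match, and a mismatch or a writable mapping is a signal worth investigating.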
“I am the root user and that I see files on the host outside of those on the container,” Lawrence writes.
Lawrence has posted a video showing root access on an AWS test environment, below. The proof-of-concept code is at GitHub. ®