Docker user? Haven't patched Dirty COW yet? Got bad news for you

Repeat after me, containerization isn't protection, it's a management feature

Here's another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers.

That news comes from Paranoid Software's Gabriel Lawrence, who describes the escape here.

Dirty COW is a race condition in Linux arising from how Copy-On-Write (the COW in the name) is handled by the kernel's memory subsystem's use of private mappings.

Lawrence writes: “more interesting to me than a local privilege escalation, this is a bug in the Linux kernel, containers such as Docker won't save us.”

Lawrence explains an exploit by "Scumjr" focussed on the vDSO – virtual dynamic shared object – “a small shared library that the kernel automatically maps into the address space of all user-space applications”. It exists so that very frequently-used system calls can be invoked without impacting performance.

The proof-of-concept attacks “the clock_gettime() function in the vDSO memory space” using Dirty COW, to get a crash and root shell.

“I am the root user and that I see files on the host outside of those on the container,” Lawrence writes.

Lawrence has posted a video showing root access on an AWS test environment, below. The proof-of-concept code is at GitHub. ®

Youtube Video

Sponsored: The Joy and Pain of Buying IT - Have Your Say


Biting the hand that feeds IT © 1998–2017