Virtualisation isn’t protection: an attacker can escape containers
Here’s another reason to pay attention to patching your Linux systems against the Dirty COW vulnerability: it can be used to escape Docker containers.
That news comes from Paranoid Software’s Gabriel Lawrence, who describes the escape in a write-up.
Dirty COW (CVE-2016-5195) is a race condition in the Linux kernel’s memory subsystem: by racing the copy-on-write handling (the COW in the name) of a private, read-only file mapping, an unprivileged process can get the kernel to write into the underlying page rather than into a private copy, and so modify a file it is only permitted to read. Containers share the host kernel, so the bug is reachable from inside a container exactly as it is from the host.
Lawrence writes: “more interesting to me than a local privilege escalation, this is a bug in the Linux kernel, containers such as Docker won’t save us.”
Lawrence and collaborators focussed on the vDSO – virtual dynamic shared object – “a small shared library that the kernel automatically maps into the address space of all user-space applications”.
It exists so that a handful of very frequently called system calls, such as gettimeofday() and clock_gettime(), can be serviced in user space without the cost of a kernel transition. The same physical pages back the vDSO in every process on the host, inside and outside any container.
The proof-of-concept (attributed to “Scumjr”) uses Dirty COW to patch “the clock_gettime() function in the vDSO memory space”. Because that page is shared host-wide, the payload runs in whichever process next calls clock_gettime(), and when that caller is privileged the result is a root shell on the host.
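As an added example (not the article’s text, nor the PoC author’s code), the following C program locates the vDSO the kernel has mapped into the running process, resolves the clock_gettime() entry point the PoC patched, and fingerprints the whole image, which is what a host-side integrity check would compare against a known-good value recorded for that kernel build. It assumes a Linux target with `getauxval()`, a vDSO that carries a SysV `DT_HASH` table (true of mainline x86 and arm64 builds), and the exported names `__vdso_clock_gettime` (x86) or `__kernel_clock_gettime` (arm64); the baseline fingerprint is the reader’s to record, and the FNV-1a hash is an arbitrary choice.

```c
/* vdso_check.c: inspect the vDSO mapped into this process (added example). */
#define _GNU_SOURCE
#include <elf.h>
#include <link.h>        /* ElfW() */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/auxv.h>

typedef struct {
    uintptr_t base;          /* address of the vDSO ELF header */
    uintptr_t bias;          /* base minus p_vaddr of the first PT_LOAD */
    size_t len;              /* bytes of image covered by PT_LOAD segments */
    const ElfW(Sym) *dynsym;
    const char *dynstr;
    uint32_t nsyms;          /* nchain from DT_HASH == number of dynsym entries */
} vdso_t;

/* Parse the in-memory vDSO. Returns 0 on success, -1 if absent or unexpected. */
int vdso_open(vdso_t *v) {
    memset(v, 0, sizeof *v);
    uintptr_t base = (uintptr_t)getauxval(AT_SYSINFO_EHDR);  /* kernel-supplied */
    if (!base) return -1;
    const ElfW(Ehdr) *eh = (const ElfW(Ehdr) *)base;
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) != 0) return -1;
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *)(base + eh->e_phoff);
    const ElfW(Dyn) *dyn = NULL;
    uintptr_t first = 0, end = 0;
    int seen_load = 0;
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type != PT_LOAD) continue;
        if (!seen_load) { first = ph[i].p_vaddr; seen_load = 1; }
        if (ph[i].p_vaddr + ph[i].p_filesz > end) end = ph[i].p_vaddr + ph[i].p_filesz;
    }
    if (!seen_load) return -1;
    v->base = base;
    v->bias = base - first;      /* the vDSO is linked at vaddr 0, so bias == base */
    v->len = end - first;
    for (int i = 0; i < eh->e_phnum; i++)
        if (ph[i].p_type == PT_DYNAMIC) dyn = (const ElfW(Dyn) *)(ph[i].p_vaddr + v->bias);
    if (!dyn) return -1;
    const uint32_t *hash = NULL;
    for (; dyn->d_tag != DT_NULL; dyn++) {
        switch (dyn->d_tag) {
        case DT_SYMTAB: v->dynsym = (const ElfW(Sym) *)(dyn->d_un.d_ptr + v->bias); break;
        case DT_STRTAB: v->dynstr = (const char *)(dyn->d_un.d_ptr + v->bias); break;
        case DT_HASH:   hash = (const uint32_t *)(dyn->d_un.d_ptr + v->bias); break;
        }
    }
    if (!v->dynsym || !v->dynstr || !hash) return -1;
    v->nsyms = hash[1];          /* SysV hash layout: nbucket, nchain, ... */
    return 0;
}

/* Resolve an exported vDSO symbol by name (linear scan; the table is tiny). */
void *vdso_lookup(const vdso_t *v, const char *name) {
    for (uint32_t i = 0; i < v->nsyms; i++) {
        const ElfW(Sym) *s = &v->dynsym[i];
        if (s->st_shndx == SHN_UNDEF || s->st_value == 0) continue;
        if (strcmp(v->dynstr + s->st_name, name) == 0) return (void *)(s->st_value + v->bias);
    }
    return NULL;
}

/* Call clock_gettime through the vDSO entry point the PoC targets.
 * x86 exports __vdso_clock_gettime, arm64 __kernel_clock_gettime. */
int vdso_clock_gettime(const vdso_t *v, struct timespec *ts) {
    typedef int (*cgt_t)(clockid_t, struct timespec *);
    cgt_t fn = (cgt_t)vdso_lookup(v, "__vdso_clock_gettime");
    if (!fn) fn = (cgt_t)vdso_lookup(v, "__kernel_clock_gettime");
    if (!fn) return -1;
    return fn(CLOCK_REALTIME, ts) == 0 ? 0 : -1;
}

/* FNV-1a over the mapped image. Same kernel build and boot => same value;
 * any byte written into the shared page, as the PoC does, changes it. */
uint64_t vdso_fingerprint(const vdso_t *v) {
    const unsigned char *p = (const unsigned char *)v->base;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < v->len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* Compare against a baseline recorded from a trusted boot of the same kernel. */
int vdso_matches(const vdso_t *v, uint64_t baseline) {
    return vdso_fingerprint(v) == baseline;
}

/* Copy the first n bytes of a vDSO function so its prologue can be diffed
 * across hosts; returns n, or -1 if the symbol is missing. */
int vdso_prologue(const vdso_t *v, const char *name, unsigned char *out, size_t n) {
    const unsigned char *fn = vdso_lookup(v, name);
    if (!fn) return -1;
    memcpy(out, fn, n);
    return (int)n;
}

int main(void) {
    vdso_t v;
    struct timespec ts;
    unsigned char pro[8];
    if (vdso_open(&v) != 0) { fprintf(stderr, "no usable vDSO\n"); return 1; }
    printf("vDSO at %#lx, %zu bytes, %u symbols\n", (unsigned long)v.base, v.len, v.nsyms);
    printf("clock_gettime via vDSO: %s\n", vdso_clock_gettime(&v, &ts) == 0 ? "ok" : "unavailable");
    printf("fingerprint: %016llx\n", (unsigned long long)vdso_fingerprint(&v));
    if (vdso_prologue(&v, "__vdso_clock_gettime", pro, sizeof pro) > 0 ||
        vdso_prologue(&v, "__kernel_clock_gettime", pro, sizeof pro) > 0) {
        printf("clock_gettime prologue:");
        for (size_t i = 0; i < sizeof pro; i++) printf(" %02x", pro[i]);
        printf("\n");
    }
    return 0;
}
```

Run it on the host and inside a container on the same host: the fingerprints agree because the vDSO is one set of physical pages, which is exactly why a write made through Dirty COW from inside the container is seen by every process outside it. The baseline must come from the same kernel build and boot; it is a property of the kernel image, not of the process or the container.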
“I am the root user and I see files on the host outside of those in the container,” Lawrence writes.
Lawrence has posted a video showing root access on an AWS test environment.
The proof-of-concept code is on GitHub. ®