Then, we run our exploit, attempting to add a string “Hello World” to the top of the file. Initially, we can see that our file contains the expected content: As a demonstration, we’ll use /etc/shells.
SECURE PIPES FILES CODE
We’ll then copy in our exploit code - just a compiled version of the code in the original vulnerability disclosure blog - and try to modify a file from the underlying image.
The exploit should work with any image but this one is a clean base. The starting point is an Ubuntu 21.04 system running Docker 20.10.10, with no container images currently downloaded locally.įirst, we start a container based on the ubuntu:21.04 image, which will pull a fresh copy of the image from Docker Hub. Using the exploit provided by Max Kellermann in his blog, we can try to modify a file on the underlying system to see what happens. The original file should remain unmodified. When a user inside a container modifies a file from the underlying image, the original file should be copied to a new location specific to that container, and the modification applied there. The page that disclosed the vulnerability has details and great background, so we’ll focus here on the impact from a container perspective.Īn essential part of modern containerization is the use of overlay file systems, where a shared read-only image is used to create running containers. To mitigate this issue, affected systems - those running Linux kernel 5.8 or above - should be patched immediately. This could enable an attacker to effectively modify containers that are running against a shared image, or to poison an image on a host so that new containers would receive modified files.
SECURE PIPES FILES SOFTWARE
Looking at this vulnerability from the perspective of hosts using containerization software such as Docker, it was possible to modify files from container images on the host, from inside a container - something that generally shouldn’t be possible. CVE-2022-0847, aka “Dirty Pipe”, is a vulnerability that allows users on a Linux system to overwrite the contents of files that they can read but shouldn’t be able to write to. A new CVE in the Linux kernel was released this week.
0 kommentar(er)
