This repo contains proof-of-concept exploit code for CVE-2020-15257 as described in our blog post. While written for containerd 1.2.x and 1.3.x, it should work on pre-patch versions of containerd 1.4.x.
$ go build
$ docker build -t abstractshimmer .
$ docker run --rm -d --network host abstractshimmer | xargs docker logs -f
$ cat /tmp/shimmer.out
$ cat /tmp/shimmer.binary
$ # or, for containerd 1.2.x
$ cat /etc/crontab
Note: This exploit will leave Docker/containerd a bit out of sorts. There
will be a dangling containerd-shim and Docker container that need to be killed
and docker rm --force'd respectively to clean things up a bit.
/var/lib/containerd/io.containerd.runtime.v1.linux/moby/ and
/run/containerd/io.containerd.runtime.v1.linux/moby/ will have some leftovers
as well. As part of this, this exploit does not attempt to reconcile
containerd's address files. This may lead to issues where attempting to
update a vulnerable system after exploiting it will result in Docker/containerd
failing to restart cleanly and/or being unable to see existing containers. If
you observe this while updating your containerd package, it may be an indicator
that the system has been previously compromised by some variant of this
exploit.