
cGroup Breakout

yanivyakobovich edited this page Jan 17, 2022 · 1 revision

Abusing the Linux cgroup v1 release_agent feature to escape from a container to the host

Info:

Overlay - https://blogs.cisco.com/developer/373-containerimages-03

Exploit - https://0xdf.gitlab.io/2021/05/17/digging-into-cgroups.html#background

Requirements:

  1. Running as root inside the container

  2. Running with CAP_SYS_ADMIN and the container must lack an AppArmor profile

    OR

    cGroup v1 virtual file system as read-write
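The requirements above double as an audit checklist. The script below is an added example, not part of the original wiki page: run from inside a container, it reads only /proc (CapEff from /proc/self/status, /proc/mounts, /proc/self/attr/current) and reports whether the listed preconditions hold. The helper names (`has_cap_sys_admin`, `cgroup_v1_rw`, `apparmor_unconfined`, `release_agent_exposed`, `live_audit`) and the sample CapEff masks and mount lines are constructed for the example. Mitigation follows directly from the same checklist: run the container as a non-root user, keep CAP_SYS_ADMIN out of the capability set, keep the AppArmor profile, and mount cgroups read-only (or use cgroup v2, which has no release_agent at all).

```shell
#!/bin/sh
# Added audit example (not part of the original wiki page): checks, from inside a
# container, whether the preconditions listed above for the cgroup v1 release_agent
# escape are present. It only reads /proc and prints findings; it mounts nothing.

CAP_SYS_ADMIN_BIT=21   # bit index of CAP_SYS_ADMIN in the CapEff mask (linux/capability.h)

# has_cap_sys_admin HEXMASK -> status 0 if CAP_SYS_ADMIN is in the effective set
has_cap_sys_admin() {
    mask="$1"
    case "$mask" in
        "" | *[!0-9a-fA-F]*) return 1 ;;   # empty or malformed mask: treat as absent
    esac
    [ $(( (0x$mask >> $CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# cgroup_v1_rw MOUNTS_TEXT -> status 0 if any cgroup v1 controller (fstype "cgroup",
# not "cgroup2") is mounted read-write; input is text in /proc/mounts format
cgroup_v1_rw() {
    printf '%s\n' "$1" | awk '
        $3 == "cgroup" {
            n = split($4, opt, ",")
            for (i = 1; i <= n; i++) if (opt[i] == "rw") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# apparmor_unconfined LABEL -> status 0 if /proc/self/attr/current shows no profile
apparmor_unconfined() {
    case "$1" in
        "" | unconfined*) return 0 ;;
        *) return 1 ;;
    esac
}

# release_agent_exposed UID HEXMASK MOUNTS_TEXT AA_LABEL
# Encodes the page's requirements: root inside the container AND
# (CAP_SYS_ADMIN without an AppArmor profile OR cgroup v1 mounted rw).
release_agent_exposed() {
    uid="$1"; capeff="$2"; mounts="$3"; aa="$4"
    [ "$uid" = "0" ] || return 1
    if has_cap_sys_admin "$capeff" && apparmor_unconfined "$aa"; then
        return 0
    fi
    cgroup_v1_rw "$mounts"
}

# live_audit: evaluate the process running this script (Linux only)
live_audit() {
    uid=$(id -u)
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null || true)
    mounts=$(cat /proc/mounts 2>/dev/null || true)
    aa=$(cat /proc/self/attr/current 2>/dev/null || true)
    if release_agent_exposed "$uid" "$capeff" "$mounts" "$aa"; then
        echo "EXPOSED: root + (CAP_SYS_ADMIN without AppArmor, or cgroup v1 mounted rw)"
    else
        echo "not exposed by the page's criteria (uid=$uid CapEff=$capeff)"
    fi
}

# Constructed sample inputs (not captured from a real system):
SAMPLE_MOUNTS_V1_RW='cgroup /sys/fs/cgroup/rdma cgroup rw,nosuid,nodev,noexec,relatime,rdma 0 0'
SAMPLE_MOUNTS_V1_RO='cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0'
SAMPLE_MOUNTS_V2_RW='cgroup2 /sys/fs/cgroup cgroup2 rw,nosuid,nodev,noexec,relatime 0 0'
SAMPLE_CAPS_FULL=0000003fffffffff     # privileged-style effective set, bit 21 set
SAMPLE_CAPS_DOCKER=00000000a80425fb   # Docker's default set, no CAP_SYS_ADMIN

# Usage: sh audit.sh --live   (prints the verdict for the current container)
if [ "${1:-}" = "--live" ]; then
    live_audit
fi
```

Each predicate mirrors one bullet of the requirements list, so a "not exposed" verdict means only that this particular precondition set is absent; a read-write cgroup v1 mount is the single condition that makes the escape possible even without CAP_SYS_ADMIN, which is why that check stands alone in `release_agent_exposed`.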

Exploit:

  1. The first step is to gain access to the RDMA controller. If cgroup is mounted read-write, you already have access to the default mount point of the RDMA controller, which is /sys/fs/cgroup/rdma. Otherwise, mount the controller at a mount point of your choice (this requires CAP_SYS_ADMIN).
  2. Create a new cgroup within that controller: create a folder under the RDMA controller.
  3. Register notify_on_release for that cgroup: write 1 to notify_on_release inside the relevant folder.
  4. Use sed to extract the upperdir path of the current container's overlay filesystem on the host. Any write to this path on the host appears inside the current container as well (see the overlay link under Info).
  5. Write to release_agent the path of the desired script as seen from the host. Say the script is named cmd and is located at /cmd in the container; the path to write is then $upperdir/cmd, where upperdir is the value from step 4.
  6. Trigger the release: start a process and add it to the new cgroup by writing its PID to cgroup.procs. When that process terminates, the kernel sees the PID terminate and finds it in the cgroup we created. It removes that PID from cgroup.procs and, because the cgroup is now empty and notify_on_release is set, triggers the release agent, which executes the cmd script on the host.