Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-41091 PoC — Insufficiently restricted permissions on data directory in Docker Engine

Source
https://github.com/UncleJ4ck/CVE-2021-41091
Associated Vulnerability
Title:Insufficiently restricted permissions on data directory in Docker Engine (CVE-2021-41091)
Description:Moby is an open-source project created by Docker to enable software containerization. A bug was found in Moby (Docker Engine) where the data directory (typically `/var/lib/docker`) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as `setuid`), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This bug has been fixed in Moby (Docker Engine) 20.10.9. Users should update to this version as soon as possible. Running containers should be stopped and restarted for the permissions to be fixed. For users unable to upgrade limit access to the host to trusted users. Limit access to host volumes to trusted containers.
Description
POC for CVE-2021-41091
Readme
# CVE-2021-41091

This exploit offers an in-depth look at the CVE-2021-41091 security vulnerability and provides a step-by-step guide on how to utilize the exploit script to achieve privilege escalation on a host.

## Vulnerability Summary

CVE-2021-41091 is a flaw in Moby (Docker Engine) that allows unprivileged Linux users to traverse and execute programs within the data directory (usually located at /var/lib/docker) due to improperly restricted permissions. This vulnerability is present when containers contain executable programs with extended permissions, such as setuid. Unprivileged Linux users can then discover and execute those programs, as well as modify files if the UID of the user on the host matches the file owner or group inside the container.

## Overlay 

The overlay filesystem is a critical component in exploiting this vulnerability. Docker's overlay filesystem enables the container's file system to be layered on top of the host's file system, thus allowing the host system to access and manipulate the files within the container. In the case of CVE-2021-41091, the overly permissive directory permissions in /var/lib/docker/overlay2 enable unprivileged users to access and execute programs within the containers, leading to a potential privilege escalation attack.
Exploitation Steps

1. Connect to the Docker container hosted on your machine and obtain root access.

2. Inside the container, set the setuid bit on /bin/bash with the following command: `chmod u+s /bin/bash`

3. On the host system, run the provided exploit script (poc.sh) by cloning the repository and executing the script as follows:

```
git clone https://github.com/UncleJ4ck/CVE-2021-41091
cd CVE-2021-41091
chmod +x ./poc.sh
./poc.sh
```

4. The script will prompt you to confirm if you correctly set the setuid bit on /bin/bash in the Docker container. If the answer is "yes," the script will check if the host is vulnerable and iterate over the available overlay2 filesystems. If the system is indeed vulnerable, the script will attempt to gain root access by spawning a shell in the vulnerable path (the filesystem of the Docker container where you executed the setuid command on /bin/bash).


<img src="https://i.imgur.com/gWUcKUX.png">

> Tested on docker engine version 20.10.5+dfsg1

# Mitigation

It is crucial to update Docker to version 20.10.9 or higher to address this vulnerability.


## TO-DO

- [ ] Add Many Cases for other privilige escalation scenarios
- [x] Fix Bugs


## Credit

> https://www.cyberark.com/resources/threat-research-blog/how-docker-made-me-more-capable-and-the-host-less-secure
File Snapshot

 [4.0K]  /data/pocs/0741eb8dfb42ffa0cc4e22e8780f2b01e9c8a1cc
├── [2.4K]  exp.sh
└── [2.6K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →