Docker permissions combined with a number of other lower risk issues, resulted in an attack path that allowed privilege escalation to root from a low-privileged user.
As this configuration was non-standard rare to see, we thought we’d share our observations and methods for leveraging this particular weakness to the wider community. We will be doing this through an example, which was deployed to a WithSecure lab environment and only copied certain technical details observed on the engagement that are relevant to the attack path we will demonstrate. All users, containers, etc., are bespoke to this environment and do not represent the client’s environment.
During our research, we did identify this was a previously identified issue with an assigned CVE (CVE-2021-41091) by CyberArk that they published when they were researching ways to get SUID binaries for privilege escalation.