On 5/7/26 18:28, Jens Axboe wrote:
I won't comment too much on this to avoid offending anyone, but I'm a
bit puzzled by:

"Once we have the address of modprobe_path (from KASLR step above), we
write our script path via /proc/sys/kernel/modprobe:

int fd = open("/proc/sys/kernel/modprobe", O_WRONLY);
write(fd, "/var/tmp/evil.sh", 16);

This sysctl entry writes directly into modprobe_path in kernel memory
and is writable with CAP_SYS_ADMIN, which we already have via
CAP_NET_ADMIN on container configurations that grant both."

as surely the point of a local exploit is, in fact, to gain root in the
first place. If you already have CAP_SYS_ADMIN, what is the point?

But hey, someone wrote a blog post about something that sounds
dangerous.

I'm not the original author of the blog post, so I can't speak for their intent; however, I imagine the impact for the proposed scenario would be a container escape of some kind? It's not exactly uncommon to see containers with lax permissions such as the above, given under the assumption that the underlying containerization technologies will provide a sufficient level of security.
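As an added illustration (not code from this thread or from the blog post quoted in it), a small shell audit helper that reports whether the calling process holds CAP_NET_ADMIN or CAP_SYS_ADMIN and whether the modprobe sysctl is writable from the current context, which is the combination the quoted passage depends on. The capability bit numbers are the kernel's capability.h constants; the /proc paths are the standard procfs ones.

```shell
# Added example, not part of the thread: audit the capability state the
# quoted blog passage assumes (CAP_SYS_ADMIN reachable from a container)
# and whether /proc/sys/kernel/modprobe is writable from here.
# Bit numbers are from include/uapi/linux/capability.h.
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21

# cap_set HEXMASK BIT -> exit 0 if BIT is set in the hex capability mask
# (the format used by the CapEff/CapPrm lines in /proc/<pid>/status)
cap_set() {
    mask=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# effective_caps -> CapEff mask of the current process, e.g. 000001ffffffffff
effective_caps() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# modprobe_writable -> exit 0 if the sysctl can be opened for writing.
# -w uses access(2), so a read-only /proc/sys mount or missing DAC write
# permission both make this false.
modprobe_writable() {
    [ -w /proc/sys/kernel/modprobe ]
}

# audit_container: print a short report for the current process context
audit_container() {
    caps=$(effective_caps)
    for c in NET_ADMIN:$CAP_NET_ADMIN SYS_ADMIN:$CAP_SYS_ADMIN; do
        name=${c%%:*}; bit=${c##*:}
        if cap_set "$caps" "$bit"; then
            echo "CAP_$name: present (bit $bit)"
        else
            echo "CAP_$name: absent"
        fi
    done
    if modprobe_writable; then
        echo "WARNING: /proc/sys/kernel/modprobe is writable from this context;"
        echo "         drop CAP_SYS_ADMIN or mount /proc/sys read-only"
    else
        echo "OK: /proc/sys/kernel/modprobe is not writable from this context"
    fi
}
```

Run `audit_container` inside the container under review; a full-capability mask such as 000001ffffffffff reports both capabilities present, while a default Docker mask (00000000a80425fb) reports both absent.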
