On 5/7/26 18:28, Jens Axboe wrote:
> I won't comment too much on this to avoid offending anyone, but I'm a bit puzzled by:
>
> "Once we have the address of modprobe_path (from KASLR step above), we write our script path via /proc/sys/kernel/modprobe:
>
> ```c
> int fd = open("/proc/sys/kernel/modprobe", O_WRONLY);
> write(fd, "/var/tmp/evil.sh", 16);
> ```
>
> This sysctl entry writes directly into modprobe_path in kernel memory and is writable with CAP_SYS_ADMIN, which we already have via CAP_NET_ADMIN on container configurations that grant both."
>
> as surely the point of a local exploit is, in fact, to gain root in the first place. If you already have CAP_SYS_ADMIN, what is the point? But hey, someone wrote a blog post about something that sounds dangerous.
I'm not the original author of the blog post, so I can't speak for their intent; however, I imagine the impact for the proposed scenario would be a container escape of some kind? It's not exactly uncommon to see containers with lax permissions such as the above, given under the assumption that the underlying containerization technologies will provide a sufficient level of security.
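
The check a practitioner would actually run inside such a container, as an added example that is neither from this thread nor from the blog post being discussed: read the effective capability mask from /proc/self/status, report whether CAP_NET_ADMIN (bit 12) and CAP_SYS_ADMIN (bit 21) are held, and test whether /proc/sys/kernel/modprobe can be opened for writing. It deliberately never writes to the sysctl. The helper names and the sample status text used for testing are this example's own.

```c
/* Added example, not code from the thread or the blog post it discusses.
 * Reports the process's effective capabilities and whether the modprobe
 * sysctl is writable. Nothing is written to the sysctl.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_NET_ADMIN 12
#define CAP_SYS_ADMIN 21

/* Parse the hex mask following "CapEff:" in /proc/self/status text.
 * Returns 0 and stores the mask in *mask, or -1 if the field is missing
 * or malformed. */
int parse_cap_eff(const char *status, uint64_t *mask)
{
    const char *p = strstr(status, "CapEff:");
    if (!p)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability bit 'cap' is set in 'mask', else 0. */
int has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Read /proc/self/status into buf (NUL-terminated). 0 on success. */
static int read_self_status(char *buf, size_t len)
{
    int fd = open("/proc/self/status", O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, len - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* Open the sysctl write-only and close it again without writing.
 * Returns 1 if the open succeeds, 0 otherwise (EACCES, EROFS, ENOENT...). */
int modprobe_sysctl_writable(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

int main(void)
{
    char status[8192];
    uint64_t caps;

    if (read_self_status(status, sizeof status) < 0 ||
        parse_cap_eff(status, &caps) < 0) {
        perror("reading CapEff from /proc/self/status");
        return 1;
    }
    printf("CapEff = %016llx\n", (unsigned long long)caps);
    printf("CAP_NET_ADMIN: %s\n", has_cap(caps, CAP_NET_ADMIN) ? "yes" : "no");
    printf("CAP_SYS_ADMIN: %s\n", has_cap(caps, CAP_SYS_ADMIN) ? "yes" : "no");
    printf("/proc/sys/kernel/modprobe writable: %s\n",
           modprobe_sysctl_writable("/proc/sys/kernel/modprobe") ? "yes" : "no");
    return 0;
}
```

Two caveats worth keeping in mind when reading the output: kernel.modprobe is a global sysctl, not a per-namespace one, so a successful write from inside a container changes modprobe_path for the whole host; and common runtimes mount /proc/sys read-only inside containers, so the open can fail even when CAP_SYS_ADMIN is present, which is why the writability test is done separately from the capability check.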
