TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Lobsters — security tag

Podman rootless containers and the Copy Fail exploit

garrido.io by ggpsv · 1 day ago · Read original ↗

ATT&CK techniques detected

14 predictions
T1611 Escape to Host
75%
“of the podman run process that is used to run the container. As a result, you can rely on standard UID separation to isolate your container processes from root or other users in the system. As I read about Copy Fail I did not find much information about its use in rootless contai…”
T1611 Escape to Host
70%
“/www/html# cat /test/*.txt
i am bar
cat: /test/foo.txt: Permission denied
cat: /test/root.txt: Permission denied
Copy Fail
At this point we have a good grasp of how rootless containers rely on user namespaces and UIDs for process isolation, and Linux capabilit…”
T1055.001 Dynamic-link Library Injection
67%
“processes are running as root inside the user namespace though still as bar in the host. Also, the exact same set of capabilities persists across both shells:
bar@debian:~$ podman top copyfail huser,user,pid,args,capeff
HUSER USER PID COMMAND EFFECTIVE CAPS
1001 root 1 /bin…”
T1610 Deploy Container
67%
“this note I reproduce the exploit across distinct container configurations to try to understand the exposure of a compromised rootless container. This article ended up being a bit long so feel free to jump ahead to the relevant parts if you need to:
- A practical review of rootl…”
T1610 Deploy Container
65%
“fowner, fsetid, kill, net_bind_service, setfcap, setgid, setpcap, setuid, sys_chroot
1001 root 10 sleep 60 chown, dac_override, fowner, fsetid, kill, net_bind_service, setfcap, setgid, setpcap, setuid, sys_chroot
Nonetheless, our root cannot yet access the mounted h…”
T1059.004 Unix Shell
64%
“var/www/html
RUN groupadd -g 1002 foo
RUN useradd -s /bin/bash -g 1002 -u 1002 foo
RUN chown root:foo /var/www/html
WORKDIR /var/www/html
RUN cat > index.html <<html
<!doctype html>
<html lang="en">
</html>
html
USER foo:foo
EXPOSE 8000
CMD …”
T1611 Escape to Host
58%
“60 none
Once again, foo is limited to reading its own file:
$ cat /test/*.txt
cat: /test/bar.txt: Permission denied
i am foo
cat: /test/root.txt: Permission denied
This is much better. The container has been compromised but it’s still running as unprivileged us…”
T1610 Deploy Container
58%
“su as the unprivileged container user:
bar@debian:~$ podman run --rm -it --name copyfail -v ./test:/test:rw localhost/copyfail /bin/bash
foo@1eccd04fd2bd:/var/www/html$ su
# id
uid=0(root) gid=1002(foo) groups=1002(foo)
Hence, you s…”
T1611 Escape to Host
56%
“fowner, fsetid, kill, net_bind_service, setfcap, setgid, setpcap, setuid, sys_chroot
1001 root 10 sleep 60 chown, dac_override, fowner, fsetid, kill, net_bind_service, setfcap, setgid, setpcap, setuid, sys_chroot
Nonetheless, our root cannot yet access the mounted h…”
T1068 Exploitation for Privilege Escalation
43%
“began with. All we have to do is add --security-opt=no-new-privileges to our podman run command and repeat the exploit:
bar@debian:~$ podman run --rm -it --name copyfail --security-opt=no-new-privileges -v ./test:/test:rw localhost/copyfail…”
T1190 Exploit Public-Facing Application
40%
“began with. All we have to do is add --security-opt=no-new-privileges to our podman run command and repeat the exploit:
bar@debian:~$ podman run --rm -it --name copyfail --security-opt=no-new-privileges -v ./test:/test:rw localhost/copyfail…”
T1611 Escape to Host
37%
“su as the unprivileged container user:
bar@debian:~$ podman run --rm -it --name copyfail -v ./test:/test:rw localhost/copyfail /bin/bash
foo@1eccd04fd2bd:/var/www/html$ su
# id
uid=0(root) gid=1002(foo) groups=1002(foo)
Hence, you s…”
T1059.006 Python
36%
“!doctype html>
<html lang="en">
</html>
Rootless Rootful
Let’s examine what this container process looks like. Using ps I can confirm that this python3 process is owned by the user bar:
root@debian:~# ps -fC python3
UID PID PPID C STIME TTY TIME CMD
bar 4861 4…”
T1611 Escape to Host
32%
“Podman rootless containers and the Copy Fail exploit
On April 29th CVE-2026-31431 was publicly disclosed at https://copy.fail/. This vulnerability allows a local unprivileged user to obtain a root shell by running the…”
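The excerpts above hinge on three facts that "podman top ... huser,user,capeff" shows at a glance: which host UID a container process really runs as, which capabilities its in-container root keeps, and (in the --security-opt=no-new-privileges excerpt) whether no_new_privs is set. The script below is an added example, not code from garrido.io, Podman or the article, that reconstructs the same view from /proc so it works without podman: it decodes a CapEff mask into capability names, maps a namespace UID to the host UID through uid_map, and flags a process that can still raise privileges via setuid binaries such as su. The sample status and uid_map files are constructed (the uid_map assumes host user 1001 with a /etc/subuid range starting at 100000; the capability mask 800405fb is the default set listed in the excerpts). It assumes the status file is read from inside the user namespace, where the Uid: line is namespace-relative.

```shell
#!/bin/sh
# Added example (not from the article or Podman): inspect a container process's
# /proc/<pid>/status and its namespace's /proc/<pid>/uid_map and report host UID,
# effective capabilities and no_new_privs, like "podman top ... huser,user,capeff".

# Capability names indexed by bit number (linux/capability.h order).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# decode_caps HEXMASK: names of the capabilities set in a CapEff/CapBnd mask,
# lowest bit first, comma-separated; "(none)" for an empty mask.
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        bit=$(( bit + 1 ))
    done
    if [ -n "$out" ]; then printf '%s\n' "$out"; else printf '(none)\n'; fi
}

# status_field FILE KEY: first value on the "Key:" line of a /proc/<pid>/status file.
status_field() {
    awk -v key="$2:" '$1 == key { print $2; exit }' "$1"
}

# map_uid UID_MAP_FILE UID: translate a UID seen inside the user namespace to the
# host UID using the "inside outside count" triples of uid_map; prints "unmapped"
# when no range covers it (such IDs appear as nobody/65534 on the host).
map_uid() {
    awk -v q="$2" '
        $1 <= q && q < $1 + $3 { print $2 + (q - $1); found = 1; exit }
        END { if (!found) print "unmapped" }' "$1"
}

# audit_status STATUS_FILE UID_MAP_FILE: what a compromised process can still do.
# STATUS_FILE is assumed to be read from inside the namespace (Uid is namespace-relative).
audit_status() {
    uid=$(status_field "$1" Uid)
    nnp=$(status_field "$1" NoNewPrivs)
    caps=$(decode_caps "$(status_field "$1" CapEff)")
    printf 'uid=%s host_uid=%s no_new_privs=%s\n' "$uid" "$(map_uid "$2" "$uid")" "$nnp"
    printf 'cap_eff=%s\n' "$caps"
    if [ "$nnp" = "0" ]; then
        printf 'warning: no_new_privs unset, setuid/file-capability binaries (su, sudo) can raise privileges on execve\n'
    fi
    case ",$caps," in
        *,sys_admin,*|*,sys_ptrace,*|*,sys_module,*)
            printf 'warning: dangerous capability in effective set\n' ;;
    esac
}

# Constructed sample files (not captured from the article's host): the container's
# root process as seen from inside the namespace with podman's default capability
# set, and a rootless uid_map for host user 1001 whose subuid range starts at 100000.
SAMPLE_STATUS=$(mktemp)
SAMPLE_UIDMAP=$(mktemp)
trap 'rm -f "$SAMPLE_STATUS" "$SAMPLE_UIDMAP"' EXIT
printf 'Name:\tsleep\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nNoNewPrivs:\t0\nCapEff:\t00000000800405fb\nCapBnd:\t00000000800405fb\n' > "$SAMPLE_STATUS"
printf '         0       1001          1\n         1     100000      65536\n' > "$SAMPLE_UIDMAP"

audit_status "$SAMPLE_STATUS" "$SAMPLE_UIDMAP"
# Against a live container, from inside it:
#   audit_status /proc/self/status /proc/self/uid_map
```

With the sample, in-container uid 0 maps to host uid 1001 (the "huser" column in the excerpts), uid 1002 (foo) maps to 101001, and the process is flagged because NoNewPrivs is 0; rerunning the container with --security-opt=no-new-privileges makes that line read 1 and the first warning disappear.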
