For this week's TTP Tuesday, we're providing a Docker container escape. This TTP demonstrates how to escape from a Docker container that can mount the host filesystem. Containers that are running in privileged mode share a namespace with the host system, so the root user within the container is effectively also root on the host system. If a container is running in privileged mode, an attacker may read, write, and execute files on the host system.
The issue affects any Docker container running with the
--privileged flag. Note that this is not a vulnerability in Docker code, but rather a common security misconfiguration of the Docker container.
Is my Docker container vulnerable to host filesystem mounting? TTP on each Docker container in your environment to test if you are vulnerable.
The TTP checks if the agent is running within a privileged Docker container. Next, it checks if the host filesystem can be mounted. Finally, it will attempt to establish persistence on the host via Unix shell configuration modification.
The recommended remediation is to not run Docker containers in privileged mode.
Check out the TTP Is my Docker container vulnerable to host filesystem mounting? on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg