For this week's TTP Tuesday, we're providing two Docker container escapes and a Docker container privilege escalation. These TTPs demonstrate how to escape from a Docker container using a cgroup controller release_agent, and how to elevate privilege within a container by abusing the hostPID permission. If a container is vulnerable, an attacker may be able to spawn a root shell on the host system.
Cgroups are a Linux kernel feature used to create hierarchical process groups. Linux kernel subsystems use these to modify the behavior of process groups, such as limiting the resources allocated to those processes.
A cgroup becomes empty when there are no running processes within it and it has no child cgroups. When this happens, the cgroup's release_agent is invoked and performs whatever action is stored in the release_agent file.
By manipulating a cgroup's release_agent file, it's possible to perform a container escape to the host system.
Note that this is not a vulnerability in Docker code, but rather a common security misconfiguration of Docker containers.
Execute Operator's "Is my Docker container vulnerable to cgroup controller escapes?" chain on each Docker container in your environment to test whether you are vulnerable.
The chain tests two Docker cgroup controller escapes that will start a privileged Pneuma agent on the Docker host, and a privilege escalation that requires the hostPID flag to be enabled.
The recommended remediation is to not run containers in privileged mode.
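As an added example (not part of Prelude's chain or Operator), the audit below reads `docker inspect` output from the host and flags the misconfigurations the post describes: privileged mode, an added CAP_SYS_ADMIN, a read-write bind mount of the host cgroup filesystem, and pid=host. The sample JSON is constructed so the script runs offline; `audit_live` is a hypothetical wrapper that feeds it real output.

```python
import json
import subprocess

# Constructed sample of `docker inspect` output for two containers.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaaa1111", "Name": "/web",
     "HostConfig": {"Privileged": False, "PidMode": "", "CapAdd": None},
     "Mounts": []},
    {"Id": "bbbb2222", "Name": "/debug",
     "HostConfig": {"Privileged": True, "PidMode": "host",
                    "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/sys/fs/cgroup",
                 "Destination": "/sys/fs/cgroup", "RW": True}]},
])


def audit_inspect(inspect_json: str) -> dict:
    """Map container name -> list of findings that enable the release_agent
    escape (privileged / CAP_SYS_ADMIN / writable cgroup fs) or the hostPID
    privilege escalation (pid=host)."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged: all capabilities, cgroup fs writable")
        caps = {cap.upper().replace("CAP_", "") for cap in hc.get("CapAdd") or []}
        if caps & {"SYS_ADMIN", "ALL"}:
            issues.append("CAP_SYS_ADMIN granted: can mount a cgroup controller")
        for m in c.get("Mounts") or []:
            if m.get("Source", "").startswith("/sys/fs/cgroup") and m.get("RW"):
                issues.append("host cgroup fs bind-mounted read-write")
        if hc.get("PidMode") == "host":
            issues.append("pid=host: host processes visible (hostPID escalation)")
        if issues:
            findings[c.get("Name", c["Id"]).lstrip("/")] = issues
    return findings


def audit_live() -> dict:
    """Hypothetical helper: inspect every running container on this host."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True,
                         text=True, check=True).stdout.split()
    if not ids:
        return {}
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True,
                         text=True, check=True).stdout
    return audit_inspect(out)


if __name__ == "__main__":
    for name, issues in audit_inspect(SAMPLE_INSPECT).items():
        print(name, *("  - " + i for i in issues), sep="\n")
```

Any container reported here should be rebuilt without privileged mode and without pid=host, matching the remediation above.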
Check out the TTP Is my Docker container vulnerable to cgroup controller escape? on the Prelude chains website.