For this week's TTP Tuesday, we're providing a Docker container escape. This TTP demonstrates how to escape from a Docker container that has the Docker socket mounted within it. While there are practical reasons for mounting the Docker socket within a container, doing so exposes the host to this container escape technique. If a container is vulnerable, an attacker may be able to read and execute files on the host system.
The issue affects many public repositories that utilize Docker containers - a simple search for the Docker socket mount string “-v /var/run/docker.sock” on GitHub shows more than 62,000 code results at the time of this writing. Note that this is not a vulnerability in Docker code, but rather a security misconfiguration of the Docker container.
If you haven't recently audited your containers, there's a chance this misconfiguration may affect you!
Execute Operator's “Is my Docker container vulnerable to a Docker socket escape?” TTP on each Docker container in your environment to test if you are vulnerable.
The chain first checks if the agent is running within a Docker container. Next, it checks if the docker.sock file exists in the filesystem. Finally, it attempts to run a command on the host system to demonstrate the container escape.
The recommended remediation is to unmount docker.sock from the container.
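To find which containers need that remediation, the mount can also be audited from the host side. The following is an added example, not Prelude's TTP or code from this post: it parses output in the shape of `docker inspect` (the `Mounts` and `HostConfig.Binds` fields) and lists every container that has the daemon socket bind-mounted. The sample data and container names are constructed.

```python
import json

# Host paths of the Docker daemon socket (/var/run is a symlink to /run on many distros).
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}

# Constructed sample shaped like `docker inspect` output; not taken from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Id": "a1" * 32, "Name": "/ci-runner",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Id": "b2" * 32, "Name": "/monitor",
     "HostConfig": {"Binds": ["/run/docker.sock:/tmp/d.sock:ro"]},
     "Mounts": []},
    {"Id": "c3" * 32, "Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
])


def find_socket_mounts(inspect_json):
    """Return one finding per socket mount: container name, in-container path, rw flag."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/") or c.get("Id", "")[:12]
        hits = {}  # destination path inside the container -> mounted read-write?
        # "Mounts" lists the resolved mounts; match on the host-side source path,
        # because the socket may appear under a different name inside the container.
        for m in c.get("Mounts") or []:
            if m.get("Source") in SOCKET_PATHS:
                hits[m.get("Destination")] = bool(m.get("RW"))
        # "HostConfig.Binds" keeps the raw -v strings: source:destination[:options]
        for b in (c.get("HostConfig") or {}).get("Binds") or []:
            parts = b.split(":")
            if len(parts) >= 2 and parts[0] in SOCKET_PATHS:
                opts = parts[2].split(",") if len(parts) > 2 else []
                hits.setdefault(parts[1], "ro" not in opts)
        # Read-only mounts are reported too: ":ro" does not stop a process
        # from connecting to the socket and talking to the daemon.
        for dest, rw in sorted(hits.items()):
            findings.append({"container": name, "dest": dest, "rw": rw})
    return findings


if __name__ == "__main__":
    for f in find_socket_mounts(SAMPLE_INSPECT):
        print(f"{f['container']}: docker.sock at {f['dest']} ({'rw' if f['rw'] else 'ro'})")
```

On a real host, pass the output of `docker inspect $(docker ps -q)` to `find_socket_mounts` instead of the sample.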
Check out the TTP “Escape Docker container using Docker socket” on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg
David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec