This article reviews container escape techniques in cloud environments and how to detect them from an endpoint perspective. It covers user-mode helpers, SUID privilege escalation, runtime sockets, log mounts, and sensitive mounts, with real-world detection examples and testing across container runtimes. Hashtags: #containerescape #Docker #CVE-2019-5736 #DEEPCE #CortexXDR #Kubernetes #containerd #release_agent #SUID #runtime_sockets #log_mounts #sensitive_mounts #Unit42
Keypoints
- Container escapes pose a notable security risk in cloud environments, especially since many containers are internet-facing and may be misconfigured or vulnerable.
- The article outlines five concrete container-escape techniques: user-mode helpers (release_agent), privilege escalation via SUID/SGID, runtime sockets, log mounts, and sensitive mounts.
- Example 1 (User-Mode Helpers) details how the kernel can be tricked into launching a user-mode program with root privileges via release_agent and related cgroup mechanisms.
- Example 2 (SUID) describes creating a host-shared executable with the SUID bit to execute on the host with root privileges from inside the container.
- Example 3 (Runtime Sockets) explains how interacting with the container runtime via Unix sockets (e.g., docker.sock) can spawn a privileged container that escapes to the host.
- Example 4 (Log Mounts) covers a Kubernetes pod escape through host log mounts by manipulating symlinks in /var/log to access host files such as /etc/shadow.
- Example 5 (Sensitive Mounts) focuses on misconfigured mounts that map host directories (e.g., /etc) into a container, enabling access to sensitive host files.
- The article also notes testing with containerd as the runtime and emphasizes detection and protection across multiple runtimes, with Cortex XDR as a primary example.
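
As a defender-side check for the runtime-socket, log-mount and sensitive-mount cases listed above, the following added example (not code from the Unit 42 article) audits `docker inspect` output for risky bind mounts and the privileged flag. The sample data is constructed, and the finding names and the directory list beyond /etc are assumptions.

```python
import json
import posixpath

# Host paths taken from the techniques above; the rule set is illustrative, not exhaustive.
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock",
                   "/run/containerd/containerd.sock"}
SENSITIVE_DIRS = ("/etc", "/proc", "/sys", "/root")  # /etc is from the article; the rest are assumptions
LOG_DIR = "/var/log"

def _under(path, parent):
    """True if path is parent or lies beneath it (so /etcd-data does not match /etc)."""
    return path == parent or path.startswith(parent + "/")

def audit_container(entry):
    """Return sorted (finding, host_path) pairs for one `docker inspect` entry."""
    findings = set()
    if entry.get("HostConfig", {}).get("Privileged"):
        findings.add(("privileged", "-"))
    for mount in entry.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue  # skip named volumes and tmpfs; only bind mounts are checked here
        src = posixpath.normpath(mount.get("Source", ""))
        if src in RUNTIME_SOCKETS:
            findings.add(("runtime-socket", src))
        elif src == "/":
            findings.add(("host-root", src))
        elif _under(src, LOG_DIR):
            findings.add(("log-mount", src))
        elif any(_under(src, d) for d in SENSITIVE_DIRS):
            findings.add(("sensitive-mount-rw" if mount.get("RW") else "sensitive-mount-ro", src))
    return sorted(findings)

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE = json.loads("""[
 {"Name": "/ci-agent", "HostConfig": {"Privileged": false}, "Mounts": [
   {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": true},
   {"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data", "Destination": "/cache", "RW": true}]},
 {"Name": "/log-shipper", "HostConfig": {"Privileged": false}, "Mounts": [
   {"Type": "bind", "Source": "/var/log", "Destination": "/host/var/log", "RW": true}]},
 {"Name": "/debug", "HostConfig": {"Privileged": true}, "Mounts": [
   {"Type": "bind", "Source": "/etc", "Destination": "/host_etc", "RW": false},
   {"Type": "bind", "Source": "/etcd-data", "Destination": "/data", "RW": true}]}
]""")

def audit_all(entries):
    """Map container name to findings, omitting containers with none."""
    report = {e.get("Name", "?"): audit_container(e) for e in entries}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE).items():
        print(name, found)
```

On a Docker host, the same functions can be run over the JSON array that `docker inspect` prints for the running containers in place of SAMPLE.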
MITRE Techniques
- [T1068] Privilege Escalation: The kernel-based user-mode helper (call_usermodehelper) enables elevation by executing a user-mode program with root privileges via the kernel. "[The] call_usermodehelper function prepares and initiates a user-mode application directly from the kernel, enabling the kernel to execute any program in user-mode with elevated privileges."
- [T1068] Privilege Escalation: SUID/SGID-based host escalation through a directory shared between the container and the host, enabling host root execution from inside the container. "This technique enables a user that already has limited permissions on the host to execute a program on the host with root privileges from within the container."
- [T1068] Privilege Escalation: Runtime sockets used to create a privileged container and escape to the host via the container runtime API. "This technique allows an attacker to create a new privileged container on the same host, then use that new container to escape to the host."
- [T1068] Privilege Escalation: Log mount manipulation (symlink-based) to access host files like /etc/shadow via Kubernetes pod logs. "Manipulating the symlink destination from the log file to /etc/shadow, for example, an attacker can access the host's /etc/shadow file."
- [T1068] Privilege Escalation: Sensitive mounts enabling access to host directories (e.g., /etc) from within a container, potentially exposing host files. "The required action for this technique is merely to discover and access these sensitive mounts within misconfigured containers."
Indicators of Compromise
- [Unix Socket] /var/run/docker.sock and related runtime socket access to container runtime APIs (e.g., Docker REST API). Example: "curl --unix-socket /var/run/docker.sock http://localhost/containers/json".
- [Host File] /etc/shadow and /etc/passwd, referenced as sensitive host files accessed via mounts or symlinks (e.g., root_host/etc/passwd).
- [File/Executable] deepce.sh and release_agent, files used to perform container escapes.
- [CVE] CVE-2019-5736, mentioned in related content about runC vulnerabilities that could enable escapes.
- [Domain/URL] GitHub DEEPCE repository (https://github.com/stealthcopter/deepce) and Unit 42 container-escape techniques page (https://unit42.paloaltonetworks.com/container-escape-techniques/).
- [Symlink] Symlink-based access in /var/log pointing to host files (e.g., /var/log symlink to host_root/etc/passwd).
Read more: https://unit42.paloaltonetworks.com/container-escape-techniques/