module
Docker cgroups Container Escape
Disclosed | Created |
---|---|
2022-02-04 | 2023-12-06 |
Description
This exploit module takes advantage of a Docker image which has either the privileged flag or the SYS_ADMIN Linux capability.
If the host kernel is vulnerable, it's possible to escape the Docker image and achieve root on the host operating system.
A vulnerability was found in the Linux kernel's cgroup_release_agent_write function in kernel/cgroup/cgroup-v1.c.
This flaw, under certain circumstances, allows the use of the cgroups v1 release_agent feature to escalate privileges
and bypass the namespace isolation unexpectedly.
More simply put, cgroups v1 has a feature called release_agent that runs a program when a process in the cgroup terminates.
If notify_on_release is enabled, the kernel runs the release_agent binary as root. By editing the release_agent file,
an attacker can execute their own binary with elevated privileges, taking control of the system. However, the release_agent
file is owned by root, so only a user with root access can modify it.
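
For defenders, the sketch below audits a container for the preconditions the description names: an effective SYS_ADMIN capability and a visible cgroups v1 hierarchy. It is an added example, not code from the Metasploit module; the function names and the sample /proc text are constructed for illustration, and a positive result means "review this container", not "the host kernel is vulnerable".

```python
import re

CAP_SYS_ADMIN = 21  # bit number from <linux/capability.h>

# Constructed samples: a container started with SYS_ADMIN added to Docker's
# default capability set, on a host that still mounts cgroup v1 hierarchies.
SAMPLE_STATUS = "Name:\tsh\nCapPrm:\t00000000a82425fb\nCapEff:\t00000000a82425fb\n"
SAMPLE_MOUNTS = (
    "overlay / overlay rw,relatime 0 0\n"
    "cgroup /sys/fs/cgroup/memory cgroup ro,nosuid,nodev,noexec,relatime,memory 0 0\n"
    "cgroup /sys/fs/cgroup/rdma cgroup ro,nosuid,nodev,noexec,relatime,rdma 0 0\n"
)


def has_sys_admin(status_text):
    """True if the CapEff mask in /proc/<pid>/status text has CAP_SYS_ADMIN set."""
    m = re.search(r"^CapEff:[ \t]*([0-9a-fA-F]+)[ \t]*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return bool((int(m.group(1), 16) >> CAP_SYS_ADMIN) & 1)


def cgroup_v1_mounts(mounts_text):
    """Mount points whose filesystem type is 'cgroup' (v1); v2 reports 'cgroup2'."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "cgroup":
            points.append(fields[1])
    return points


def audit(status_text, mounts_text):
    """Combine both checks; 'review' is True only when both preconditions hold."""
    cap = has_sys_admin(status_text)
    v1 = cgroup_v1_mounts(mounts_text)
    return {"cap_sys_admin": cap, "cgroup_v1_mounts": v1, "review": cap and bool(v1)}


if __name__ == "__main__":
    # Inside a real container, pass the contents of /proc/self/status and
    # /proc/mounts instead of the constructed samples.
    print(audit(SAMPLE_STATUS, SAMPLE_MOUNTS))
```
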
Authors
h00die
Yiqi Sun
Kevin Wang
T1erno
Platform
Linux,Unix
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands ‘show options’ or ‘show advanced’:
