Docker container escape describes a process and its result: an attacker first obtains command execution with some level of permissions inside a container, either by hijacking the containerized business logic or by controlling the container directly, and then uses it to reach beyond the container. Because Docker relies on isolation technology, a process inside the container cannot see processes outside it, while outside processes can see inside; if a container can nevertheless access outside resources, or even obtain permissions on the host, this is called "Docker escape".
The environment used for this tutorial: Linux 7.3, Docker version 19.03, on a Dell G3 computer.
What is docker container escape
"Container escape" refers to the following process and result. First, the attacker hijacks the containerized business logic, or controls the container directly (for example in CaaS and other scenarios where control of the container is obtained legitimately), and thereby obtains command execution with certain permissions inside the container.
Second, the attacker uses this command execution capability, by some method, to obtain command execution with certain permissions on the container's direct host. In the common arrangement "a physical machine runs a virtual machine, and the virtual machine runs the container", the direct host is the virtual machine outside the container.
Because Docker uses isolation technology, a process inside the container cannot see processes outside, but outside processes can see inside. If a container can nonetheless access outside process resources, or even obtain permissions on the host, this is called "Docker escape".
There are currently three causes of Docker escape:
1. Kernel vulnerabilities.
2. Docker software design.
3. Improper use of privileged mode and configuration.
The following is a brief explanation of these three escape methods.
1. Escape caused by kernel vulnerability
Because Docker shares the host's kernel directly, a security vulnerability in the host kernel also affects Docker's security and may lead to Docker escape. The general process is as follows:
Use the kernel vulnerability to enter the kernel context
Obtain the task struct of the current process
Backtrace the task list to obtain the task struct with pid = 1 and copy its related data
Switch the current namespace
Open the root shell and complete the escape
2. Escape caused by Docker software design
A typical example is runc, Docker's standardized container execution engine. In February 2019 a Docker escape vulnerability in runc, CVE-2019-5736, was disclosed. The flaw is that Docker, containerd and other runc-based programs are exposed at run time: through a specially crafted container image or an exec operation, an attacker can obtain the file handle of the runc binary while the host executes it and overwrite the runc binary, thereby gaining root execution permission on the host and escaping the container.
3. Escape caused by directory mounting in privileged mode
This escape method is used more often than the other two. Privileged mode was introduced to Docker in version 6.0. Its core function is to give root inside the container root permissions on the external physical machine; previously, the root user inside the container had only ordinary-user permissions on the external physical machine.
After a container is started in privileged mode (docker run --privileged), it is allowed to access all devices on the host, gains access to a large number of device files, and can run the mount command.
Whoever controls a container running in privileged mode can mount the host's disk device into the container with the mount command and thereby obtain read and write access to the entire host file system. He can also execute commands on the host by writing scheduled tasks and similar methods.
Besides starting Docker in privileged mode, the capabilities mechanism can also lead to Docker escape. Since version 2.2 the Linux kernel has provided capabilities, which break up the UNIX/Linux distinction between the superuser and ordinary users and allow an ordinary user to perform operations that previously required superuser privileges. For example, when a container is started with --cap-add=SYS_ADMIN, the container process is allowed to execute a series of system administration commands such as mount and umount. If an attacker then mounts an external device directory inside the container, Docker escape occurs.
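As an added example (not part of the original article), the following Python script audits `docker inspect` output for the escape-prone settings this section lists: privileged mode, --cap-add=SYS_ADMIN, exposed host devices and bind mounts of the host's root or other sensitive directories. The sample JSON and container names are constructed; in practice, feed it the output of `docker inspect $(docker ps -q)`.

```python
"""Audit `docker inspect` output for the escape-prone settings described above:
privileged mode, an added SYS_ADMIN capability, exposed host devices and bind
mounts of sensitive host paths. Added example, not code from the original page."""
import json

# Bind-mounting these host paths (or anything under them) exposes the host's disk.
SENSITIVE_HOST_PATHS = ("/", "/dev", "/etc", "/root", "/proc", "/sys")

# Constructed sample shaped like `docker inspect` output: one hardened container
# and one started as `docker run --privileged --cap-add=SYS_ADMIN -v /:/host ...`.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web-safe", "HostConfig": {"Privileged": False, "CapAdd": None, "Devices": []},
     "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data"}]},
    {"Name": "/build-risky",
     "HostConfig": {"Privileged": True, "CapAdd": ["SYS_ADMIN"],
                    "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda"}]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]}])

def is_sensitive(path):
    """True if a bind-mount source is a sensitive host path or lies under one."""
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")

def audit_container(c):
    """Return the list of risky settings found in one `docker inspect` entry."""
    host, findings = c.get("HostConfig") or {}, []
    if host.get("Privileged"):
        findings.append("privileged mode: container root is root on the host")
    for cap in host.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") == "SYS_ADMIN":
            findings.append("CAP_SYS_ADMIN added: mount/umount possible in container")
    for dev in host.get("Devices") or []:
        findings.append("host device exposed: " + dev["PathOnHost"])
    for m in c.get("Mounts") or []:
        if m.get("Type") == "bind" and is_sensitive(m.get("Source", "")):
            findings.append("sensitive host path mounted: %s -> %s"
                            % (m["Source"], m["Destination"]))
    return findings

def audit(inspect_json):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for c in json.loads(inspect_json):
        findings = audit_container(c)
        if findings:
            report[c["Name"].lstrip("/")] = findings
    return report

if __name__ == "__main__":  # prints the findings for the constructed sample
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```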