| Source | Destination | MITRE ATT&CK Tactic |
|---|---|---|
| Container | Container | Lateral Movement, TA0008 |
Container escape via the containerd.sock file, which allows executing a binary in another container.
When containerd.sock (or an equivalent runtime socket; see the list below) is mounted inside a container, it allows the container to interact with the container runtime. An attacker can therefore execute any command in any container present in the cluster, which allows lateral movement across the cluster.
Execution within a container process with one of the following unix sockets (or any of its parent directories) mounted inside the container:
:rotating_light: Sockets mounted as read-only can still be used for this attack. :rotating_light: This can be demonstrated as follows:
See the example pod spec.
Look for any socket mounted in the container by running a simple find command:
To exploit this vulnerability, we will use a CLI for the Kubelet Container Runtime Interface (CRI) provided by Google for debugging purposes: crictl.
This tool allows interacting with the Kubernetes container runtime over a unix socket:
Once you have the path of the mounted socket, configure crictl to use it:
Once everything is configured, you should be able to run commands on another container of your choice.
To list all the pods:
Executing a command on another pod:
The -s flag is important; otherwise crictl will try to use the http endpoint to run the command, resulting in errors like:
With crictl you can also access sensitive information:
crictl inspect: access the environment variables of any container
crictl logs: retrieve all the logs of any container
Implement security policies
Use a pod security policy or admission controller to prevent or limit the creation of pods with a hostPath mount for the following locations:
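The list of socket locations is not reproduced on this page. As an added example of the admission-side check described above (not code from the original page or from the project it documents), the audit below walks a pod spec and flags any hostPath volume that exposes a container runtime socket, either directly or through a parent directory, as the prerequisites section notes. The socket paths it uses are the well-known defaults of containerd, CRI-O and Docker and are an assumption, not a list taken from the page; a read-only mount is reported but, as the page states, never treated as safe. The sample pod specs are constructed for the example.

```python
"""Audit a Kubernetes pod spec for hostPath volumes that expose a container
runtime socket, directly or via any parent directory.

Added example for the mitigation section; not code from the original page.
RUNTIME_SOCKETS lists the runtimes' well-known default paths (an assumption,
the page's own list is not reproduced here).
"""
from pathlib import PurePosixPath

# Assumed default socket locations. /var/run is usually a symlink to /run,
# so both prefixes are listed to catch either spelling in a pod spec.
RUNTIME_SOCKETS = (
    "/run/containerd/containerd.sock",
    "/var/run/containerd/containerd.sock",
    "/run/crio/crio.sock",
    "/var/run/crio/crio.sock",
    "/run/docker.sock",
    "/var/run/docker.sock",
)


def _normalize(path: str) -> PurePosixPath:
    """Collapse trailing slashes; reject '..' segments rather than guessing
    what they resolve to on the node."""
    p = PurePosixPath(path)
    if ".." in p.parts:
        raise ValueError(f"refusing to evaluate hostPath with '..': {path}")
    return p


def exposed_sockets(host_path: str, sockets=RUNTIME_SOCKETS) -> list:
    """Return the runtime sockets reachable through a hostPath mount.

    A mount of the socket itself or of any parent directory (up to '/')
    exposes it, so a hostPath of '/run' or '/' is as bad as the socket.
    """
    base = _normalize(host_path)
    return [s for s in sockets
            if PurePosixPath(s) == base or base in PurePosixPath(s).parents]


def audit_pod(pod: dict) -> list:
    """One finding per (container, volume) pair that reaches a runtime socket.

    A risky volume that no container mounts produces no finding; readOnly is
    recorded for the report but does not exempt the mount.
    """
    spec = pod.get("spec", {})
    risky = {}
    for vol in spec.get("volumes", []):
        host = vol.get("hostPath", {}).get("path")
        if host and exposed_sockets(host):
            risky[vol["name"]] = host
    findings = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind, []):
            for m in c.get("volumeMounts", []):
                if m["name"] in risky:
                    host = risky[m["name"]]
                    findings.append({
                        "pod": pod.get("metadata", {}).get("name"),
                        "container": c["name"],
                        "volume": m["name"],
                        "hostPath": host,
                        "readOnly": bool(m.get("readOnly", False)),
                        "sockets": exposed_sockets(host),
                    })
    return findings


def admit(pod: dict) -> tuple:
    """Admission-style decision: (allowed, reason)."""
    findings = audit_pod(pod)
    if not findings:
        return True, "ok"
    reason = "; ".join(
        f"container {f['container']} mounts hostPath {f['hostPath']} "
        f"exposing {', '.join(f['sockets'])}" for f in findings)
    return False, reason


def _pod(name, host_path, read_only=False, mount=True):
    """Build a constructed sample pod spec (not taken from any real cluster)."""
    mounts = [{"name": "host", "mountPath": "/host", "readOnly": read_only}] if mount else []
    return {
        "metadata": {"name": name},
        "spec": {
            "volumes": [{"name": "host", "hostPath": {"path": host_path}}],
            "containers": [{"name": "app", "volumeMounts": mounts},
                           {"name": "sidecar", "volumeMounts": []}],
        },
    }


SAFE_POD = _pod("logs-reader", "/var/log")                            # no socket reachable
SOCKET_POD = _pod("ro-socket", "/run/containerd/containerd.sock", True)  # read-only, still flagged
PARENT_POD = _pod("parent-dir", "/var/run/")                          # parent directory exposes sockets
UNMOUNTED_POD = _pod("declared-only", "/", mount=False)              # volume declared, never mounted

if __name__ == "__main__":
    for pod in (SAFE_POD, SOCKET_POD, PARENT_POD, UNMOUNTED_POD):
        allowed, reason = admit(pod)
        print(f"{pod['metadata']['name']}: {'allow' if allowed else 'deny'} ({reason})")
```

The parent-directory rule is the part worth keeping in a real policy: denying the literal socket path alone is bypassed by mounting `/run`, `/var/run` or `/`, and a `readOnly: true` mount, as the page notes, does not remove the exposure.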