Hertz: Abusing privileged and unprivileged Linux containers

[Security] Posted Jun 1, 2016 22:55 UTC (Wed) by corbet

This white paper by Jesse Hertz [PDF] examines various ways to compromise and escape from containers on Linux systems. "A common configuration for companies offering PaaS solutions built on containers is to have multiple customers’ containers running on the same physical host. By default, both LXC and Docker set up container networking so that all containers share the same Linux virtual bridge. These containers will be able to communicate with each other. Even if this direct network access is disabled (using the --icc=false flag for Docker, or using iptables rules for LXC), containers aren’t restricted for link-layer traffic. In particular, it is possible (and in fact quite easy) to conduct an ARP spoofing attack on another container within the same host system, allowing full middle-person attacks of the targeted container’s traffic."
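The quoted passage makes the point that IP-level filtering (--icc=false, iptables) does nothing about link-layer traffic on a shared bridge, so a defender needs either to stop putting tenants on one bridge or to notice when ARP bindings change. The following is an added example, not code from the paper or from LWN: a small monitor that records the MAC each IP was first seen with and flags any later ARP reply that claims the same IP from a different MAC. The ARP records, the 172.17.0.x addresses and the MAC values are all constructed for the illustration.

```python
"""Flag ARP replies that change an existing IP-to-MAC binding.

Added illustration for the shared-bridge container scenario quoted above.
All records below are constructed; nothing here is captured from a real host.
"""
from dataclasses import dataclass, field


@dataclass
class ArpReply:
    ts: float          # seconds since start of observation (constructed)
    sender_ip: str
    sender_mac: str


@dataclass
class ArpMonitor:
    """Tracks the MAC each IP was first seen with and reports any change.

    On a shared virtual bridge every container sees every other container's
    ARP traffic, so a tenant claiming the gateway's (or a neighbour's) IP with
    its own MAC shows up as a binding change at the bridge.
    """
    bindings: dict = field(default_factory=dict)   # ip -> first-seen mac
    alerts: list = field(default_factory=list)

    def observe(self, reply: ArpReply) -> bool:
        """Record the reply; return True if it conflicts with a known binding."""
        known = self.bindings.get(reply.sender_ip)
        if known is None:
            self.bindings[reply.sender_ip] = reply.sender_mac
            return False
        if known == reply.sender_mac:
            return False
        self.alerts.append(
            f"t={reply.ts:.1f}: {reply.sender_ip} moved from {known} "
            f"to {reply.sender_mac}"
        )
        return True


def scan(replies):
    """Run the monitor over a sequence of replies and return the alert list."""
    mon = ArpMonitor()
    for r in replies:
        mon.observe(r)
    return mon.alerts


# Constructed sample: the bridge gateway (172.17.0.1) is legitimately
# 02:42:ac:11:00:01; the third record claims that IP from a different MAC,
# which is exactly the binding change a monitor should raise.
SAMPLE_REPLIES = [
    ArpReply(0.0, "172.17.0.1", "02:42:ac:11:00:01"),
    ArpReply(0.5, "172.17.0.2", "02:42:ac:11:00:02"),
    ArpReply(1.0, "172.17.0.1", "02:42:ac:11:00:03"),
    ArpReply(1.5, "172.17.0.2", "02:42:ac:11:00:02"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_REPLIES):
        print(alert)
```

Two caveats a practitioner would apply before relying on this: the first-seen binding is trusted only because the observation started before any conflict, so in production the table should be seeded from the MAC addresses the host assigned to its containers rather than learned from traffic; and detection is the fallback, not the fix. The structural mitigation is to stop sharing a bridge between tenants at all, for example by giving each customer its own user-defined Docker network (a separate Linux bridge), so that another tenant's containers are not on the same layer-2 segment in the first place.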


Copyright © 2016, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds