Docker security

Container breakouts : Abusing DAC_OVERRIDE capability

DAC_OVERRIDE allows a container to bypass file read, write, and execute permission checks. Combined with DAC_READ_SEARCH capability, it can be exploited to escape a container using a famous exploit named Shocker.

In the following video, an attacker leverages DAC_READ_SEARCH and DAC_OVERRIDE capability provided in the container to become root on the linux host system.