Docker security

Container breakouts: Mounted Docker Socket

To enable services running inside the container to communicate with the Docker daemon, it is a very common practice to mount the Docker UNIX socket inside the container. However, whenever you have access to the Docker socket (default location: /var/run/docker.sock) it is as if you were root on the host, because this socket is used to manage the local Docker daemon, which runs as root on the host system. As soon as you have access to the socket, you can manage the local system.
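As an added example (not part of the original page), the following Python audit looks for exactly this misconfiguration from the defender's side: it takes the JSON printed by `docker inspect` and reports any container that has the Docker UNIX socket bind-mounted from the host, and it also inspects a `/proc/self/mountinfo`-style listing so an in-container agent can tell whether the socket is present. The container names and mount lines are constructed sample data; the `DOCKER_SOCKET_PATHS` tuple and the function names are this example's own choices.

```python
import json

# Host paths on which the Docker daemon socket is commonly exposed.
# The page names the default; /run/docker.sock is the same file on
# systems where /var/run is a symlink to /run.
DOCKER_SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")


def socket_mounts(inspect_output):
    """Return findings for containers whose `docker inspect` output shows the
    Docker socket bind-mounted from the host.

    `inspect_output` is the JSON text produced by `docker inspect <name...>`
    (a list of container objects). Both the normalised "Mounts" array and the
    raw "HostConfig.Binds" strings are checked, since either may describe the
    mount depending on how the container was created."""
    findings = []
    for c in json.loads(inspect_output):
        name = c.get("Name", "?").lstrip("/")
        seen = set()
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") in DOCKER_SOCKET_PATHS:
                seen.add((m["Source"], m.get("Destination"), bool(m.get("RW", True))))
        for b in c.get("HostConfig", {}).get("Binds") or []:
            parts = b.split(":")
            if parts[0] in DOCKER_SOCKET_PATHS:
                dst = parts[1] if len(parts) > 1 else parts[0]
                rw = not (len(parts) > 2 and "ro" in parts[2].split(","))
                seen.add((parts[0], dst, rw))
        for src, dst, rw in sorted(seen):
            findings.append({
                "container": name,
                "source": src,
                "destination": dst,
                "read_only": not rw,
                # A read-only bind mount does not prevent a client from
                # connecting to the socket (connect() is not a file write),
                # so the finding is high severity regardless of the mode.
                "severity": "HIGH",
            })
    return findings


def mountinfo_has_socket(mountinfo_text):
    """Scan /proc/self/mountinfo-style lines (field 5 is the mount point) and
    return the mount points that correspond to a Docker socket. Useful for an
    agent that runs inside the container and wants to flag the exposure."""
    hits = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) > 4 and fields[4] in DOCKER_SOCKET_PATHS:
            hits.append(fields[4])
    return hits


# Constructed sample: one CI runner with the socket mounted, one plain app.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/ci-runner",
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
    },
    {
        "Name": "/web",
        "Mounts": [{"Type": "volume", "Source": "webdata",
                    "Destination": "/data", "RW": True}],
        "HostConfig": {"Binds": []},
    },
])

# Constructed /proc/self/mountinfo excerpt as seen from inside ci-runner.
SAMPLE_MOUNTINFO = (
    "470 400 0:40 / / rw,relatime - overlay overlay rw,lowerdir=/x\n"
    "512 470 0:24 /docker.sock /run/docker.sock rw,nosuid,nodev - tmpfs tmpfs rw\n"
)

if __name__ == "__main__":
    for f in socket_mounts(SAMPLE_INSPECT):
        print(f"{f['severity']}: {f['container']} mounts {f['source']} "
              f"at {f['destination']} (read_only={f['read_only']})")
    print("socket visible in mountinfo:", mountinfo_has_socket(SAMPLE_MOUNTINFO))
```

In practice you would feed `socket_mounts` the output of `docker inspect $(docker ps -q)` on the host, or run `mountinfo_has_socket(open("/proc/self/mountinfo").read())` from inside a container. Any hit should be treated as the container effectively having root on the host; the mitigation is to remove the mount, or, where a service genuinely needs daemon access, to route it through a restricted API proxy rather than exposing the raw socket.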

So if you want to escalate from the container to the system, you can interact with the Docker Socket.

In the following video, the attacker leverages the mounted Docker socket in the container to get access to the host machine and retrieves files from the root directory. The attacker has already gained a command shell on the container.