Docker security
Container breakouts : Abusing SYS_ADMIN capability
The SYS_ADMIN capability allows a container, inter alia, to perform the mount syscall. Here an example where the files stored in the root directory of the host system are retrieved by leveraging the additional capabilities provided to the container, in particular SYS_ADMIN capability. The attacker has already gained a command shell on the container.
In the next video, an attacker leverages SYS_ADMIN capability provided to the container to create a new user on the host system (using the command adduser on the mounted host file system) and then connect to him via SSH service to finally escape from the container. The attacker has already gained a command shell on the container.