Tactic: Privilege Escalation (ATK-TA0004)
Technique ID: SAF-T1303
Severity: Critical
First Observed: 2024 (see CVE-2024-21626)
Last Updated: 2025-08-30
This technique describes escaping a container sandbox by abusing container runtime "exec" behavior with a manipulated working directory. By supplying a path-traversal working directory (for example, using sequences like ../), an attacker may influence where the runtime resolves file paths and process context during exec, enabling access outside the intended container filesystem boundary.
In MCP environments, compromised or malicious tools/servers that orchestrate containerized tasks can craft runtime execution parameters that exploit this behavior. Once the sandbox is bypassed, the adversary can access host resources or processes, pivot to additional systems, and elevate privileges.
- Primary Vector: Malicious or compromised MCP server/tool invoking container runtime `exec` with a traversal working directory.
- Secondary Vectors:
  - Vulnerable container runtime versions or misconfigurations
  - Excessive host mounts or writable host paths exposed to containers
- MCP workflow that executes tasks inside containers using a runtime (e.g., runc)
- Ability to influence or control `exec` parameters (working directory) via a tool/server
- Vulnerable runtime or insecure runtime configuration
- Access: Attacker gains control of an MCP tool/server or tricks an operator into using a malicious one.
- Parameter Control: Attacker sets the `exec` current working directory (cwd) to a traversal path (for example, `../../..`).
- Runtime Invocation: MCP workload triggers container runtime `exec` with the crafted working directory parameter.
- Boundary Violation: Runtime resolves paths outside the container filesystem, breaking isolation.
- Post-Exploitation: Attacker reads/writes host files, enumerates processes, or installs persistence.
```json
{
  "runtime": "runc",
  "action": "exec",
  "args": [
    "--cwd", "../../..",
    "--", "sh", "-c", "id; cat /etc/hostname"
  ],
  "note": "Illustrative only; actual exploitation depends on runtime/version"
}
```

According to public analyses of "Leaky Vessels" and related research on container escapes, attackers may:
- Use encoded or alternate traversal sequences to evade simple pattern checks.
- Target alternate runtimes or orchestrators where similar resolution bugs exist.
- Combine with host mount abuses to access sensitive paths more reliably.
- Confidentiality: High - Potential access to host files and secrets.
- Integrity: High - Host filesystem and processes may be modified.
- Availability: High - Host or cluster stability can be impacted.
- Scope: Adjacent/Network-wide - Breakout from one container to host enables lateral movement.
Container runtime vendors have released patches and guidance for path-resolution issues (see CVE references). Organizations should update to patched runtime versions and apply hardening guidance from vendor and community resources.
- `runc exec` or equivalent runtime invocations with traversal in the working directory (e.g., `../`, `..\\`).
- Unexpected file access attempts on host paths shortly after container exec.
- Anomalous logs indicating container processes interacting with host-level resources.
Important: The standalone Sigma rule for this technique is provided in detection-rule.yml. It contains example patterns only. Attackers continuously develop new injection and obfuscation methods. Organizations should:
- Use behavioral analytics to profile normal container exec behavior
- Regularly update rules based on threat intelligence
- Employ multiple data sources (process, file, and container runtime telemetry)
- Sudden spikes in container exec events with unusual working directories
- Processes spawned in containers accessing host-specific paths or devices
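As an added detection example (not part of this technique page or its detection-rule.yml), the following Python scans constructed exec-invocation records for traversal working directories, including the percent-encoded and backslash variants noted above; the JSON log format and field names are assumptions, and matching literal patterns remains a heuristic that complements, not replaces, patching the runtime.

```python
import json
import posixpath
from urllib.parse import unquote

# Constructed sample telemetry, one JSON record per runtime invocation (hypothetical format).
SAMPLE_EVENTS = [
    r'{"runtime":"runc","action":"exec","container":"job-1","cwd":"/work"}',
    r'{"runtime":"runc","action":"exec","container":"job-2","cwd":"../../.."}',
    r'{"runtime":"runc","action":"exec","container":"job-3","cwd":"/work/%2e%2e/%2e%2e/etc"}',
    r'{"runtime":"runc","action":"exec","container":"job-4","cwd":"\\..\\..\\host"}',
    r'{"runtime":"runc","action":"exec","container":"job-5","cwd":"/work/a/../b"}',
    r'{"runtime":"runc","action":"create","container":"job-6","cwd":"../skip"}',
]

def normalize_cwd(cwd: str) -> str:
    """Repeated percent-decoding (catches double encoding), then backslashes as separators."""
    prev = None
    while prev != cwd:
        prev, cwd = cwd, unquote(cwd)
    return cwd.replace("\\", "/")

def is_traversal_cwd(cwd: str) -> bool:
    """Suspicious if relative (resolution depends on runtime state) or any '..' segment remains."""
    path = normalize_cwd(cwd)
    return not path.startswith("/") or ".." in path.split("/")

def resolved_cwd(cwd: str) -> str:
    """Where the decoded path collapses to; gives the analyst context in the alert."""
    return posixpath.normpath(normalize_cwd(cwd))

def scan_exec_events(lines):
    """Return (container, raw cwd, collapsed cwd) for exec invocations with a traversal cwd."""
    hits = []
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, never trusted
        cwd = ev.get("cwd") or ""
        if ev.get("action") != "exec" or not cwd:
            continue  # only exec events; empty cwd means the runtime default applies
        if is_traversal_cwd(cwd):
            hits.append((ev["container"], cwd, resolved_cwd(cwd)))
    return hits

if __name__ == "__main__":
    for container, cwd, resolved in scan_exec_events(SAMPLE_EVENTS):
        print(f"ALERT container={container} cwd={cwd!r} resolves_to={resolved}")
```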
- SAF-M-9: Sandboxed Testing: Run new/updated MCP tools/servers in tightly isolated environments; disable privileged modes and restrict host mounts during evaluation.
- SAF-M-6: Tool Registry Verification: Enforce provenance and review for tools/servers that can invoke container runtimes; verify configuration and runtime versions.
- SAF-M-14: Server Allowlisting: Limit which MCP servers may be attached or invoked, reducing exposure to malicious orchestrators.
- SAF-M-74: Per-Invocation Capability Brokering: Limit filesystem and syscall reach after a container boundary violation by applying per-invocation Landlock and seccomp profiles (does not substitute for patching vulnerable runtimes).
- SAF-M-12: Audit Logging: Log runtime invocations, including working directory and mount details, to support detection and forensics.
- SAF-M-11: Behavioral Monitoring: Alert on abnormal container `exec` patterns and host-path access from containerized processes.
- Immediate Actions:
  - Revoke access to suspected MCP servers/tools
  - Quarantine affected hosts/nodes and rotate secrets
- Investigation Steps:
  - Review runtime/audit logs for traversal indicators and host access
  - Validate container runtime versions and configuration across the fleet
- Remediation:
  - Patch the runtime and apply hardening guidance
  - Reduce host mounts, remove unnecessary privileges, enforce policy
- Model Context Protocol Specification
- NVD: CVE-2024-21626
- Leaky Vessels: Container Escape Vulnerabilities - Wiz (2024)
| Version | Date | Changes | Author |
|---|---|---|---|
| 1.0 | 2025-08-30 | Initial documentation | Shekhar Chaudhary |