SBA Security Meetup: I want to break free - The attacker inside a Container
1 like116 views
The document discusses security aspects of containerized environments, specifically regarding Apache, MySQL, and Nextcloud vulnerabilities. It covers topics such as privilege escalation, isolation concepts, and mandatory access control, providing insights into potential attack vectors and mitigation strategies. It emphasizes the importance of container hygiene and security configurations to prevent exploitation.
![Classification: Public 55
Seccomp BPF (filter syscalls)
• Create a BPF script via macros
• Load it via a syscall into the Kernel
SBA Research gGmbH, 2020
/* Allow system calls other than open() and openat() */
struct sock_filter filter[] = {
...
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0),
BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS)
}
struct sock_fprog prog = { .filter=filter, .len=... };
syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);](https://image.slidesharecdn.com/sbameetupiwanttobreakfree-201130085213/85/SBA-Security-Meetup-I-want-to-break-free-The-attacker-inside-a-Container-37-320.jpg)
![Classification: Public 58
Example: BPF to kill proceses using syscalls
SBA Research gGmbH, 2020
# docker run -it --security-opt
seccomp=profile.json ...
{
"defaultAction":"SCMP_ACT_ALLOW",
"syscalls":[
{
"names":[
"bind",
"connect",
"mkdir"
],
"action":"SCMP_ACT_KILL",
Docker](https://image.slidesharecdn.com/sbameetupiwanttobreakfree-201130085213/85/SBA-Security-Meetup-I-want-to-break-free-The-attacker-inside-a-Container-38-320.jpg)
SBA Security Meetup: I want to break free - The attacker inside a Container
- 2. Classification: Public 3 Theme SBA Research gGmbH, 2020
- 3. Classification: Public 6 apache2/ fpm mysql reverse proxy Linux Kernel
- 4. Classification: Public 7 Nextcloud: Known Vulnerabilties SBA Research gGmbH, 2020
- 5. Classification: Public 8SBA Research gGmbH, 2020 Container Image
- 6. Classification: Public 9 Container (Linux Process) Virtual Machine (Node /Pod/…) Registry Container Image
- 7. Classification: Public 10 Structure in this talk • What can we do inside? • Can we break out? • What‘s protecting us? • How can we restrict even further? SBA Research gGmbH, 2020 Linux Kernel Apache (nextcloud) mysql https://media.springernature.com/original/springer-static/image/chp%3A10.1007%2F978-3-662-53899-9_5/MediaObjects/418677_2_De_5_Fig4_HTML.jpg
- 8. Classification: Public 11 Remote Code Exection Attacks SBA Research gGmbH, 2020 apache <www-data> /usr/bin/id /bin/sh apache <root> tcp/80 tcp/443
- 9. Classification: Public 12 Filesystem SBA Research gGmbH, 2020
- 10. Classification: Public 13 Config in Files SBA Research gGmbH, 2020 config/config.php
- 11. Classification: Public 14 Secrets in Env SBA Research gGmbH, 2020 apache <www-data> /bin/sh apache <root> inheritance
- 12. Classification: Public 15 A look on the inner workings SBA Research gGmbH, 2020
- 13. Classification: Public 16 On the inside SBA Research gGmbH, 2020
- 14. Classification: Public 17 Drop of privileges (resuid, drop privileges) • The forked process SBA Research gGmbH, 2020 apache <www-data> apache <root> tcp/80 tcp/443 https://iximiuz.com/en/posts/journey-from-containerization- to-orchestration-and-beyond/#container-runtimes
- 15. Classification: Public 18 Capabilities • CAP_CHOWN • CAP_DAC_OVERRIDE • CAP_NET_ADMIN • CAP_NET_BIND_SERVICE • CAP_NET_RAW • CAP_SYS_ADMIN • CAP_SYS_BOOT • CAP_SYS_CHROOT • … expressed as bitmask in /proc/$$/status SBA Research gGmbH, 2018 https://www.andreasch.com/2018/01/13/capabilities/ # setcap cap_net_bind_service+ep /usr/sbin/apache Extended attribute apache <www-data> apache <www-data> tcp/80 tcp/443 /usr/sbin/apache2
- 16. Classification: Public 22 Isolation Concepts Can we break out? SBA Research gGmbH, 2020
- 17. Classification: Public 23 SSHd apache2 mysql
- 18. Classification: Public 24 Namespaces SBA Research gGmbH, 2020 pid mnt net user …
- 19. Classification: Public 25 „Container“ Apache2 Pid 1 (pid) https://www.ebay.com/itm/Kenley-Mini-Sandbox-for-Desk-Miniature-Beach-Zen-Garden-Sand-Toys-Play-Kit-/253472884998 Linux Kernel File system (mnt) Network Interface (net) Apache worker (pid 5) data
- 20. Classification: Public 26 Unshare (1) SBA Research gGmbH, 2020
- 21. Classification: Public 29 lsns SBA Research gGmbH, 2020
- 22. Classification: Public 30 Mount Namespace SBA Research gGmbH, 2020 mounted „root“ filesystem The new /proc /sysfs /dev /run
- 23. Classification: Public 33 Example: root shell in a container (alpine) SBA Research gGmbH, 2020
- 24. Classification: Public 34 Suid in Containers? SBA Research gGmbH, 2020
- 25. Classification: Public 35 Attack Surface: DACL, CAP SBA Research gGmbH, 2020 syscall, e.g. mount /bin/sh <root> task (process) runs as user id 1002 (www-data) has not effective uid 0 (root) => permission denied has not CAP_SYS_ADMIN capabilitiy set => permission denied syscall, e.g. read Linux Kernel task (process) runs as user id 1002 (www-data) has access to /dev/sda1 (brw-rw---- 1 root disk 8 /dev/sda1) = file not found syscall, e.g. mknod has not CAP_SYS_ADMIN capabilitiy set => permission denied
- 26. Classification: Public 37 $ docker run --rm -it alpine SBA Research gGmbH, 2020 $ sudo capsh --decode=00000000a80425fb 0x00000000a80425fb=cap_chown,cap_dac_override,cap_fowner, cap_fsetid,cap_kill,cap_setgid,cap_sesys_chroot,cap_mknod ,cap_audit_write,cap_setfcap CAP_SYS_ADMIN is missing
- 27. Classification: Public 39 Capabilities (from Docker running root shell) SBA Research gGmbH, 2018 https://man7.org/linux/man-pages/man7/capabilities.7.html # sudo capsh --decode=00000000a80425fb cap_chown,cap_dac_override,cap_fowner,cap_fsetid,ca p_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_ service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_a udit_write,cap_setfcap
- 28. Classification: Public 40 $ docker run --cap-add=CAP_SYS_ADMIN -it alpine SBA Research gGmbH, 2020 sudo capsh --decode=00000000a82425fb 0x00000000a82425fb=cap_chown,cap_dac_override,cap_fo wner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_s etpcap,cap_net_bind_service,cap_net_raw,cap_sys_chro ot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfc ap
- 29. Classification: Public 43 Privileged Containers SBA Research gGmbH, 2020
- 30. Classification: Public 46 Local Privilege Escalation (Kernel Bug) • Dirty Cow CVE-2016-5195 • map_write() CVE-2018-18955 • … SBA Research gGmbH, 2020
- 31. Classification: Public 47 Restriction of Actions Enforcing Mandatory Access Control SBA Research gGmbH, 2020 https://kirby-live-radio.fandom.com/wiki/Sandbox_page
- 32. Classification: Public 48 Mandatory Access Control SBA Research gGmbH, 2020 AppArmor SELinux process /etc/passwd /bin/sh 1.1.1.1:80
- 33. Classification: Public 50 Quick Fix with AppArmor • /etc/apparmor.d/usr.sbin.apache2 SBA Research gGmbH, 2018 profile docker-nextcloud flags=(attach_disconnected,mediate_deleted) { ... deny /bin/dash x, ... } read (r), write (w), append (a) link (l) lock (k) mmap (m) execute (ix) child profile (Cx) profile (Px) unconfined (Ux) /** recursive # apparmor_parser -r -W docker-nextcloud # aa-complain docker-nextcloud # docker run --rm -it --security-opt "apparmor=docker-nextcloud" nextcloud # aa-enforce docker-nextcloud
- 34. Classification: Public 51 SecComp Filter syscalls SBA Research gGmbH, 2020
- 35. Classification: Public 52 Syscall Interface SBA Research gGmbH, 2020 Kernel syscall apache2 files memory process fstat(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(0x88, 0), ...}) = 0 openat(AT_FDCWD, "/etc/passwd", O_RDONLY) = 3 fstat(3, {st_mode=S_IFREG|0644, st_size=2431, ...}) = 0 fadvise64(3, 0, 0, POSIX_FADV_SEQUENTIAL) = 0 mmap(NULL, 139264, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f60e0a40000 read(3, "root:x:0:0:root:/root:/bin/bashn"..., 131072) = 2431 write(1, "root:x:0:0:root:/root:/bin/bashn"..., 2431) = 2431 read(3, "", 131072) = 0 close(3) = 0 # /bin/cat /etc/passwd
- 36. Classification: Public 53SBA Research gGmbH, 2020 http://man7.org/linux/man-pages/man2/syscalls.2.html
- 37. Classification: Public 55 Seccomp BPF (filter syscalls) • Create a BPF script via macros • Load it via a syscall into the Kernel SBA Research gGmbH, 2020 /* Allow system calls other than open() and openat() */ struct sock_filter filter[] = { ... BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 2, 0), BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 1, 0), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW), BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS) } struct sock_fprog prog = { .filter=filter, .len=... }; syscall(__NR_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
- 38. Classification: Public 58 Example: BPF to kill proceses using syscalls SBA Research gGmbH, 2020 # docker run -it --security-opt seccomp=profile.json ... { "defaultAction":"SCMP_ACT_ALLOW", "syscalls":[ { "names":[ "bind", "connect", "mkdir" ], "action":"SCMP_ACT_KILL", Docker
- 39. Classification: Public 61 apache2/ fpm mysql reverse proxy
- 40. Classification: Public 63 Final Remarks SBA Research gGmbH, 2020 0) Don‘t break your own stuff 1) Container Image Hygene (permissions, users, capabilities) 2) Orchestrator Configuration (volumes, capabilities) 3) Platform security: LPE on Linux Kernel (VM, PaaS) *) Don‘t aim too high! https://github.com/netblue30/firejail https://github.com/flatpak/flatpak https://github.com/containers/bubblewrap https://source.android.com/security/app-sandbox
- 41. Classification: Public 64 Whatever you do, you have to watch closely … SBA Research gGmbH, 2020 https://www.domradio.de/themen/corona/2020-08-12/was-hat-corona-mit-kindern-und-kindergaerten-gemacht-kindergartenleiterin-ueber-den-lockdown-und
- 42. Classification: Public 65 Professional Services Penetration Testing Architecture Reviews Security Audit Security Trainings Incident Response Readiness ISMS & ISO 27001 Consulting Forschung & Beratung unter einem Dach Applied Research Industrial Security | IIoT Security | Mathematics for Security Research | Machine Learning | Blockchain | Network Security | Sustainable Software Systems | Usable Security SBA Research Knowhow Transfer SBA Live Academy | sec4dev | Trainings | Events | Teaching | sbaPRIME Kontaktieren Sie uns: anfragen@sba-research.org Reinhard Kugler rkugler@sba-research.org