Well, that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers

Presented at Black Hat USA 2017, July 27, 2017, 3:50 p.m. (50 minutes)

With over 5 billion pulls from the Docker Hub, Docker is proving to be the most dominant technology in an exploding trend of containerization. An increasing number of production applications are now running inside containers; and to get to production, developers first use containers on their own machines. Docker offers its developer versions supporting Linux, Mac, and even Windows. To support Windows and Mac developers, Docker uses their respective hypervisors to run linux containers. Developers are a prime target for attackers, as they often use less secure environment, are administrators on their own systems and have access to sensitive information. Developers running docker on their own machines, may have by default (as in the case of Docker for Windows) or by their own bad configuration, their RESTful docker API listening for TCP connections. In this talk, we will break down a complex attack on docker developers. We first show how a developer visiting a malicious web page, will end up with a reverse shell to his internal network. We go several steps further and show how to remain persistent and stealthy on the developer machine without being detected. To reach our end goal we use two new form of attacks: Host Rebinding and Shadow Containers. Host Rebinding will be used to bypass the Same Origin protection of browsers, while Shadow Containers is a persistency technique on the hypervisor using containers. We will end the talk with practical methods of mitigation against such attacks. We will also revisit the industry stance on DNS-Rebinding protections and how they don't mitigate attacks from the local area network.

Presenters:

• Michael Cherny - Head of Research, Aqua Security
  Michael Cherny is head of security research at Aqua, the leading security platform for container environments. Michael has more than 20 years of experience in the software industry, specializing in security products. Prior to Aqua, he has held senior security research positions at Microsoft, Aorato and Imperva. Michael is a regular speaker at security conferences, among them BlackHat Europe, RSA Europe and Virus Bulletin.
• Sagie Dulce - Senior Security Researcher, Aqua Security
  Sagie Dulce is a Cyber Security researcher with over 10 years of experience. Sagie started his cyber security career in the intelligence unit 8200 of the IDF, where he performed mostly offense research. From there, Sagie moved to the private sector in Imperva; focusing on defenses against advanced attacks. Sagie is currently working for Aqua Security, where he explores new defenses and attacks in the virtualized container sphere.

Links:

• https://www.blackhat.com/us-17/briefings/schedule/#well-that-escalated-quickly-how-abusing-docker-api-led-to-remote-code-execution-same-origin-bypass-and-persistence-in-the-hypervisor-via-shadow-containers-6664
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass & more.mp4
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2017/How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass & more.en.transcribed.srt (subtitles)
• https://www.youtube.com/watch?v=w7tAfIlMIa0
• https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence.pdf
• https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf

Similar Presentations:

• Texas Cyber Summit 2019 / DK-1016 Docker Security Workshop
• BSidesLV 2015 / Pentesting with Docker
• AppSec USA 2016 / Breaking and Fixing your ‘Docker’ ized environments