The Journey From an Isolated Container to Cluster Admin in Service Fabric

Presented at DEF CON 30 (2022), Aug. 14, 2022, 1 p.m. (45 minutes)

Service Fabric is a scalable and reliable container orchestrator developed by Microsoft. It is widely used in Microsoft Azure as well as in Microsoft’s internal production environments as an infrastructure for containerized applications.

Developing a container orchestrator is not an easy task as it involves harnessing many technologies in a complicated and distributed environment. This complexity can ultimately lead to security issues. Such security issues can impose a critical risk since compromising an infrastructure allows attackers to escalate their privileges and take over an entire environment quickly and effectively.

In this session, Aviv will share his research on Service Fabric and his journey of escalating from an isolated container to cluster admin. He will go through researching the code and finding a zero-day vulnerability, explaining his exploitation process in Azure Service Fabric offering while dealing with race conditions and other limitations, and explain how it all allowed him to break out of his container to later gain full control over the underlying Service Fabric cluster.

In the end, he will share his thoughts on security in the cloud and his concerns on cloud multitenancy.


Presenters:

  • Aviv Sasson - Principal security researcher, Palo Alto Networks
    Aviv Sasson is a security research team lead in Palo Alto Networks under Prisma Cloud, specializing in cloud, network, and application security. He started his career in the Israeli intelligence forces and continued to work in the cyber security industry. He is fascinated by container and cloud security and is now working in the Prisma Cloud research team, finding security issues and zero days in the cloud ecosystem.

Links:

Similar Presentations: