Exploiting Alpine Linux: From vulnerability discovery to code execution

Presented at BSidesDC 2017, Oct. 8, 2017, 10:30 a.m. (50 minutes).

Alpine is a Linux distribution promoted as lightweight and security-oriented. In the last years it has become widely popular, mainly thanks to it's use in containers. In fact Docker itself [has hired Alpine's creator](https://www.brianchristner.io/docker-is-moving-to-alpine-linux/) to migrate all official images from Ubuntu to alpine. The official alpine image has more than 10 million pulls! I've found [two critical vulnerabilities in apk](http://seclists.org/oss-sec/2017/q2/598) - alpine's package manager. In my talk I plan to explain how I found the vulnerabilities (by fuzzing specific functions), and demonstrate the exploitation process that finally lead to remote code execution. A full attack using the vulnerabilities consists of MITMing an alpine machine or container and providing it a malicious, carefully crafted update file (See teasers [1](https://asciinema.org/a/8ftsmf3yf2aiooh20p3wyrf38), [2](https://asciinema.org/a/124708)). I will also discuss the process of assigning CVE IDs, approaching the developers to responsibly issue fixes, and finally publicly disclosing the vulnerabilities.

Presenters:

  • Ariel Zelivansky - Security Researcher at Twistlock
    Ariel Zelivansky is a security researcher at Twistlock, dealing with hacking and securing anything related to containers. Ariel is a veteran of an elite Israeli intelligence unit, where he served in the role of a researcher.

Links:

Similar Presentations: