Exploiting Alpine Linux: From vulnerability discovery to code execution

Presented at BSidesDC 2017, Oct. 8, 2017, 10:30 a.m. (50 minutes)

Alpine is a Linux distribution promoted as lightweight and security-oriented. In recent years it has become widely popular, mainly thanks to its use in containers. In fact, Docker itself [has hired Alpine's creator](https://www.brianchristner.io/docker-is-moving-to-alpine-linux/) to migrate all official images from Ubuntu to Alpine. The official Alpine image has more than 10 million pulls! I've found [two critical vulnerabilities in apk](http://seclists.org/oss-sec/2017/q2/598), Alpine's package manager. In my talk I plan to explain how I found the vulnerabilities (by fuzzing specific functions) and demonstrate the exploitation process that finally led to remote code execution. A full attack using the vulnerabilities consists of MITMing an Alpine machine or container and providing it with a malicious, carefully crafted update file (see teasers [1](https://asciinema.org/a/8ftsmf3yf2aiooh20p3wyrf38), [2](https://asciinema.org/a/124708)). I will also discuss the process of assigning CVE IDs, approaching the developers to responsibly issue fixes, and finally publicly disclosing the vulnerabilities.

Presenters:

  • Ariel Zelivansky - Security Researcher at Twistlock
    Ariel Zelivansky is a security researcher at Twistlock, dealing with hacking and securing anything related to containers. Ariel is a veteran of an elite Israeli intelligence unit, where he served in the role of a researcher.
