With over 5 billion pulls from the Docker Hub, Docker is proving to be the most dominant technology in an exploding trend of containerization. An increasing number of production applications are now running inside containers; and to get to production, developers first use containers on their own machines. Docker offers its developer versions supporting Linux, Mac, and even Windows. To support Windows and Mac developers, Docker uses their respective hypervisors to run linux containers.
Developers are a prime target for attackers, as they often use less secure environment, are administrators on their own systems and have access to sensitive information. Developers running docker on their own machines, may have by default (as in the case of Docker for Windows) or by their own bad configuration, their RESTful docker API listening for TCP connections.
In this talk, we will break down a complex attack on docker developers. We first show how a developer visiting a malicious web page, will end up with a reverse shell to his internal network. We go several steps further and show how to remain persistent and stealthy on the developer machine without being detected.
To reach our end goal we use two new form of attacks: Host Rebinding and Shadow Containers. Host Rebinding will be used to bypass the Same Origin protection of browsers, while Shadow Containers is a persistency technique on the hypervisor using containers.
We will end the talk with practical methods of mitigation against such attacks. We will also revisit the industry stance on DNS-Rebinding protections and how they don't mitigate attacks from the local area network.