Well that Escalated Quickly! How Abusing Docker API Led to Remote Code Execution Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers

Black Hat USA 2017

Presented by: Michael Cherny, Sagie Dulce
Date: Thursday July 27, 2017
Time: 15:50 - 16:40
Location: Lagoon DEFJKL

With over 5 billion pulls from the Docker Hub, Docker is proving to be the most dominant technology in an exploding trend of containerization. An increasing number of production applications are now running inside containers, and to get to production, developers first use containers on their own machines. Docker offers developer versions supporting Linux, Mac, and even Windows. To support Windows and Mac developers, Docker uses their respective hypervisors to run Linux containers.

Developers are a prime target for attackers, as they often use less secure environments, are administrators on their own systems and have access to sensitive information. Developers running Docker on their own machines may have their RESTful Docker API listening for TCP connections, either by default (as in the case of Docker for Windows) or through their own bad configuration.

In this talk, we will break down a complex attack on Docker developers. We first show how a developer visiting a malicious web page will end up with a reverse shell into their internal network. We go several steps further and show how to remain persistent and stealthy on the developer machine without being detected.

To reach our end goal we use two new forms of attack: Host Rebinding and Shadow Containers. Host Rebinding is used to bypass the Same Origin protection of browsers, while Shadow Containers is a persistence technique on the hypervisor using containers.

We will end the talk with practical methods of mitigation against such attacks. We will also revisit the industry stance on DNS-Rebinding protections and how they don't mitigate attacks from the local area network.
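The exposure the abstract starts from is a Docker API reachable over TCP without TLS client verification. As an added example (not from the talk, and not Docker's own tooling), the Python script below audits a daemon.json for that condition and produces a hardened copy of the configuration. The key names it reads and writes (`hosts`, `tlsverify`, `tlscacert`, `tlscert`, `tlskey`) are Docker's documented daemon.json options; the sample configurations and the certificate paths in the hardened output are constructed placeholders.

```python
"""Audit a Docker daemon.json for a Docker API exposed over plain TCP.

Added example for the abstract above; not part of the talk or of Docker.
Risk model follows the talk: a tcp:// listener without TLS client
verification is reachable by any local process and, via host/DNS rebinding,
by a browser that visits a hostile page, even when bound to loopback.
"""
import json
from urllib.parse import urlsplit

DOCKER_PLAIN_PORT = 2375           # dockerd's conventional unencrypted API port
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

# Constructed sample configurations (not taken from any real machine).
WEAK_DAEMON_JSON = '{"hosts": ["npipe://", "tcp://127.0.0.1:2375"]}'
LAN_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
TLS_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],'
    ' "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",'
    ' "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)


def parse_daemon_json(text: str) -> dict:
    """Parse a daemon.json document; an empty file means 'all defaults'."""
    return json.loads(text) if text.strip() else {}


def assess_listener(host: str, tlsverify: bool) -> dict:
    """Classify one entry of the daemon's 'hosts' list."""
    parts = urlsplit(host)
    scheme = parts.scheme.lower() if parts.scheme else "unix"  # bare path = unix socket
    finding = {"host": host, "risk": "ok", "reason": "local IPC endpoint (unix socket / named pipe)"}
    if scheme != "tcp":
        return finding
    bind = (parts.hostname or "").lower()          # "" means all interfaces
    port = parts.port if parts.port is not None else DOCKER_PLAIN_PORT
    where = f"{bind or 'all interfaces'}:{port}"
    if not tlsverify:
        finding["risk"] = "high"
        if bind in LOOPBACK:
            finding["reason"] = (f"plain-text API on loopback {where}: no client authentication; "
                                 "reachable by any local process and by a browser via host/DNS rebinding")
        else:
            finding["reason"] = f"plain-text API on {where}: no client authentication; reachable from the network"
    elif bind in LOOPBACK:
        finding["reason"] = f"TLS client verification enabled on loopback {where}"
    else:
        finding["risk"] = "medium"
        finding["reason"] = f"TLS client verification enabled on {where}; still network-exposed, keep the CA key offline"
    return finding


def audit_daemon_json(text: str) -> list:
    """Return one finding per configured listener."""
    cfg = parse_daemon_json(text)
    tlsverify = bool(cfg.get("tlsverify", False))
    return [assess_listener(h, tlsverify) for h in (cfg.get("hosts") or [])]


def harden(cfg: dict) -> dict:
    """Return a copy of cfg in which any tcp:// listener requires TLS client verification.

    The certificate paths are placeholders to be replaced with real files
    issued from a private CA; they are not real paths from the talk.
    """
    out = dict(cfg)
    has_tcp = any(urlsplit(h).scheme.lower() == "tcp" for h in (cfg.get("hosts") or []))
    if has_tcp and not cfg.get("tlsverify"):
        out["tlsverify"] = True
        out.setdefault("tlscacert", "/PLACEHOLDER/ca.pem")
        out.setdefault("tlscert", "/PLACEHOLDER/server-cert.pem")
        out.setdefault("tlskey", "/PLACEHOLDER/server-key.pem")
    return out


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("lan", LAN_DAEMON_JSON), ("tls", TLS_DAEMON_JSON)):
        print(f"== {name} ==")
        for f in audit_daemon_json(text):
            print(f"  [{f['risk']:6}] {f['host']}: {f['reason']}")
        print("  hardened:", json.dumps(harden(parse_daemon_json(text))))
```

Run it as-is to see the three constructed configurations classified; point `audit_daemon_json` at the contents of a real daemon.json to audit a workstation. The loopback case is deliberately rated as high as the network-exposed one, because the browser-borne path the abstract describes does not depend on the port being reachable from the LAN.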

Michael Cherny

Michael Cherny is head of security research at Aqua, the leading security platform for container environments. Michael has more than 20 years of experience in the software industry, specializing in security products. Prior to Aqua, he has held senior security research positions at Microsoft, Aorato and Imperva. Michael is a regular speaker at security conferences, among them BlackHat Europe, RSA Europe and Virus Bulletin.

Sagie Dulce

Sagie Dulce is a cyber security researcher with over 10 years of experience. Sagie started his cyber security career in the intelligence unit 8200 of the IDF, where he performed mostly offensive research. From there, Sagie moved to the private sector at Imperva, focusing on defenses against advanced attacks. Sagie is currently working for Aqua Security, where he explores new defenses and attacks in the virtualized container sphere.
