In the 1968 television series The Prisoner, a former British intelligence agent is imprisoned on an island called "the Village" with other former spies who "know too much." Escape is near impossible for the prisoners, who are referred to only by their numbers.
We’ll assume the role of “Number Six” in this session and engage the audience in a game of escape. The only difference is that instead of a coastal island, our prison is within a Docker container.
We’re trapped in Play-with-Docker, Docker’s training and workshop playground website.
We'll set out to escape the mock container in an effort to run code on the Docker host. The impact of a container escape is similar to that of a virtual machine escape, since both give access to the underlying server. Running code on the Play-with-Docker server would give an attacker unrestricted root access to the Play-with-Docker infrastructure on one hand, and to every running container on the other. Escaping a container may be regarded as the first step in an attack against an enterprise infrastructure, since many enterprises run public-facing containers nowadays.
Containers are a very interesting field of research as far as security is concerned. Millions of Linux containers are spun up every day, and some of them are privileged. Privileged containers are a breed of their own, and passing the --privileged flag is only one of many ways to spin up a privileged container: granting extra capabilities or exposing host devices can have much the same effect. Privileged containers may be spun up out of necessity (e.g. some Kubernetes containers are privileged) or as a result of a misconfiguration.
In this session we introduce the idea that privileged containers are an opening into an organization's network and demonstrate some of the methods we found to exploit them, using the Play-with-Docker (https://labs.play-with-docker.com/) container website. Attendees will see how we use a number of different methods, such as loading a Linux kernel module into the Play-with-Docker kernel, exploiting devices present in the container to read and write the host's files, and more.