BruCON 0x0A

Containers have quickly become a standard feature of most application and infrastructure stacks. The benefits of containers are numerous, with ease of use being a primary motivator. This has seen adoption by numerous cloud service providers. Application containers are expected to be a $2.7bn market by 2020[1]. The most popular container solution, Docker, has had 14 million hosts accessing their public Docker Hub, pulling down 12 billion container images[2]. At least 40% of organizations using Docker are also using a container orchestration service such as Kubernetes, Mesos, Amazon ECS, or Google Container Engine[3]. 

Escaping these container solutions is seen as a hard problem, requiring kernel vulnerabilities, bespoke ROP chains, or framework flaws. This is not the case! In this talk we will explore, from an attacker's perspective, real-world exploitable setups we've encountered. We will demonstrate numerous container escapes, including exposed Docker daemons and Kubernetes API access in multi-tenant environments, weak Linux capability blacklists and seccomp bypasses. These are not theoretical vulnerabilities or contrived lab examples, but actual misconfigurations we've seen in large cloud service providers. 

Many container operators and developers don't understand the implication of certain configurations and the attack surface presented by the confluence of the container technology's surface area and Linux kernel and other subsystem interactions. Secure design and configuration of a container environment requires a deep understanding of Unix sockets, networking, namespaces, and an equally deep understanding of container RPC and orchestration endpoints. Small, easy to overlook missteps like using the wrong network namespace or exporting the wrong port, or overlooking one of the hundreds of Linux syscalls can have disastrous results. 

The talk will provide a methodology that security professionals can use when assessing containerized environments and we will demonstrate attacks against common deployments. We will also cover configuration recommendations for engineers to avoid these mistakes and tools you can use to check for a safe configuration.