Well, That Escalated Quickly! How Abusing Docker API Led to Remote Code Execution, Same Origin Bypass and Persistence in the Hypervisor via Shadow Containers
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a Black Hat conference talk that delves into the security vulnerabilities of Docker API and their potential for exploitation. Learn how abusing Docker API can lead to remote code execution, same-origin policy bypass, and persistence in hypervisors through shadow containers. Discover the risks associated with containerization technology, particularly in development environments. Examine attack vectors targeting Windows 10 and Docker for Windows/Mac, including browser security implications and Same Origin Policy violations. Investigate techniques such as reverse shell demonstrations, DNS rebinding, and host rebinding. Uncover advanced persistent threats like shadow containers and their potential for creating concealed, persistent access. Gain insights into mitigation strategies and understand the broader implications for container security in modern development practices.
Syllabus
Well, That Escalated Quickly! (Aqua title slide)
FOCUS
MENU
VIRTUAL MACHINES VS CONTAINERS
CONTAINERS EVERYWHERE
CONTAINER ADOPTION STATS
DEVELOPERS AS TARGETS
ATTACK OVERVIEW - WINDOWS 10
DOCKER 4 WINDOWS / MAC
BROWSER SECURITY
SAME ORIGIN POLICY (SOP)
DOCKER API CALLS THAT DON'T VIOLATE SOP
BUILD IMAGE API CALL → REVERSE SHELL DEMO
ABUSE DOCKER BUILD
DOCKER FIX
WHAT'S NEXT?
LIMITATIONS
DNS REBINDING - HISTORY
DNS REBINDING - HOW IT WORKS
WHY NOT USE DNS REBINDING?
ATTACKING LLMNR
HOST REBINDING DEMO
RECAP
MISSING PERSISTENCE & CONCEALMENT
PERSISTENT AND CONCEALED
SHADOW CONTAINER - SHUTDOWN SCRIPT
SHADOW CONTAINER - MYSCRIPT.SH
FULL ATTACK DEMO
ADVANCED PERSISTENT THREAT
SHADOW WORM
ATTACK FLAVORS
MITIGATION
BLACK HAT SOUND BYTES
Taught by
Black Hat
Related Courses
AZ-500: Microsoft Azure Security Technologies (LA) - A Cloud Guru
Kubernetes Security - A Cloud Guru
Scenario Based Docker Security - A Cloud Guru
Scenario Based LXD/LXC Security - A Cloud Guru
Secure Container Host Operating System - A Cloud Guru