Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers

Pierluigi Paganini November 29, 2018

Exploring the open API abuse for Docker Containers. Docker is a popular container product which has been adopted widely by the community.

Preface

IT industry has seen quite a few transformations in last couple of decades with advent of disruptive technologies. Back in 2000, every aspiring student wanted to become computer /IT engineer, thanks to “.com” boom that was storming the IT industry back in those days.  After a few years, IT industry disrupted big time again with the dawn of Virtualization.

Inception of Cloud technologies, in last few years, has completely changed the way we perceive and manage IT. Who would have thought 20 years back that all of the IT Infrastructure could be generated by just a few lines of code?

Recently, with the rise of DevOps, backed by these latest disruptive advancements, the IT industry once again getting redefined its way of working. Today, every organization in the industry is keen to embrace this Digital Transformation journey to leverage the benefits provided by DevOps by adopting it. DevOps practices are offering enormous capability of rapidly delivering products by reforming and automating the CI/CD pipeline. The DevOps practices make deployment way efficient and standardized by providing speed, consistency and scalability. The field of IT is again going through a big transformation and we all are a part of this journey. At the same time, the cyber security industry is also moving very quickly to keep pace with the technology disruptions. The ways & means of delivering effective cyber security have gone through radical changes in last 6 -7 years to ensure security in this dynamic environment. Meanwhile, the rise of DevOps has given a birth to DevSecOps to ensure security in CI/CD pipeline.

The use of containers has become prevalent with a rise of DevOps era. Containers are dynamic & ephemeral by nature. Anything which is ephemeral is hard to get visibility on and if it is not visible then it is hard to secure. Traditional security measures may or may not work effectively to secure such a dynamic infrastructure. There are several challenges related to container security; and there are commercial and opensource solutions in the market to handle these newborn challenges.

In this article, I am exploring the open API abuse for Docker Containers. Docker is a popular container product which has been adopted widely by the community. Docker has both community and enterprise editions. Docker comes with quite a few security features with it, however, misconfiguration by admins/users of the Dockers may leave them vulnerable and open to exploit.

Need of an API

By default, when the Docker is installed, API is not exposed to the outside world. It is only accessible through loopback interface of the container. Exposing API may be required to leverage the application like Portainer which is used to manage containers on that host or on the remote hosts.

How to open API in Docker for CentOS?

Opening of API may get slightly tricky based on the operating system that you are using. Please follow the following steps to open an API on CentOS 7, provided that the Docker engine is already installed.

Update the file:  /etc/systemd/system/docker.service.d/docker.conf with the following commands

[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock

Note: If directory or file is missing under /etc/systemd/system then create it manually.

Docker

Restart the docker service using systemd commands:

sudo systemctl daemon-reload
sudo systemctl restart docker

You can verify if the configuration is working as expected by calling

Ps –ef | grep docker

Docker

How to connect to open API?

Following Docker command is used to hook in to open API on the remote host. Just by nudging the API with a standard curl command you will get following information (see the screenshot).

Curl –s <remote_ip>:2375/2376 | jq

Docker

What can(not) we do with Open API?

Once we get the open API on a remote docker_host, all the docker commands can be run on the remote hosts.  Using Docker commands, all sorts of docker operations & management can be performed on the remote host for Dockers –  ranging from Information gathering about Docker host to pulling the cryptominer image and running it as a rogue container on the remote host.

I have created a demo set-up to demonstrate a few of these examples

I have expose API on one of the CentOS boxes –  10.113.12.119 – as per the steps mentioned in the above section. I will connect to this machine using this Open API on port 2375 (Docker).

Information Gathering

Docker

List the images stored on the machine

Docker

List all containers on the machineDocker

Run/Launch the container on the remote machine / Spwaning a shell via exec command

Docker

List running containers on the machine

Docker

Run any command with root privilege on any of the running containers

Docker

Pull any image from the public repository and run that as a container on the remote hostDocker

Docker

Open Docker API on the Internet

If you explore Shodan search engine for Open API then you find that more than 1000 hosts are having their Docker API exposed on the Internet.

Docker

I have pulled down sample approx. 500 hosts using Shodan API and done some analytics on these 500 hosts to know the spread pattern of these open APIs.

Docker

By looking at the chart above, we can say that, China & United States shares the large number of open Docker APIs.

The largest share of the Docker Engines in analyzed ~500 open APIs are: 18.06.1-ce.

Docker

Even if where SSL/TLS is enabled, a small portion of Docker APIs were supporting vulnerable and outdated

protocols like SSLv2, SSLv3

Are they already compromised?

Out of ~500 samples analyzed, 130+ are already compromised with the cryptominer. It has been observed that 130+ hosts are compromised and running with cryptominer containers at the time of this research.  A few of the hosts are running with multiple mining containers; moreover, the containers are dynamic in nature hence the data varies a bit everytime we scan the open APIs. However, it is consistently giving 140+ miner containers running during the scan of these ~500 vulnerable hosts.

Most of these hosts are compromised with popular monero cpu cryptominer. These rogue containers will eat up CPU cycles on the hosts where it is installed. Docker has made it too easy to start mining with the help of miner images uploaded on the Docker Image Repository – Hub.

Just need to pull down one of those images and run/start the container on the remote hosts.

Out of ~140 observed compromised hosts, ~110+ are running with the “kannix/monero-miner” image.

Docker

If you look at the image statistics on Docker image repository, this image is pulled over 10M times. This shows the popularity of this miner image.

There are other cryptominer images also used but in very small portion.

arayan/monero-miner

Docker

timonmat/xmr-stak-cpu

Docker

strm/xmrig

Docker

bitnn/alpine-xmrig

Docker

Kannix/monero-miner run with following arguments for all analyzed samples –

  • Algorithm – cryptonight-lite
  • Pool Used – pool.aeon.hashvault.pro:3333
  • User (wallet account) –WmthxKa4FVvSDA8fjyXiZJB3WWWFxumQJAZfRGmrMCaMCooq52sipimAYJM2NYNy34bJUX566wEBmEC2QmdmnVLh2GzgRy4F6
  • Password – phantompain
  • Donate-level – 1
  • Max-cpu-usage – 100

How to prevent such attacks?

To prevent such attacks, we need to secure DockerAPI, TLS needs to be enabled by specifying tlsverify flag and pointing dokcer’s tlscacert to a trusted CA certificate.

There is step-by-step process explained how to secure API is described in Security documentation. Please refer Protect the Docker daemon socket.

About the author: Kirtar Oza CISSP,CISA, MS

[adrotate banner=”9″] [adrotate banner=”12″]

Edited by Pierluigi Paganini

(Security Affairs – cybersecurity, Hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]



you might also like

leave a comment