Attack Uses Docker Containers To Hide, Persist, Plant Malware

A novel attack vector allows for adversaries to abuse the Docker API to hide malware on targeted systems, and even execute remote code.

The proof of concept attack was developed by researchers at Aqua Security, and the technique was first demonstrated today at Black Hat by Sagie Dulce, senior security researcher, with Aqua Security.

The attack works on any Docker installation that exposes its API over TCP, which (until recently) was the default for Docker for Windows, an application used by developers to create and test containerized applications.

“The attack endgame is a persistent remote code execution within the enterprise’s network,” Dulce said. “Persistence on the host computer is practically undetectable by existing security products from the host.”

The attack is multistage. Step one involves luring the developer running Docker for Windows to an attacker-controlled webpage that hosts specially crafted JavaScript. Among other things, the JavaScript is able to bypass the browser’s Same Origin Policy, a data protection feature found in modern browsers.

“Only a limited subset of HTTP methods is allowed across origins, including GET, HEAD and POST,” Dulce said. The researcher not only used an API command that did not violate the SOP protection, but also spawned a Docker container on the host machine that uses a Git repository as its command-and-control channel, since the repository also hosts the malicious attack code.

“This container is kind of limited,” Dulce said. “What you really want is to access the entire Docker API so you can run any container you want such as a privilege container with more access to the host or the underlying virtual machine.”

To make that happen, Aqua researchers created a “Host Rebinding Attack” technique that is similar to a “DNS Rebinding Attack,” in which an adversary abuses DNS to trick a browser into not enforcing the Same Origin Policy. Aqua’s Host Rebinding Attack targets Microsoft name resolution protocols to achieve the same end goal, but via a virtual interface, so the attack itself cannot be detected over the network.

“Host rebinding rebinds a host IP address over the local network to another IP address. It is similar to DNS rebinding, but instead of spoofing DNS responses, controlling a domain, or otherwise meddling with the DNS service, we spoof responses to broadcasted name resolution protocols such as NetBIOS and LLMNR,” the researcher wrote.

The result is a (build) container running within the victim’s Hyper-V VM, sharing the host’s network and executing attacker-controlled arbitrary code, he explained.
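The precondition for the whole chain described above is a Docker daemon that accepts API calls over TCP without client authentication. As an added defensive example (not part of the original article or of Aqua Security's research), the following Python audits a Docker daemon.json for that exposure; it assumes Docker's documented `hosts`, `tls` and `tlsverify` daemon.json keys and Docker's default unencrypted port 2375, and the sample configurations are constructed.

```python
"""Audit a Docker daemon.json for the precondition of the attack described
above: a Docker API listening on TCP that any process able to reach the
socket, including a browser sending cross-origin GET/POST requests, can call.
Example code added to the article, not Aqua Security's or Docker's tooling;
the daemon.json samples below are constructed."""
import json
from urllib.parse import urlparse


def tcp_listeners(cfg):
    """Return (host, port) for each tcp:// entry in daemon.json's "hosts" list.
    Docker treats an empty host as all interfaces and an empty port as 2375."""
    out = []
    for entry in cfg.get("hosts", []):
        u = urlparse(entry)
        if u.scheme == "tcp":
            out.append((u.hostname or "0.0.0.0", u.port or 2375))
    return out


def audit_docker_daemon_config(cfg):
    """Return findings about TCP exposure; an empty list means none."""
    findings = []
    for host, port in tcp_listeners(cfg):
        if not cfg.get("tlsverify", False):
            # Without client-certificate verification the API is effectively
            # unauthenticated. Binding to loopback does not help against the
            # browser pivot described above: the victim's browser already
            # sits on the loopback interface.
            findings.append(f"tcp://{host}:{port}: API calls are unauthenticated (tlsverify not set)")
        if host in ("0.0.0.0", "::"):
            findings.append(f"tcp://{host}:{port}: listening on all interfaces")
    return findings


def audit_daemon_json(text):
    """Same audit, taking the raw daemon.json text."""
    return audit_docker_daemon_config(json.loads(text))


# Constructed samples: the weak setting beside a hardened one (certificate
# file names are placeholders).
WEAK = '{"hosts": ["tcp://0.0.0.0:2375", "npipe://"]}'
HARDENED = ('{"hosts": ["npipe://", "tcp://127.0.0.1:2376"], "tlsverify": true, '
            '"tlscacert": "ca.pem", "tlscert": "server-cert.pem", "tlskey": "server-key.pem"}')

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_daemon_json(text) or ["no TCP exposure findings"])
```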


Source: ThreatPost