Don't Have a COW: Containers on Windows and Other Container-Escape Research

Published: 23/11/2024   Category: security




Several pieces of Black Hat USA research will explore container design weaknesses and escalation of privilege attacks that can lead to container escapes.



In what's shaping up to be a summer of container escapes, a pair of talks slated for Black Hat USA next month will explore the kinds of architectural weaknesses in operating systems and in container platforms that can make it easy for attackers to break down the barriers of container isolation and run roughshod over cloud infrastructure.
In one talk, "The COW (Container on Windows) Who Escaped the Silo," the research will explore the inherent architectural security design problems in the way that Windows containers are isolated from the real host settings. Eran Segal, research team leader of SafeBreach, says he will delve into the technical details that show how Windows kernel architecture isn't built to handle containers with the same kind of native security capabilities as Linux kernel architecture. Some of the workarounds Windows has built in response to implement containers leave Windows containers open to attack.
"Windows containers isolated as process isolation are not isolated well and it is possible to impact the host from inside," Segal explains.
He's saving the technical details for his Black Hat presentation, but offers a tease that his demonstration will show how an attacker can create a malicious container with low privileges that can communicate with other containers and start wreaking havoc on the host.
"I can't share it before the talk, but I can say that I'll gain a permissions system inside the container, cause a DoS to the host, and manage to access the entire kernel memory, and it is highly possible that the kernel memory contains passwords," Segal says.
He hopes that the discussion will offer security practitioners and fellow researchers a glimpse into the mechanics behind how Windows containers are built, the vulnerabilities he found with them, and how to start rooting out flaws similar to the ones he'll recap.
"They will learn about the internals of process isolated Windows containers, the internals of the vulnerabilities I found, and a recipe for finding additional vulnerabilities such as the ones I found," he says.
The exploration of container escapes like the one Segal will demonstrate is not a new field of security research, but it is one that has been heating up considerably of late. Just last month at RSA Conference, executives with CrowdStrike detailed attack techniques that could take advantage of a bug they discovered in March in the CRI-O container engine that underpins Kubernetes. That demonstration showed how this cr8escape bug could be used by attackers to escape containers and gain root access on the host.
And last week, news broke of a flaw dubbed FabricScape that posed serious container escape risk from Linux containers within Microsoft's Azure Service Fabric technology. Discovered by security researchers from Palo Alto Networks, details of the flaw were released last week as a follow-on to Microsoft's patch that fixed the issue on June 14. The vulnerability was in a logging function with high privileges in Service Fabric's Data Collection Agent (DCA).
The vulnerability could allow malicious actors to take over Linux hosting environments. "It allows a compromised container to escape and take over the cluster running it," wrote Aviv Sasson and Ariel Zelivanski of Palo Alto's Unit 42 research team. "Containers could become malicious if they are broken into through either a known vulnerability or zero-day vulnerability, or through a supply-chain attack such as typosquatting or a malicious package."
Unit 42 researchers have been on a tear with container escape research this summer. A pair of researchers from the team, Yuval Avrahami and Shaul Ben Hai, will present the other big container escape talk at Black Hat next month.
"Kubernetes Privilege Escalation: Container Escape == Cluster Admin?" will take a deep-dive look into how attackers can abuse service account tokens in system pods to turn a single container escape into an attack that can take over an entire Kubernetes cluster. The researchers will also present tools to help discover these pods within infrastructure and identify privilege escalation paths in a cluster. That will help security defenders better harden their container infrastructure from escapes and broader escalation of privileges on the host.
