Kali Linux

Whoc : A Container Image That Extracts The Underlying Container Runtime

Whoc is a container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!

  • WhoC at Defcon 29 Cloud Village
  • Azurescape – whoc-powered research, the first cross-account container takeover in the public cloud (70,000$ bounty)

How does it work?

As shown by runc CVE-2019-5736, traditional Linux container runtimes expose themselves to the containers they’re running through /proc/self/exewhoc uses this link to read the container runtime executing it.

Dynamic Mode

This is whoc default mode that works against dynamically linked container runtimes.

  • The whoc image entrypoint is set to /proc/self/exe, and the image’s dynamic linker (ld.so) is replaced with upload_runtime.
  • Once the image is run, the container runtime re-executes itself inside the container.
  • Given the runtime is dynamically linked, the kernel loads our fake dynamic linker (upload_runtime) to the runtime process and passes execution to it.
  • upload_runtime reads the runtime binary through /proc/self/exe and sends it to the configured remote server.

Wait-For-Exec Mode

For statically linked container runtimes, whoc comes in another flavor: whoc:waitforexec.

  • upload_runtime is the image entrypoint, and runs as the whoc container PID 1.
  • The user is expected to exec into the whoc container and invoke a file pointing to /proc/self/exe (e.g. docker exec whoc_ctr /proc/self/exe).
  • Once the exec occurs, the container runtime re-executes itself inside the container.
  • upload_runtime reads the runtime binary through /proc/$runtime-pid/exe and sends it to the configured remote server.

Try Locally

You’ll need docker and python3 installed. Clone the repository:

$ git clone git@github.com:twistlock/whoc.git

Set up a file server to receive the extracted container runtime:

$ cd whoc
$ mkdir -p stash && cd stash
$ ln -s ../util/fileserver.py fileserver
$ ./fileserver

From another shell, run the whoc image in your container environment of choice, for example Docker:

$ cd whoc
$ docker build -f Dockerfile_dynamic -t whoc:latest src # or ./util/build.sh
$ docker run –rm -it –net=host whoc:latest 127.0.0.1 # or ./util/run_local.sh

See that the file server received the container runtime. If you run whoc under vanilla Docker, the received container runtime should be runc.

--net=host is only used in local tests so that the whoc container could easily reach the fileserver on the host via 127.0.0.1.

Other Platforms

By default whoc is built for linux/amd64, but it also supports other CPU architectures. Wait-for-exec mode can be built as usual. To build whoc in dynamic mode for other CPU architectures, you must populate the PLATFORM_LD_PATH_ARG build argument with the path of the dynamic linker on the target architecture.

An example build script for arm64 is available at util/build_arm64.sh.

Help

Help for whoc‘s main binary, upload_runtime:

Usage: upload_runtime [options]

Options:
-p, –port Port of remote server, defaults to 8080
-e, –exec Wait-for-exec mode for static container runtimes, waits until an exec to the container occurred
-b, –exec-bin In exec mode, overrides the default binary created for the exec, default is /bin/enter
-a, –exec-extra-argument In exec mode, pass an additional argument to the runtime so it won’t exit quickly
-r, –exec-readdir-proc In exec mode, instead of guessing the runtime pid (which gives whoc one shot of catching the runtime),
find the runtime by searching for new processes under ‘/proc’

R K

Recent Posts

Configure a Static IP Address on Ubuntu 18.04: Netplan Guide

Setting a static IP address on your server is a smart move. It ensures your…

3 hours ago

Install Xrdp on Ubuntu 18.04: Remote Desktop Setup Guide

Xrdp is an open-source implementation of the Microsoft Remote Desktop Protocol (RDP). It lets you access…

4 hours ago

Add and Delete Users on Ubuntu 18.04: A Practical Guide

Managing user accounts is one of the most basic system administration tasks on any Linux…

4 hours ago

Install Wine on Ubuntu 18.04: Run Windows Apps on Linux

Wine (short for "Wine Is Not an Emulator") is a compatibility layer that lets you run…

4 hours ago

Install KVM on Ubuntu 18.04: Setup, Network, and Create VMs

KVM (Kernel-based Virtual Machine) is an open-source virtualization technology built into the Linux kernel. It lets…

4 hours ago

Upgrade to Ubuntu 20.04 LTS: Prepare, Update, and Confirm

Ubuntu 20.04 LTS (code name Focal Fossa) was released on April 23, 2020. It is a…

1 day ago