Abusing a Distroless Container
Shell commands on shell-less containers
Intent
The intent of this write-up is to challenge the myth surrounding distroless containers and their perceived security. While distroless containers are often praised for their minimalistic design, devoid of conventional operating system tools and shells, the article aims to shed light on the fact that their security is not guaranteed just by excluding shell programs like bash/sh.
I’ll try to emphasize that dropping shell programs from containers does not make them immune to unconventional techniques; security vulnerabilities may still exist, even in a distroless environment with a slim attack surface.
The Myth: Unraveling the “Without a Distro” Illusion
Distroless containers are often celebrated for their promise of being “without a distro,” suggesting a completely minimalistic, stripped-down environment. They may lack the regular, well-known OS tools and shells, but that does not mean they are without an OS: they still ship a minimal set of OS runtime components.
Exploiting the Lean environment
Even though distroless containers are simpler and do not carry the usual tooling, they can still be vulnerable. We’ll look at how to work with them practically, dealing with possible issues and finding opportunities to exploit.
For this exploit let us use a distroless image from the official github repo — https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md
Pull this image
docker pull gcr.io/distroless/base-debian11
We won’t be able to run it with sh or bash since it has no shell in it. If we try we get an error:
Of course we can have some entry point running a simple program in loop.
The binary we would abuse to exploit this container is OpenSSL. So let us just start this container with the same binary instead of some random program.
docker run -itd c3471e04a10b /usr/bin/openssl
The exploit —
This abuse leverages the functionality of the enc option, which is commonly used for encryption tasks but, when in the wrong hands, can become a powerful tool for unauthorized access and manipulation of files within the container.
Now let us try abusing this functionality by reading from some files:
After we open an OpenSSL prompt, we can run enc with the -in option to read a file. Let us try printing the hostname of this container.
enc -in /etc/hostname
Let us try accessing more files and play around:
enc -in /etc/passwd
enc -in /etc/hosts
enc -in /etc/resolv.conf
enc -out can be used to write out into files as well. Apart from enc, there is a module called engine in OpenSSL, which can be used to load our own code and eventually run it; we can explore that in some other blog.
Exploiting in Kubernetes:
Containers run under container orchestration tools like K8s, Docker Swarm, etc. Let us look at exploiting the same container in a K8s environment and try stealing the service account token from the Pod:
Running the same container in a deployment — 2 pods —
As expected, we will not be able to get bash or sh, as there is no shell in the container —
Let’s abuse OpenSSL now to try and get the service account token from the Pod by accessing this location — /var/run/secrets/kubernetes.io/serviceaccount/token
There we go, we tried reading the token file from the pod and were successful.
Closing thoughts
In conclusion, developers should be mindful of the libraries and packages they include in their containers, moving beyond the motive of minimal size and random image pulls from container registries. While distroless containers promise a lightweight and stripped-down environment, the emphasis should be on understanding the composition of these containers rather than solely focusing on their size.
Security is not solely determined by the absence of conventional shells or the reduction of image size. It’s crucial for developers to have a clear understanding of the runtime components, libraries, and dependencies within their containers. Blindly trusting in the minimalistic nature of distroless containers might lead to unforeseen security vulnerabilities.
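One way to act on this, as an added example that is not part of the original post: a small Python audit that lists every executable an image actually ships, run over a `docker export` dump of the image filesystem. The tarball built inside it is a constructed sample, and piping a real dump in via `docker create` / `docker export` is an assumed workflow.

```python
import io
import stat
import tarfile

# Directories that conventionally hold shared libraries, not programs.
LIB_PREFIXES = ("lib/", "lib64/", "usr/lib/", "usr/lib64/")
EXEC_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def build_sample_export() -> bytes:
    """Constructed sample shaped like a `docker export` tarball; not a real image dump."""
    entries = [
        ("etc/passwd", 0o644, b"root:x:0:0:root:/root:/sbin/nologin\n"),
        ("etc/hostname", 0o644, b"sample\n"),
        ("usr/bin/openssl", 0o755, b"\x7fELF (truncated sample)"),
        ("usr/lib/x86_64-linux-gnu/libssl.so.1.1", 0o755, b"\x7fELF (sample)"),
    ]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for path, mode, data in entries:
            info = tarfile.TarInfo(name=path)
            info.size, info.mode = len(data), mode
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def list_executables(export_bytes: bytes) -> list:
    """Every regular file with an execute bit set, outside library directories."""
    found = []
    with tarfile.open(fileobj=io.BytesIO(export_bytes), mode="r") as tar:
        for member in tar:
            if not member.isreg() or not (member.mode & EXEC_BITS):
                continue  # directories, symlinks and plain data files
            name = member.name.lstrip("./")
            if name.startswith(LIB_PREFIXES):
                continue
            found.append("/" + name)
    return sorted(found)


def audit(export_bytes: bytes, flagged=("openssl",)) -> dict:
    """All executables, plus those on a watch list (openssl reads files, per the write-up)."""
    execs = list_executables(export_bytes)
    hits = [p for p in execs if p.rsplit("/", 1)[-1] in flagged]
    return {"executables": execs, "flagged": hits}


if __name__ == "__main__":
    import sys  # real dump: docker export $(docker create IMAGE) | python3 audit.py
    data = sys.stdin.buffer.read() if not sys.stdin.isatty() else build_sample_export()
    print(audit(data))
```

A base image that reports more than a handful of executables deserves a look at each one before it ships, and in K8s a Pod that never talks to the API server can additionally set automountServiceAccountToken to false so there is no token file to read.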
Refs:
https://github.com/GoogleContainerTools/distroless/blob/main/base/README.md
https://www.form3.tech/blog/engineering/exploiting-distroless-images
Please feel free to point out mistakes if there are any. Thank you for reading. You can connect with me on LinkedIn / Twitter. Happy to answer your queries.
