VMs:
• A malicious script dropped in a shared folder can cross from guest to host (or between guests) when the folder is writable from both sides.
• A worm propagates to other VMs on the same or connected networks; kernel-level isolation does nothing against network-level spread.
• VMs and the host machine don't share a kernel: each VM has its own. To reach the host, an attacker inside a VM has to break out of the guest kernel, then out of the hypervisor (e.g. VMware), and only then lands on the host machine.

Containers:
• Containers can share memory, for example when they share an IPC namespace (`--ipc=host` or `--ipc=container:<name>` in Docker), so one container can read or tamper with another's shared-memory segments.
• Users are not namespaced by default: UID 0 inside the container is UID 0 on the host. If a process breaks out of the container it keeps that privilege, so root in the container is root on the host (user namespace remapping, e.g. Docker's userns-remap, changes this).
• All containers and the host share the same kernel: a kernel panic triggered from inside a container takes down the whole machine, and a kernel exploit from inside a container is a host compromise, not a guest escape.
• DoS in containers: containers share kernel resources. A container that exhausts a resource (PIDs via a fork bomb, memory, file handles) starves the other containers and the host unless cgroup limits such as `--pids-limit` and `--memory` are set.
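As an added example (not code from the original post), here is a self-check a process can run from inside a container to see whether the two notes above about root and about PID exhaustion apply to it. It reads /proc/self/uid_map, which maps container UIDs to host UIDs, and assumes the cgroup v2 path /sys/fs/cgroup/pids.max for the PID limit; the uid_map and pids.max strings at the bottom are constructed samples.

```python
"""Container self-assessment: is root really host root, and is there a PID limit?

/proc/self/uid_map has lines "<inside-start> <outside-start> <length>".
With no user namespace (the default) it reads "0 0 4294967295": container
UID 0 is host UID 0.  With userns remapping it reads e.g. "0 100000 65536":
container UID 0 is an unprivileged host UID.

/sys/fs/cgroup/pids.max (cgroup v2, assumed layout) is "max" when no PID
limit is set, so a fork bomb in the container competes with the host for
the kernel's PID table.
"""
from pathlib import Path
from typing import Optional

UID_MAP_PATH = Path("/proc/self/uid_map")
PIDS_MAX_PATH = Path("/sys/fs/cgroup/pids.max")   # cgroup v2 path, assumed


def parse_uid_map(text: str) -> list[tuple[int, int, int]]:
    """Parse uid_map into (inside_start, outside_start, length) triples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue            # ignore blank or malformed lines
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries


def host_uid_for(container_uid: int, uid_map: list[tuple[int, int, int]]) -> Optional[int]:
    """Translate a container UID to the host UID it really is; None if unmapped."""
    for inside, outside, length in uid_map:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def root_is_host_root(uid_map_text: str) -> bool:
    """True when UID 0 in the container is UID 0 on the host (no remapping)."""
    return host_uid_for(0, parse_uid_map(uid_map_text)) == 0


def parse_pids_max(text: str) -> Optional[int]:
    """Return the PID limit, or None when the cgroup says 'max' (unlimited)."""
    value = text.strip()
    return None if value == "max" else int(value)


def assess(uid_map_text: str, pids_max_text: str) -> dict:
    """Summarise the two container-specific risks from the raw file contents."""
    limit = parse_pids_max(pids_max_text)
    return {
        "root_is_host_root": root_is_host_root(uid_map_text),
        "pids_limit": limit,
        "fork_bomb_hits_host": limit is None,
    }


# Constructed samples: default Docker (no userns, no --pids-limit) vs remapped.
DEFAULT_UID_MAP = "         0          0 4294967295\n"
REMAPPED_UID_MAP = "         0     100000      65536\n"

if __name__ == "__main__":
    # Use the real files when present, otherwise fall back to the samples.
    uid_text = UID_MAP_PATH.read_text() if UID_MAP_PATH.exists() else DEFAULT_UID_MAP
    pids_text = PIDS_MAX_PATH.read_text() if PIDS_MAX_PATH.exists() else "max\n"
    print(assess(uid_text, pids_text))
```

Run it inside a container started with plain `docker run` and you get `root_is_host_root: True` and `fork_bomb_hits_host: True`; with userns-remap enabled and `--pids-limit` set, both flip to False. On a cgroup v1 host the pids.max path differs, which is why the script treats the path as an assumption and falls back to the sample.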

A month ago, I found someone's instance on DigitalOcean with an RCE vulnerability. This happened while I was poking around Shodan. I did a quick search for "Werkzeug Debugger", and a list of hosts with the debugger running showed up. For anyone not familiar with it, the Werkzeug Debugger is the in-browser debugger used by Flask. Flask's debug option enables an interactive Python console on the traceback page, served by the development server on localhost:5000 by default; anyone who can reach that page can execute arbitrary Python as the user the app runs as. Debug mode should never be enabled on a production server, and the console should be locked with a PIN. Some people ignore this anyway.

Here are some things you can do from the console:

>>> import os
>>> print(os.getuid())                           # which user the app runs as
>>> print(os.popen("cat .bash_history").read())  # shell history of that user
>>> print(os.popen("cat /etc/passwd").read())    # local accounts on the box

By doing so, I was able to identify the owner of the instance. It belongs to a hunting map service.
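As an added example (not from the original post), here is how to triage an HTTP response body to tell whether a host is exposing the Werkzeug debugger and, if so, whether its console is usable without the PIN. The markers are the variables Werkzeug's traceback page embeds in a script block (CONSOLE_MODE, EVALEX, EVALEX_TRUSTED and SECRET); the severity labels are my own, and the sample bodies are constructed so the script runs offline without contacting any host.

```python
"""Classify an HTTP body for Werkzeug debugger exposure.

Werkzeug's debug page ships a <script> block of the form

    var CONSOLE_MODE = false,
        EVALEX = true,
        EVALEX_TRUSTED = false,
        SECRET = "...";

EVALEX means the page accepts code to evaluate; EVALEX_TRUSTED means the
PIN check has already been passed (PIN disabled or trust cookie present),
so code runs without any prompt.
"""
import re
from dataclasses import dataclass
from typing import Optional

_MARKER = re.compile(
    r"CONSOLE_MODE\s*=\s*(true|false)\s*,\s*"
    r"EVALEX\s*=\s*(true|false)\s*,\s*"
    r"EVALEX_TRUSTED\s*=\s*(true|false)\s*,\s*"
    r'SECRET\s*=\s*"([^"]*)"'
)


@dataclass
class DebuggerExposure:
    present: bool
    console_enabled: bool = False   # EVALEX: page accepts code to evaluate
    pin_bypassed: bool = False      # EVALEX_TRUSTED: no PIN prompt before eval
    secret: Optional[str] = None    # per-process token console requests carry

    @property
    def severity(self) -> str:
        """Severity labels are the example's own, not Werkzeug's."""
        if not self.present:
            return "none"
        if self.console_enabled and self.pin_bypassed:
            return "critical"   # anyone reaching the port can run Python
        if self.console_enabled:
            return "high"       # PIN-gated, but still debug mode in production
        return "medium"         # tracebacks leak source and local variables


def classify(body: str) -> DebuggerExposure:
    """Return what the body reveals about the debugger on that host."""
    m = _MARKER.search(body)
    if m is None:
        # A debugger page with the console disabled still carries the title.
        return DebuggerExposure(present="Werkzeug Debugger" in body)
    _console_mode, evalex, trusted, secret = m.groups()
    return DebuggerExposure(
        present=True,
        console_enabled=(evalex == "true"),
        pin_bypassed=(trusted == "true"),
        secret=secret or None,
    )


# Constructed sample bodies (not captured from any real host).
EXPOSED_PIN = """<!doctype html><html><head>
<title>ZeroDivisionError: division by zero // Werkzeug Debugger</title>
<script>
  var CONSOLE_MODE = false,
      EVALEX = true,
      EVALEX_TRUSTED = false,
      SECRET = "constructedSecretToken";
</script></head><body><div class="pin-prompt">Console Locked</div></body></html>"""

EXPOSED_NO_PIN = EXPOSED_PIN.replace("EVALEX_TRUSTED = false", "EVALEX_TRUSTED = true")

TRACEBACK_ONLY = """<html><head><title>KeyError // Werkzeug Debugger</title></head>
<body><div class="traceback">...</div></body></html>"""

NOT_EXPOSED = "<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, body in [("pin", EXPOSED_PIN), ("no-pin", EXPOSED_NO_PIN),
                       ("traceback-only", TRACEBACK_ONLY), ("clean", NOT_EXPOSED)]:
        print(name, classify(body).severity)
```

Feed `classify` the body of a GET to a candidate host's error page. A "critical" result means exactly the situation described above: an open Python console on a production box. The fix on the application side is simply never to run with `debug=True` in production; the PIN only slows down an attacker who already has the page and should not be relied on as a security boundary.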

Preston T