Eran Segal - The COW (Container On Windows) Who Escaped the Silo

    Eran Segal, Security research team leader at SafeBreach

    Presentation Title: The COW (Container On Windows) Who Escaped the Silo

    Length of presentation: 45 minutes

    Demo, Tool, Exploit



    Virtualization and containers are the foundations of cloud services. Containers should be isolated from the real host’s settings to ensure the security of the host.




    In this talk we’ll answer these questions: “Are Windows process-isolated containers really isolated?” and “What can an attacker achieve by breaking the isolation?”




    Before we jump into the vulnerabilities, we’ll explain how Windows isolates the container’s processes and filesystem, and how the host prevents the container from executing syscalls that could affect the host.

    Specifically, we’ll focus on the isolation implementation in Ntoskrnl using server silos and job objects.




    We’ll compare Windows containers to Linux containers and describe the differences between their security architectural designs.

    We’ll follow the scenario of an attacker-crafted container running with low privileges. We’ll show multiple ways to escalate privileges inside the container to NT/System. After gaining NT/System permissions, we’ll describe how we escaped the container’s isolation and easily obtained a dump of the entire host’s kernel memory from within the container. If the host is configured with a kernel debugger, we can even dump the host’s Admin credentials.




    We’ll finish by demonstrating how an attacker-crafted container with low privileges can read UEFI settings and then modify them. Using this technique, an attacker can communicate between containers and, through the UEFI interface, cause a permanent Denial-of-Service (DoS) to a host running with default settings.




    SPEAKER BIO(S)

    Eran Segal is a research team leader with more than 7 years’ experience in cyber security research. Over the last three years he has been researching security projects at SafeBreach Labs, after serving in various security positions in the IDF. He specializes in research on Windows and embedded devices.


    https://www.linkedin.com/in/eran-segal-15b29a180/
