8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.004 Low
EPSS
Percentile
74.4%
A container image that extracts the underlying container runtime and sends it to a remote server. Poke at the underlying container runtime of your favorite CSP container platform!
How does it work?
As shown by runc CVE-2019-5736, traditional Linux container runtimes expose themselves to the containers they’re running through /proc/self/exe
. whoc
uses this link to read the container runtime executing it.
Dynamic Mode
This is whoc
default mode that works against dynamically linked container runtimes.
whoc
image entrypoint is set to /proc/self/exe
, and the image’s dynamic linker (ld.so
) is replaced with fake_ld
.fake_ld
obtains a file descriptor for the runtime binary by opening /proc/self/exe
, and executes upload_runtime
.upload_runtime
reads the runtime binary from /proc/self/fd/<runtime-fd>
and sends it to the configured remote server.Wait-For-Exec Mode
For statically linked container runtimes, whoc
comes in another flavor: whoc:waitforexec
.
upload_runtime
is the image entrypoint, and runs as the whoc
container PID 1.whoc
container and invoke a file pointing to /proc/self/exe
(e.g. docker exec whoc-ctr /proc/self/exe
)upload_runtime
reads the runtime binary through /proc/<runtime-pid>/exe
and sends it to the configured remote serverTry Locally
You’ll need docker
and python3
installed. Clone the repository:
$ git clone [email protected]:twistlock/whoc.git
Set up a file server to receive the extracted container runtime:
$ cd whoc
$ mkdir -p stash && cd stash
$ ln -s ../util/fileserver.py fileserver
$ ./fileserver
From another shell, run the whoc
image in your container environment of choice, for example Docker:
$ cd whoc
$ docker build -f Dockerfile_dynamic -t whoc:latest src # or ./util/build.sh
$ docker run --rm -it --net=host whoc:latest 127.0.0.1 # or ./util/run_local.sh
See that the file server received the container runtime. Since we run whoc
under vanilla Docker, the received container runtime should be runc.
--net=host
is only used in local tests so that the whoc
container could easily reach the fileserver on the host via 127.0.0.1
.
Help
Help for whoc
’s main binary, upload_runtime
:
Usage: upload_runtime [options] <server_ip>
Options:
-p, --port Port of remote server, defaults to 8080
-e, --exec Wait-for-exec mode for static container runtimes, waits until an exec to the container occurred
-b, --exec-bin In exec mode, overrides the default binary created for the exec, default is /bin/enter
-a, --exec-extra-argument In exec mode, pass an additional argument to the runtime so it won't exit quickly
-r, --exec-readdir-proc In exec mode, instead of guessing the runtime pid (which gives whoc one shot of catching the runtime),
find the runtime by searching for new processes under '/proc'
8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.004 Low
EPSS
Percentile
74.4%