Are your Docker images vulnerable to malicious hackers that can steal your source code directly from the images themselves?

At the most recent Cloud War Games Live Event I stepped aside and participated as a contestant for a change.

This means I was trying to solve the challenges just like any of the other participants. Luckily I was able to pin point the error in CloudWatch Metrics pretty quickly. The metrics pointed at an issue in code deployed inside of a running Docker image. This means I needed to get the source code and quick. The Infra Master had locked down the code in Github so how could I get it?

Play Along:

Let me know in the comments how you would have done it. Go ahead. I am curious what your solution would have been.

My Solution:

Knowing AWS CodePipeline in detail I knew I could grab a zipped copy of exactly what gets fed into CodeBuild in the form of a CodePipeline Artifact stored in S3. I changed the extension, unzipped it and sure enough the offending code stood out like a sore thumb.

Tim’s Solution:

Another participant, Tim, who was currently driving the hot seat suggested we could grab the source code from the Docker image. I laughed and told him “I would love to see how to do that” completely forgetting that I spent a good chunk of last week in an Interactive Terminal with bash access to various running Docker containers.

I was running cat and tail on files inside of docker all day chasing down various issues. In hind sight I am kicking myself for not thinking of that. But that is not what Tim did.

After thinking a bit more I could have mounted a host volume and ran a cp to send the source code out to the host for me to exploit. But that also is not what Tim did.

Tim introduced me and the other participants to docker cp. You can use this simple command to copy files from the Docker Container to the host system and vice versa. It was simple, elegant and brilliant. I’m not sure how I had never heard of this before.

Either way an amazing bit of hackery.

Security Concerns:

When you build your docker container do you store sensitive information in the ECR Image at rest? Perhaps copying in a key during the build to limit calls to AWS Secret Manager? Perhaps hard coding a .env file during the build process?

Well keep in mind if some malicious party gets access to that image or even just gets access to one of your team’s AWS creds with pull access to that ECR image then they can extract that data and use it to wreak havoc on your infrastructure.

Don’t save keys or secrets in ECS images at rest.

Question For You: How would you have extracted the source code?