zlacker

[parent] [thread] 6 comments
1. globul+(OP)[view] [source] 2025-01-05 13:57:10
> Seems like they opened up a postgres container to the Internet

Yes, but so what? Getting access to a postgres instance shouldn't allow arbitrary execution on the host.

> IIRC docker does this whether you want to or not, it punches holes in iptables without asking you

Which is only relevant if you run your computer directly connected to the internet. That's a dumb thing to do regardless. The author probably also opened their firewall or forwarded a port to the host, which Docker cannot do.

replies(3): >>echelo+w1 >>phoron+i6 >>63stac+vV
2. echelo+w1[view] [source] 2025-01-05 14:16:36
>>globul+(OP)
Also from TFA:

> it was exposed to the internet, with open ports in the router firewall

Upvoted because you're right that the comments in this thread have nothing to do with what happened here.

The story would have been no different if OP had created an Alpine Linux container and exposed SSH to the internet with SSH password authentication enabled and a weak password.

It's nothing to do with Docker's firewalling.

replies(1): >>63stac+BV
3. phoron+i6[view] [source] 2025-01-05 14:58:04
>>globul+(OP)
Are you sure about that? Last I checked pg admins had command execution on the DB host, as well as FS r/w and traversal.

See https://www.postgresql.org/docs/current/sql-copy.html#id-1.9...

Specifically the `filename` and `PROGRAM` parameters.

And that is documented expected out of the box behaviour without even looking for an exploit...

replies(1): >>63stac+UV
4. 63stac+vV[view] [source] 2025-01-05 21:46:24
>>globul+(OP)
I feel like you and grandparent are the only people who read the article, because I'm wondering the same thing.

The article never properly explains how the attack happened. Having a port exposed to the internet on any container is a remote execution vulnerability? What? How? Nobody would be using docker in that case.

The article links to a blog post as a source on the vulnerability, but the article is a general "how to secure" article, there is nothing about remote code execution.

◧◩
5. 63stac+BV[view] [source] [discussion] 2025-01-05 21:47:49
>>echelo+w1
>The story would have been no different if OP had created an Alpine Linux container and exposed SSH to the internet with SSH password authentication enabled and a weak password.

What? The story would have been VERY different, obviously that's asking for trouble. Opening a port to your database running in a docker container is not a remote execution vulnerability, or if it is, the article is failing to explain how.

◧◩
6. 63stac+UV[view] [source] [discussion] 2025-01-05 21:50:55
>>phoron+i6
It's funny that you said TFA a few comments earlier, because you seem to have not read the article either, or are making some great leaps here.

If the break in happened as you would explain the article would also mention that:

* the attacker gained access to the postgres user or equally privileged user

* they used specific SQL commands to execute code

* would have not claimed the vulnerability was about docker containers and exposed ports

And the take away would not be "be careful with exposing your home server to the internet", but would be "anyone with admin privileges to postgres is able to execute arbitrary code".

replies(1): >>phoron+RP1
◧◩◪
7. phoron+RP1[view] [source] [discussion] 2025-01-06 08:34:13
>>63stac+UV
The article would only say that if OP was competent enough to determine exactly what went wrong. I did read the article however I do not agree with the conclusions in it as simply opening a postgres port to the Internet while having set up authentication correctly, is not fatal (though admittedly inadvisable).
[go to top]