From huangkangjing@gmail.com Fri May 10 03:13:29 2024
From: Kangjing Huang <huangkangjing@gmail.com>
To: passt-user@passt.top
Subject:
 Guest namespace can access host ports via secondary interface addresses
Date: Thu, 09 May 2024 23:13:09 -0400
Message-ID:
 <CAPbmFQYeiwNw41QwRpHYDfOX_F_=nu9HeYgirN7+CefdQCRYxg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6881958711835341380=="

--===============6881958711835341380==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

Hi there,

I was tweaking around pasta and its usage with podman, and I realized
that from pasta guest namespaces it is possible to access host ports
through the address of secondary interfaces on the host.

Say I have two interfaces on host, with eth0 connecting to a gateway
and eth1 connected to another LAN:

> $ # On host
> $ ifconfig eth0
> eth0: flags=3D4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>        inet 192.168.1.2  netmask 255.255.255.0  broadcast 192.168.1.255
> ...
> $ ifconfig eth1
> eth1: flags=3D4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>        inet 192.168.110.1  netmask 255.255.255.0  broadcast 192.168.110.255
> ...
> $ ip route
> default via 192.168.1.1 dev eth0 proto dhcp src 192.168.1.2 metric 1024
> 192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.2 metric 1024
> 192.168.1.1 dev eth0 proto dhcp scope link src 192.168.1.2 metric 1024
> 192.168.110.0/24 dev eth1 proto kernel scope link src 192.168.110.1

If there is some service started on host:

> $ python -m http.server
> Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

>From a pasta namespace, it is impossible to access the host ports by
the address of the main interface:

> $ pasta --config-net
> $ # Now in pasta namespace
> $ curl 192.168.1.2:8000
> curl: (7) Failed to connect to 192.168.1.2 port 8000 after 0 ms: Couldn't c=
onnect to server

However I found that it is possible to do so by the address of the
secondary interface:

> $ # In same pasta environment as above
> $ curl 192.168.110.1:8000
> <!DOCTYPE HTML>
> <html lang=3D"en">
> ...

Is this an expected behavior? I believe this is a security escape in
the container context, since containerized services can gain access to
unintended resources.


Thanks,
Chaser Huang

--
Kangjing "Chaser" Huang

--===============6881958711835341380==--