コンテンツにスキップ

Docker Entrypoint Support in Mayhem

Oftentimes, developers will include an entrypoint script within their Docker images that performs a one-time initialization process prior to running the containerized application, such as setting up configuration items based on environment variables.

Note

Docker entrypoint scripts are commonly named docker-entrypoint.sh, but is not required to be named as such (or even be a script at all, it can just be a command). Check out the official Docker documentation for more information on ENTRYPOINT.

For this reason, Mayhem supports running commands specified as the entrypoint of a Docker image, allowing this initialization process to occur prior to fuzzing during a Mayhem run.

Enabling Docker Entrypoint in Mayhem

In order to instruct Mayhem to run an available entrypoint script for a Docker image, you will need to first perform the following:

  1. Confirm that the target Docker image has an entrypoint set with:

    docker image inspect <IMAGE_NAME>

    Which should return similar output to the following:

    ...
"Entrypoint": [
    "docker-entrypoint.sh"
]
...

    Tips

    • Check out the official documentation on the docker image inspect command for more information on inspecting a Docker image's details.
    • Don't have a Docker image set up yet and are currently building one using a Dockerfile? Check out how to set up an ENTRYPOINT and CMD and how these two interact (you must have at least one).

  2. Add MFUZZ_DOCKER_ENTRYPOINT: “1” to the env section of your Mayhemfile for the specified Docker image.

  3. Ensure that your cmd in your Mayhemfile refers to the actual target (ELF binary) you wish to test.

For example, if we were testing the redis Docker image, we would set MFUZZ_DOCKER_ENTRYPOINT: “1” and ensure that the cmd in the Mayhemfile is set to redis. This would ensure that we run the commands inside of the entrypoint script prior to testing the actual redis binary.

Warning

Currently, only uninstrumented targets are supported. If your target disallows running as the root user (as is the case with redis), ensure that uid and gid are properly set inside the Mayhemfile as dropping privileges from the entrypoint script is not currently supported. You can see how this is done in the next example.

Testing redis with Docker Entrypoint Enabled

Redis is an open source in-memory data structure store that can be used as a database, cache, and message broker. In order to begin testing the redis Docker image, run the following:

docker pull redis

Note

This will pull the latest docker image for redis found in the Docker Hub public registry.

Once downloaded, execute the following commands to view the details of the redis docker image:

docker image inspect redis

Locate the Entrypoint configuration and verify that a docker-entrypoint.sh is set for the redis docker image. Your output should look similar to the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
[
    {
        "Id": "sha256:eb0ab2d55fdfc3ba4226348749a2f34af13a280a44c8045aefd9506fe064b297",
        "RepoTags": [
            "redis:latest"
        ],
        "RepoDigests": [
            "redis@sha256:f29bcfb891678a0c6a0fc5da0b32ce1ac685af87c0f3aa9327e562da8d3f3b88"
        ],
        "Parent": "",
        "Comment": "",
        "Created": "2021-02-09T17:03:48.239304262Z",
        "Container": "215801b81e7e9e85da0ef895c44ccb19d9358a81281ab5eb9901734426ddf918",
        "ContainerConfig": {
            "Hostname": "215801b81e7e",
            "Domainname": "",
            "User": "",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "6379/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "GOSU_VERSION=1.12",
                "REDIS_VERSION=6.0.10",
                "REDIS_DOWNLOAD_URL=http://download.redis.io/releases/redis-6.0.10.tar.gz",
                "REDIS_DOWNLOAD_SHA=79bbb894f9dceb33ca699ee3ca4a4e1228be7fb5547aeb2f99d921e86c1285bd"
            ],
            "Cmd": [
                "/bin/sh",
                "-c",
                "#(nop) ",
                "CMD [\"redis-server\"]"
            ],
            "Image": "sha256:4f476f1fb03679874507de714684b729cec4f5084b1d6ea9084ee352a23512cf",
            "Volumes": {
                "/data": {}
            },
            "WorkingDir": "/data",
            "Entrypoint": [
                "docker-entrypoint.sh"
            ],
            ...

Great! Now that you've verified that an entrypoint is set for the redis docker image, create a Mayhemfile and set the following parameters:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
project: redis
target: redis-entrypoint
image: redis
advanced_triage: false
uid: 999
gid: 999
cmds:
  - cmd: redis-server
    env:
      MFUZZ_DOCKER_ENTRYPOINT: "1"
    network:
      url: tcp://localhost:6379
      client: false
      timeout: 5.0

Note

As indicated above, redis requires that we set the uid and gid parameters to preserve root privileges.

Lastly, simply execute the Mayhem run for the redis docker image by running the following command within the same directory as the aforementioned Mayhemfile:

mayhem run .

Important

You will need to perform a mayhem login to validate your credentials with your Mayhem instance prior to executing a Mayhem run.

And that's it! Your Mayhem run for the redis docker image should now be up and running! Nice job!

redis-entrypoint

Summary

By understanding how to enable entrypoint support in Mayhem, you should be able to more effectively fuzz your Docker images and their containerized applications.