As you know,
docking services are booming, docking container attacks are also on the
rise.But this post will illustrate how the intruder is trying to compromise the
docker API due to a weak setup.
Table
of content
·
Docker architecture
·
Enable
Docker API for Remote connection
·
Abusing
Docker API
Docker Architecture
Docker uses a
client-server architecture, the main components of the docker are:
docker-daemon, docker-CLI and API.
Docker
Daemon: Use manage docker object such as network,
volume, docker image & container.
Docker CLI: A command line interface used to execute the command to pull, run
and build the docker image.
Docker
API: It is a kind of interface used between Daemon
and CLI to communicate with each other through unix or tcp socket.
As we know
the usage of docker service in any organisation at their boom because it has reduced
efforts of developer in host in the application within their infrastructure. When
you install docker on a host machine, the daemon and CLI communicate with each
other through Unix Socket that represent a loopback address. If you want to
access the docker application externally, then bind the API over a TCP port.
The time you
allow the docker API to be accessed over TCP connection through ports such as
2375, 2376, 2377 that means a docker CLI which is running outside the host
machine will be able to access the docker daemon remotely.
The attacker always checks for such type of port using
Shodan, they try to connect with docker remotely in order to exploit the docker
daemon. Their several dockers application listening over port 2375 for remote
connection.
Enable Docker API for Remote connection
Initially you
can observe that the target host does not have any port open for docker service,
when we used nmap port scan for 192.168.0.156 which is the IP of the host
machine where docker application is running.
At host machine we try to identify a
process for docker, as we have mentioned above by default it runs over Unix
sockets.
ps -ef |grep docker
Now modify the configuration for REST
API in order to access the docker daemon externally.
Make the changes as highlight in the
image with the help of following commands.
nano /lib/systemd/system/docker.service
Modify as: -H=tcp://0.0.0.0:2375
systemctl daemon-reload
service docker restart
Now, if you will explore the docker
process, you will notice the change.
Abusing Docker API
Now attacker always looks for such network
IP where docker is accessible through API over 2375/tcp port in order to establish
a remote connection with the docker application. As you can see, we try to scan
host machine to identify open port for docker API using nmap port scan.
nmap -p- 192.168.0.156
Once the port is open and accessible, you
can try to connect with docker daemon on the target machine. But for this you
need to install a docker on your local machine too. So, we have installed docker on Kali Linux as
well as we docker running on our target machine too. Now to ensure that we can access docker daemon
remotely, we execute following command to identify the installed docker
version.
Syntax: docker -H :
docker -H 192.168.0.156:2375 version
Further we try to enumerate the docker
images running on the remote machine
docker -H 192.168.0.156:2375 images
Similarly, we try to identify the process
for running container with the help of the following command, so that we can
try to access the container remotely.
docker -H 192.168.0.156:2375 ps -a
docker -H 192.168.0.156:2375 exec -it
/bin/bash
Thus, in this way the weak configured API
which is exposed for external connection can be abused an attack. This could
result in container hijacking or an attacker can hide the persistence threat
for reverse connection. Also, if the installed version of docker is exploitable
against container escape attack, then, the attack can easily compromise whole
host machine and try to obtain the root access of main machine (host).
0 comments:
Post a Comment