For this week's TTP Tuesday, we're providing a Docker privilege escalation. These TTPs demonstrate how to elevate privilege from within a container by abusing a Docker daemon that is exposed on a TCP port. If the daemon is vulnerable, an attacker may be able to spawn a root shell on the host system.
The Docker daemon ( dockerd ) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services.
Docker Engine API queries may be received by the Docker daemon over three distinct types of socket: unix, tcp, and fd. By default, a TCP listener accepts unencrypted and unauthenticated direct connections to the Docker daemon. It is customary to use port 2375 for unencrypted communication with the daemon and port 2376 for encrypted communication.
To exploit this misconfiguration, an attacker can create a Docker container with the host's / path mounted read/write inside the container and use chroot to escape the container jail, all through the unprotected TCP socket (2375/tcp, or possibly 2376/tcp when TLS is enabled without client-certificate verification).
Note that this is not a vulnerability in Docker code, but rather a common security misconfiguration of the Docker daemon.
Run the "Is my Docker daemon vulnerable to privilege escalation?" chain on each Docker container in your environment to test whether you are vulnerable.
The chain tests if your Docker daemon is bound on TCP and then attempts to exploit it to gain root privileges on the host.
The recommended remediation is to not bind the Docker daemon over TCP.
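As an added illustration of the first step of that chain (this is example code written for this post, not Prelude's chain or Docker's own tooling), the script below checks a host for a TCP-bound Docker daemon in two ways: by parsing `ss -ltnp` output for a `dockerd` TCP listener, and by reading the `hosts`, `tls` and `tlsverify` keys of `/etc/docker/daemon.json`. Both inputs below are constructed samples, not captured from a real host.

```python
import json
import re

# Constructed sample of `ss -ltnp` output. The first listener is what a
# daemon started with -H tcp://0.0.0.0:2375 looks like; the sshd line is noise.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*        users:(("dockerd",pid=812,fd=7))
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*        users:(("sshd",pid=400,fd=3))
"""

# Constructed daemon.json files. "hosts", "tls" and "tlsverify" are real dockerd keys.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"], "tls": false}'
HARDENED_DAEMON_JSON = (
    '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"], '
    '"tls": true, "tlsverify": true, "tlscacert": "/etc/docker/ca.pem", '
    '"tlscert": "/etc/docker/server-cert.pem", "tlskey": "/etc/docker/server-key.pem"}'
)

# Matches one LISTEN row: local address, port and the owning process name.
SS_LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def dockerd_tcp_listeners(ss_output):
    """Return (address, port) pairs on which dockerd has a TCP listener."""
    found = []
    for line in ss_output.splitlines():
        m = SS_LINE.match(line)
        if m and m.group(3) == "dockerd":
            found.append((m.group(1), int(m.group(2))))
    return found


def daemon_json_findings(config_text):
    """Return one finding per tcp:// host in daemon.json.

    A TCP host without tlsverify is rated critical: anyone who can reach the
    port gets unauthenticated root-equivalent control of the host. With
    tlsverify the listener still widens the attack surface, so it is flagged
    at medium severity for review rather than silently accepted.
    """
    cfg = json.loads(config_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for host in cfg.get("hosts", []):
        if host.startswith("tcp://"):
            severity = "medium" if tls_verify else "critical"
            findings.append({"host": host, "tlsverify": tls_verify, "severity": severity})
    return findings
```

On a real host, feed `dockerd_tcp_listeners` the output of `ss -ltnp` and `daemon_json_findings` the contents of `/etc/docker/daemon.json`; an empty result from both means the daemon is reachable only over its unix socket.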
Check out the TTP Is my Docker daemon vulnerable to privilege escalation? on the Prelude chains website.
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg