Is my Docker daemon vulnerable to privilege escalation?

An unprivileged attacker who can reach an unprotected Docker TCP socket (2375/tcp, or 2376/tcp with TLS but without TLS client authentication) can create a container with the host's '/' path mounted read/write and then use chroot to escape the container jail onto the host running the daemon.
This week, we are releasing a Docker container escape TTP:
  • Is my Docker daemon vulnerable to privilege escalation?

For this week's TTP Tuesday, we're providing a Docker privilege escalation chain. These TTPs demonstrate how to elevate privilege from within a container by abusing a Docker daemon that is bound to a TCP port. If a host is vulnerable, an attacker may be able to spawn a root shell on the host system.

The Docker daemon (dockerd) listens for Docker API requests and manages Docker objects such as images, containers, networks, and volumes. A daemon can also communicate with other daemons to manage Docker services.

The Docker daemon can receive Docker Engine API requests over three socket types: unix, tcp, and fd. The default configuration allows unencrypted and unauthenticated direct connections to the Docker daemon. By convention, port 2375 is used for unencrypted communication with the daemon and port 2376 for encrypted communication.

To exploit this misconfiguration, an attacker connects to the unprotected TCP socket (2375/tcp, or 2376/tcp with TLS but without TLS client authentication), creates a container with the host's / path mounted read/write, and uses chroot to escape the container jail onto the host running the daemon.

Note that this is not a vulnerability in Docker's code, but rather a common security misconfiguration of the Docker daemon.
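As an added, defender-side example (not part of the original post and not Prelude's chain), the following Python script audits a daemon's configured listeners for the misconfiguration described above: it reads the `hosts`, `tls` and `tlsverify` settings from daemon.json or from a running dockerd command line and flags TCP listeners that are unencrypted or that do not verify client certificates. The sample configuration it checks is constructed.

```python
"""Audit a Docker daemon's listeners for the TCP-without-client-auth misconfiguration.
Added example for this post (not Prelude's chain); daemon.json keys and dockerd
flags (-H/--host, --tls, --tlsverify) are real, the sample inputs are constructed."""
import json
from urllib.parse import urlsplit

DEFAULT_HOSTS = ["unix:///var/run/docker.sock"]  # Linux default when "hosts" is unset

def classify_listener(host, tls=False, tlsverify=False):
    """Return (host, port, risk) for one -H/hosts entry.
    risk: 'local' (unix:// or fd://), 'unencrypted' (plain tcp, the 2375 case),
    'no-client-auth' (TLS but any client accepted, 2376 without tlsverify),
    'ok' (TLS with client certificates verified)."""
    u = urlsplit(host if "://" in host else "tcp://" + host)  # bare host:port means tcp
    if u.scheme != "tcp":
        return host, None, "local"
    tls = tls or tlsverify                      # --tlsverify implies --tls
    port = u.port if u.port is not None else (2376 if tls else 2375)  # dockerd defaults
    if not tls:
        risk = "unencrypted"
    elif not tlsverify:
        risk = "no-client-auth"
    else:
        risk = "ok"
    return host, port, risk

def audit_daemon_json(text):
    """Audit the JSON text of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    tls, tlsverify = bool(cfg.get("tls")), bool(cfg.get("tlsverify"))
    return [classify_listener(h, tls, tlsverify) for h in cfg.get("hosts", DEFAULT_HOSTS)]

def audit_dockerd_argv(argv):
    """Audit a running dockerd command line (e.g. from ps): -H/--host, --tls, --tlsverify."""
    hosts, flags, it = [], {"--tls": False, "--tlsverify": False}, iter(argv)
    for arg in it:
        name, _, value = arg.partition("=")
        if name in ("-H", "--host"):
            hosts.append(value or next(it))
        elif name in flags:                     # bare flag is true, --flag=false is false
            flags[name] = value.lower() != "false" if value else True
    return [classify_listener(h, flags["--tls"], flags["--tlsverify"]) for h in hosts or DEFAULT_HOSTS]

def exposed(findings):
    """Listeners a remote client could drive without presenting a client certificate."""
    return [f for f in findings if f[2] in ("unencrypted", "no-client-auth")]

if __name__ == "__main__":
    SAMPLE = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'  # constructed
    for host, port, risk in exposed(audit_daemon_json(SAMPLE)):
        print(f"{host} (port {port}): {risk}")
```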

Testing

Execute Operator's "Is my Docker daemon vulnerable to privilege escalation?" chain on each Docker host in your environment to test whether you are vulnerable.

The chain tests if your Docker daemon is bound on TCP and then attempts to exploit it to gain root privileges on the host.

Remediation

The recommended remediation is not to bind the Docker daemon to a TCP port at all. Where remote access over TCP is unavoidable, require TLS with client-certificate verification (tlsverify), since TLS alone without client authentication still leaves the daemon open to anyone who can reach the port.

Check out the TTP "Is my Docker daemon vulnerable to privilege escalation?" on the Prelude chains website.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Octavia: https://twitter.com/VVX7
Waseem: https://twitter.com/gerbsec

Source: https://feed.prelude.org
TTPs in this chain:
  • Is the Docker daemon bound to an unprotected TCP port?
  • Is this host vulnerable to privilege escalation through an unprotected Docker daemon?