-
Notifications
You must be signed in to change notification settings - Fork 543
Exploit: docker api pwn
cdxy edited this page Feb 8, 2021
·
1 revision
Docker Remote API(port 2375) has no authorization designed to listen local addresses only, expose this port will cause RCE. In this exploit first we connect Docker API then we send requests to let dockerd
pull image and create a container which has /host
mounted all host filesystems, then you can execute cmd inside the container and write payloads to host filesystem(e.g. /etc/crontab) to escape.
攻击Docker API 2375未授权访问漏洞,控制宿主机的dockerd创建一个新容器,并挂在宿主机根目录/
到容器内部/host
,然后执行用户输入的指令来篡改宿主机的文件,比如可以写/etc/crontab来搞定宿主机。
./cdk run docker-api-pwn <sock_path> <shell_cmd>
./cdk run docker-api-pwn http://127.0.0.1:2375 "touch /host/tmp/docker-api-pwn"