Tags
K8s
ATT&CK Tactic
Initial Access (TA0001)
Incidents
Tech
References
Last edited
May 19, 2024 9:41 AM
Status
Stub
Defenses
In the case of the Kiss-a-Dog campaign, this was the initial access vector. The gap between the exposed socket and the initial payload download is not described, but my guess is that it is the deployment of a malicious container that runs the script on start.
An exposed Docker socket is an extremely bad practice because the socket has no authentication of its own. As such, any bad actor who can reach the socket can perform the following actions:
- List running containers
- Create a container
- Execute code within the created container
- Escape to the host from the created container
As such, an exposed Docker socket is one trivial hop away from host RCE.
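As an added example (not part of the original stub), a small Python audit that reads the two places a dockerd TCP listener is normally configured, the `hosts` key of `/etc/docker/daemon.json` and `-H` flags on the `ExecStart=` line of its systemd unit, and reports `tcp://` listeners that lack TLS client verification. The configuration strings below are constructed samples; `tlsverify` and `--tlsverify` are real dockerd options.

```python
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample inputs (not taken from any real host).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
SAMPLE_EXECSTART = ("ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 "
                    "--containerd=/run/containerd/containerd.sock")

# urlsplit().hostname for a bind on every interface: None for "tcp://:2375".
WILDCARD_BINDS = {None, "0.0.0.0", "::"}


def listeners_from_daemon_json(text):
    """Return (hosts, tlsverify) from a daemon.json document."""
    cfg = json.loads(text)
    return list(cfg.get("hosts", [])), bool(cfg.get("tlsverify", False))


def listeners_from_execstart(line):
    """Return (hosts, tlsverify) from the ExecStart= line of a dockerd unit."""
    args = shlex.split(line.split("=", 1)[1])
    hosts, tlsverify, i = [], False, 0
    while i < len(args):
        arg = args[i]
        if arg in ("-H", "--host") and i + 1 < len(args):
            hosts.append(args[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def exposed_tcp_listeners(hosts, tlsverify):
    """Return the tcp:// listeners that accept unauthenticated API calls.

    unix:// and fd:// listeners are gated by filesystem permissions, so they
    are skipped. A tcp:// listener is a finding unless TLS client verification
    is on; a wildcard bind is called out because it is reachable from the network.
    """
    findings = []
    for host in hosts:
        parts = urlsplit(host)
        if parts.scheme != "tcp" or tlsverify:
            continue
        where = "all interfaces" if parts.hostname in WILDCARD_BINDS else parts.hostname
        findings.append(f"{host}: Docker API without TLS client auth on {where}")
    return findings
```

Run it against the real `daemon.json` and `systemctl cat docker` output on a host; an empty result from both sources means the daemon is only reachable through the unix socket.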