From 4a70bb80ca6b2a95c9c1c2286f774a7cf7a64227 Mon Sep 17 00:00:00 2001
From: Arm!tage
Date: Mon, 25 Dec 2023 11:08:11 +0800
Subject: [PATCH 1/9] add docker daemon exposed via http
---
 http/exposures/docker-daemon-exposed.yaml | 51 +++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 http/exposures/docker-daemon-exposed.yaml
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
new file mode 100644
index 0000000000..e9601013b9
--- /dev/null
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -0,0 +1,51 @@
+id: docker-daemon-exposed
+
+info:
+ name: Docker Daemon Exposed
+ author: Arm!tage
+ severity: critical
+ description: |
+ Docker Daemon exposed on the network map can help remote attacker to gain access to the Docker containers and potentially the host system.
+ metadata:
+ max-request: 1
+ shodan-query: port:2375 product:"docker"
+ fofa-query: app="docker-Daemon" && port="2375"
+ verified: true
+ tags: docker,exposure
+
+http:
+ - raw:
+ - |
+ GET /version HTTP/1.1
+ Host: {{Hostname}}
+
+ - |
+ GET /v{{version}}/containers/json HTTP/1.1
+ Host: {{Hostname}}
+
+ matchers-condition: or
+ matchers:
+ - type: word
+ part: body
+ words:
+ - "Id"
+ - "Names"
+ - "Image"
+ - "Command"
+ - "PrivatePort"
+ - "PublicPort"
+ condition: and
+ - type: word
+ part: body
+ words:
+ - '[]'
+
+
+ extractors:
+ - type: regex
+ name: version
+ group: 1
+ regex:
+ - '"ApiVersion":"(.*?)"'
+ internal: true
+
From 652b67b88a8f074b6f98c29b3dd148c8aeb1a300 Mon Sep 17 00:00:00 2001
From: Arm!tage
Date: Mon, 25 Dec 2023 11:31:03 +0800
Subject: [PATCH 2/9] fix syntax
---
 http/exposures/docker-daemon-exposed.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index e9601013b9..b313542011 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
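Review bot: `max-request: 1` under `metadata` does not match the template, which sends two raw requests (`/version`, then `/v{{version}}/containers/json`), so it should read `max-request: 2`; the second request also reads container metadata from the target, which the description should say so users know the check goes beyond a banner grab. The description line is hard to parse; suggested wording: `A Docker daemon API reachable without authentication over the network lets a remote attacker control the containers and potentially the host.` The matcher block in this hunk is reworked by later patches in the series, so the note is limited to the `info` section.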
@@ -15,13 +15,13 @@ info: http: - raw: - - | - GET /version HTTP/1.1 - Host: {{Hostname}} + - | + GET /version HTTP/1.1 + Host: {{Hostname}} - - | - GET /v{{version}}/containers/json HTTP/1.1 - Host: {{Hostname}} + - | + GET /v{{version}}/containers/json HTTP/1.1 + Host: {{Hostname}} matchers-condition: or matchers:
From 051c0f22b3a71c5b6832fef166e12f553186319c Mon Sep 17 00:00:00 2001
From: Arm!tage
Date: Mon, 25 Dec 2023 11:35:22 +0800
Subject: [PATCH 3/9] remove blank
---
 http/exposures/docker-daemon-exposed.yaml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index b313542011..ea9cfd6c0e 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -18,7 +18,7 @@ http: - | GET /version HTTP/1.1 Host: {{Hostname}} - + - | GET /v{{version}}/containers/json HTTP/1.1 Host: {{Hostname}}
@@ -40,7 +40,6 @@ http: words: - '[]' - extractors: - type: regex name: version
@@ -48,4 +47,3 @@ http: regex: - '"ApiVersion":"(.*?)"' internal: true -
From 9ecd7d5a4725f1174937173b492c205b850b45c4 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Mon, 25 Dec 2023 23:03:42 +0530
Subject: [PATCH 4/9] minor update
---
 http/exposures/docker-daemon-exposed.yaml | 10 +++-------
 1 file changed, 3 insertions(+), 7 deletions(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index ea9cfd6c0e..d8be8351a2 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -11,7 +11,7 @@ info: shodan-query: port:2375 product:"docker" fofa-query: app="docker-Daemon" && port="2375" verified: true - tags: docker,exposure + tags: docker,exposure,misconfig http: - raw:
@@ -23,10 +23,10 @@ http: GET /v{{version}}/containers/json HTTP/1.1 Host: {{Hostname}} - matchers-condition: or + matchers-condition: and matchers: - type: word - part: body + part: body_2 words: - "Id" - "Names"
@@ -35,10 +35,6 @@ http: - "PrivatePort" - "PublicPort" condition: and - - type: word - part: body - words: - - '[]' extractors: - type: regex
From 3115271e9fbfeac3c952010515ed0f69e75b8535 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 26 Dec 2023 07:58:10 +0530
Subject: [PATCH 5/9] additional matcher with or condition
---
 http/exposures/docker-daemon-exposed.yaml | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index d8be8351a2..bd264d57f2 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -23,7 +23,7 @@ http: GET /v{{version}}/containers/json HTTP/1.1 Host: {{Hostname}} - matchers-condition: and + matchers-condition: or matchers: - type: word part: body_2
@@ -36,6 +36,14 @@ http: - "PublicPort" condition: and + - type: word + part: body_2 + words: + - '[]' + - '"ImageID": + - '"HostConfig":' + condition: and + extractors: - type: regex name: version
From def6cc9a4a29684d6717421b5388607099eaf966 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Tue, 26 Dec 2023 07:59:22 +0530
Subject: [PATCH 6/9] Update docker-daemon-exposed.yaml
---
 http/exposures/docker-daemon-exposed.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index bd264d57f2..1442d6c668 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -40,7 +40,7 @@ http: part: body_2 words: - '[]' - - '"ImageID": + - '"ImageID":' - '"HostConfig":' condition: and
From 71410961884a22bc5dd81b89608a7b96083e3952 Mon Sep 17 00:00:00 2001
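Review bot: `part: body_2` (and, in patch 9 at the end of this series, `body_1`/`body_2`/`status_code_2` inside the DSL) selects a response by its `_N` suffix, and nuclei releases that only honour those suffixes when `req-condition: true` is set on the request would not evaluate this matcher against the second response as intended. If the engine version this repository targets still needs it, add `req-condition: true` alongside `raw:`; if it does not, a one-line comment above `matchers:` saying that suffixed parts are enabled automatically would spare the next reader the same question. The `http` block this hunk edits starts outside the hunk.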
From: Dhiyaneshwaran
Date: Tue, 26 Dec 2023 08:01:41 +0530
Subject: [PATCH 7/9] lint fix
---
 http/exposures/docker-daemon-exposed.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index 1442d6c668..b0f94be1b1 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -43,7 +43,7 @@ http: - '"ImageID":' - '"HostConfig":' condition: and - + extractors: - type: regex name: version
From 346a5b3546b0decc0988c37fe5f5867ececcefcf Mon Sep 17 00:00:00 2001
From: Arm!tage <48816467+Arrnitage@users.noreply.github.com>
Date: Wed, 27 Dec 2023 10:20:29 +0800
Subject: [PATCH 8/9] Update docker-daemon-exposed.yaml
---
 http/exposures/docker-daemon-exposed.yaml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index b0f94be1b1..152f9daaf0 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -40,8 +40,6 @@ http: part: body_2 words: - '[]' - - '"ImageID":' - - '"HostConfig":' condition: and extractors:
From 3373976e28f2efdb4bb0d1083fec0747ee22e977 Mon Sep 17 00:00:00 2001
From: pussycat0x <65701233+pussycat0x@users.noreply.github.com>
Date: Wed, 27 Dec 2023 13:15:53 +0530
Subject: [PATCH 9/9] dsl - update
---
 http/exposures/docker-daemon-exposed.yaml | 23 ++++++-----------------
 1 file changed, 6 insertions(+), 17 deletions(-)
diff --git a/http/exposures/docker-daemon-exposed.yaml b/http/exposures/docker-daemon-exposed.yaml
index 152f9daaf0..e62b53f228 100644
--- a/http/exposures/docker-daemon-exposed.yaml
+++ b/http/exposures/docker-daemon-exposed.yaml
@@ -23,23 +23,12 @@ http: GET /v{{version}}/containers/json HTTP/1.1 Host: {{Hostname}} - matchers-condition: or matchers: - - type: word - part: body_2 - words: - - "Id" - - "Names" - - "Image" - - "Command" - - "PrivatePort" - - "PublicPort" - condition: and - - - type: word - part: body_2 - words: - - '[]' + - type: dsl + dsl: + - 'status_code_2 == 200' + - 'contains(body_1, "ApiVersion") && contains(body_1, "GitCommit") && contains(body_1, "GoVersion") && contains(body_1, "KernelVersion")' + - 'contains(body_2, "Id") && contains(body_2, "Names") && contains(body_2, "Image") && contains(body_2, "Command") && contains(body_2, "PrivatePort") && contains(body_2, "PublicPort") || contains(body_2, "[]")' condition: and extractors:
@@ -48,4 +37,4 @@ http: group: 1 regex: - '"ApiVersion":"(.*?)"' - internal: true + internal: true
\ No newline at end of file
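Review bot: The third DSL expression mixes `&&` and `||` without parentheses, so it is only operator precedence that makes it `(all six container-list keys) || contains(body_2, "[]")`; make the grouping explicit, e.g. `- '(contains(body_2, "Id") && contains(body_2, "Names") && contains(body_2, "Image") && contains(body_2, "Command") && contains(body_2, "PrivatePort") && contains(body_2, "PublicPort")) || contains(body_2, "[]")'`. The `[]` alternative presumably accepts a daemon that has no containers, and a short comment above `- type: dsl` saying so would record why a bare empty array is treated as a positive result. The second hunk of this patch also drops the file's trailing newline (`\ No newline at end of file`), undoing the whitespace cleanup from patches 3 and 7; the `http` block continues outside this hunk.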