-
Notifications
You must be signed in to change notification settings - Fork 3
/
http-docker-rapi.nse
executable file
·96 lines (76 loc) · 2.87 KB
/
http-docker-rapi.nse
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
local http = require "http"
local shortport = require "shortport"
local stdnse = require "stdnse"
description = [[
An attacker can start containers with malicious images, allowing
the execution of commands with root permissions.
"The Engine API is an HTTP API served by Docker Engine. It is the
API the Docker client uses to communicate with the Engine, so
everything the Docker client can do can be done with the API."
There is no default port for this service
https://pyperanger.github.io/2018/01/18/docker-api/
https://docs.docker.com/engine/api/v1.24/
]]
--@usage
-- nmap --script http-docker-rapi -sV <target>
--@output
--PORT STATE SERVICE REASON VERSION
--4243/tcp open http syn-ack ttl 64 Golang net/http server
--| docker:
--| references:
--| https://pyperanger.github.io/2018/01/18/docker-api/
--| https://docs.docker.com/engine/api/v1.24/
--| description: An attacker can start containers with malicious images, allowing
--| the execution of commands with root permissions.
--| "The Engine API is an HTTP API served by Docker Engine. It is the
--| API the Docker client uses to communicate with the Engine, so
--| everything the Docker client can do can be done with the API."
--|
--| Server /version: {"Version":"1.12.6"
--| "ApiVersion":"1.24"
--| "GitCommit":"ae7d637/1.12.6"
--| "GoVersion":"go1.7.6"
--| "Os":"linux"
--| "Arch":"amd64"
--| "KernelVersion":"4.4"
--| "BuildTime":"2017-07-18T16:18:12.179285019+00:00"
--| "PkgVersion":"docker-common-1.12.6-7.gitae7d637.fc25.x86_64"}
--|
--| risk_factor: High
--|_ title: Docker API Remote Privilege Escalation
author = "pype"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = { "vuln", "safe" }
portrule = shortport.http
action = function(host, port)
local response = http.generic_request(host, port,"OPTIONS", "/")
version = {}
local vuln = {
title = "Docker API Remote Privilege Escalation",
risk_factor = "High",
description = [[
An attacker can start containers with malicious images, allowing
the execution of commands with root permissions.
"The Engine API is an HTTP API served by Docker Engine. It is the
API the Docker client uses to communicate with the Engine, so
everything the Docker client can do can be done with the API."
]],
references = {
'https://pyperanger.github.io/2018/01/18/docker-api/',
'https://docs.docker.com/engine/api/v1.24/'
}
}
if response.status == 200 and string.match(response.header["server"], "Docker") then
gver = http.get(host, port, "/version")
version["Server /version"] = gver.body:gsub(",","\n\t")
else
return
end
local res_unauth = http.get(host, port, "/images/search?term=ubuntu")
if res_unauth.status == 200 then
vuln["Server /version"] = gver.body:gsub(",","\n\t")
return vuln
else
return version
end
end