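Related vulnerability
Title:
Docker Desktop security vulnerability
(CVE-2025-9074)
Description: Docker Desktop is a desktop application from the US company Docker, built on container technology, for lightweight application deployment. It provides a desktop environment for creating a container (lightweight virtual machine) on Linux, Windows and Mac OS, deploying and running applications in it, and automating application installation, deployment and upgrades through configuration files. Docker Desktop has a security vulnerability: local Linux containers can access the Docker Engine API, which may lead to the execution of privileged commands.
Description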
Proof-of-Concept exploit for CVE-2025-9074 - Unauthenticated Docker API exposure allowing arbitrary container creation and host filesystem access.
Introduction
# CVE-2025-9074 - Docker API Unauthenticated Access PoC
## 📌 Overview
This repository provides a Proof-of-Concept (PoC) exploit for **CVE-2025-9074**, which involves unauthenticated exposure of the Docker Engine API on TCP port `2375`.
An attacker who can access this exposed API can:
- Interact with the Docker daemon without authentication.
- Pull arbitrary images.
- Create and run containers with **bind mounts to the host filesystem**, resulting in host compromise.
---
## ⚠️ Legal Disclaimer
This PoC is released **for educational and authorized security testing purposes only**.
Unauthorized exploitation of systems is illegal and unethical.
Use this PoC only on environments you **own** or have **explicit permission** to test.
---
## 🧪 Vulnerability Details
- **CVE ID:** [CVE-2025-9074](https://nvd.nist.gov/vuln/detail/CVE-2025-9074)
- **Affected Component:** Docker Engine API (TCP)
- **Default Port:** `2375`
- **Attack Type:** Remote, unauthenticated
- **Impact:** Full host filesystem access via malicious container
---
## 🛠️ Requirements
- Python 3.x
- `requests` library
Install dependencies:
```bash
pip install requests
```
---
## 🧰 Local Testing Setup
If you're testing this PoC on your local machine, make sure the Docker API is exposed over TCP without TLS.
On **Docker Desktop**, follow these steps:
1. Open **Docker Desktop**.
2. Go to **Settings → General**.
3. Scroll down to **"Expose daemon on tcp://localhost:2375 without TLS"**.
4. ✅ Check this option.
5. Click **Apply & Restart**.
⚠️ **Warning:** This option disables authentication on the Docker API.
Any local or remote attacker who can reach `localhost:2375` can control your Docker daemon.
Only enable this in isolated testing environments — **never in production**.
Once enabled, you can verify with:
```bash
curl http://127.0.0.1:2375/info
```
If the API responds with JSON containing `"ServerVersion"`, then the daemon is exposed correctly.
---
## 🚀 Usage
```bash
# Clone this repository
git clone https://github.com/<your-username>/CVE-2025-9074-POC.git
cd CVE-2025-9074-POC
# Run the PoC
python3 poc_cve_2025_9074.py <target_ip>:2375
```
If no target is provided, the script will prompt for input and default to `127.0.0.1:2375`.
---
## 🧰 PoC Steps
1. **Check API availability**
Confirms if the Docker API responds to `/info`.
2. **Pull `alpine` image**
Ensures the required base image is available.
3. **Prepare malicious container payload**
Creates a container with host filesystem bind-mounted at `/mnt`.
4. **Create the container**
Sends a container creation request.
5. **Start the container**
Container is started, providing access to the host filesystem.
6. **Post-exploitation**
Example:
```bash
docker exec -it <container_id> sh
ls /mnt
```
---
## 🧠 Mitigation
* **Disable** `Expose daemon on tcp://localhost:2375 without TLS` in Docker Desktop after testing.
* Use **TLS certificates** if remote API exposure is required.
* **Restrict network access** to the Docker daemon (port 2375) using firewall rules.
* Consider using service mesh / network policies to limit exposure.
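
To spot a container like the one PoC step 3 describes (host filesystem bind-mounted into the container), the following added example, which is not part of this repository's PoC script, audits `docker inspect` output for bind mounts of sensitive host paths. The sample JSON, the container names and the `SENSITIVE_PREFIXES` list are constructed assumptions.

```python
import json

# Host paths treated as sensitive in this example (an assumed list; extend it
# for your environment). "/" is the host-root mount from PoC step 3.
SENSITIVE_PREFIXES = ("/etc", "/root", "/var/run/docker.sock")

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE_INSPECT = json.loads("""
[
  {"Id": "aaaa1111", "Name": "/web",
   "Mounts": [{"Type": "bind", "Source": "/srv/site",
               "Destination": "/usr/share/nginx/html", "RW": false}]},
  {"Id": "bbbb2222", "Name": "/suspicious",
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": true}]},
  {"Id": "cccc3333", "Name": "/db",
   "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/db/_data",
               "Destination": "/var/lib/postgresql/data", "RW": true}]},
  {"Id": "dddd4444", "Name": "/agent",
   "Mounts": [{"Type": "bind", "Source": "/etc/ssh/", "Destination": "/cfg", "RW": false}]}
]
""")


def is_sensitive(source):
    """True for the host root itself or anything at/under a sensitive prefix."""
    src = source.rstrip("/") or "/"  # "/etc/ssh/" -> "/etc/ssh", "/" stays "/"
    return src == "/" or any(
        src == p or src.startswith(p + "/") for p in SENSITIVE_PREFIXES)


def risky_mounts(container):
    """Return (source, destination, writable) for each sensitive bind mount."""
    hits = []
    for m in container.get("Mounts") or []:
        source = m.get("Source")
        if m.get("Type") == "bind" and source and is_sensitive(source):
            hits.append((source, m.get("Destination"), bool(m.get("RW"))))
    return hits


def audit(containers):
    """Map container name -> findings, listing only containers with hits."""
    found = ((c.get("Name") or c.get("Id"), risky_mounts(c)) for c in containers)
    return {name: hits for name, hits in found if hits}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, findings)
```

On a real host, pass `audit()` the parsed JSON from `docker inspect $(docker ps -aq)` in place of the constructed sample.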
---
## 🧑‍💻 Author
* **OilSeller2001**
* GitHub: [https://github.com/oilseller2001](https://github.com/oilseller2001)
*PoC script co-developed with Gemini AI during research.*
---
## 🪪 License
This PoC is released under the [MIT License](LICENSE).
---
File snapshot
[4.0K] /data/pocs/acbd7528bb068f4702951b009a4a6288f932b86d
├── [1.0K] LICENSE
├── [5.3K] poc_cve_2025_9074.py
└── [3.4K] README.md
0 directories, 3 files