Docker login dangers

Vulnerability

During a recent engagement, I was doing some post-exploitation work on a container once I had gotten root (looking for reused SSH keys and the like for lateral movement). After some time, I happened upon this file: /root/.docker/config.json and was rewarded with base64-encoded credentials.

Cause

Upon further investigation, it turns out this was the result of using docker login to access a local Docker registry and failing to run docker logout as part of the provisioning process that was in place.

Fix

The resolution is pretty simple: if you use docker login, don't forget to use docker logout once you're done. Alternatively, the documentation page for docker login recommends using a credentials store like keychain for OS X, which seems like a reasonable alternative to me.
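
A provisioning pipeline can verify that the logout step actually happened. The check below is an added example, not code from the original post: it reads the contents of a Docker config.json and reports registries that still have credentials stored inline, naming the account but never the password. The function name, registry name and sample data are constructed for illustration.

```python
import base64
import json

# Constructed sample of a config.json left behind after `docker login`
# (registry name and credentials are made up for this example).
SAMPLE_LEFTOVER = json.dumps({
    "auths": {
        "registry.example.internal:5000": {
            "auth": base64.b64encode(b"ci-bot:not-a-real-password").decode()
        }
    }
})

# Constructed sample where a credentials store is configured: the registry
# is still listed, but no secret is stored in the file itself.
SAMPLE_WITH_STORE = json.dumps({
    "auths": {"registry.example.internal:5000": {}},
    "credsStore": "osxkeychain",
})


def audit_docker_config(text):
    """Return findings for credentials stored inline in a Docker config.json.

    Each finding names the registry and the account, never the password,
    so the report itself is safe to log.
    """
    config = json.loads(text)
    findings = []
    for registry, entry in config.get("auths", {}).items():
        if entry.get("auth"):
            try:
                # "auth" is base64("username:password")
                decoded = base64.b64decode(entry["auth"]).decode("utf-8", "replace")
                user = decoded.split(":", 1)[0]
            except ValueError:
                user = "<undecodable>"
            findings.append({"registry": registry, "user": user, "kind": "auth"})
        elif entry.get("identitytoken"):
            findings.append({"registry": registry, "user": None, "kind": "identitytoken"})
    return {"creds_store": config.get("credsStore"), "findings": findings}


if __name__ == "__main__":
    for name, sample in [("leftover", SAMPLE_LEFTOVER), ("store", SAMPLE_WITH_STORE)]:
        print(name, audit_docker_config(sample))
```

Any non-empty findings list at the end of provisioning means a docker logout was missed, and the listed account's password should be rotated.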

Resources

https://docs.docker.com/engine/reference/commandline/login/#extended-description