
security: can access other containers' private ports by default

Open WofWca opened this issue 11 months ago • 0 comments

The default setup (no `ALLOWED_DEST_FQDN` used) allows the SOCKS proxy client to access private addresses of the machine on which the SOCKS server is running. In particular, it can access the services running on other Docker containers with the default network (bridge).

PoC:

  1. `docker run -d --name socks5 -p 1080:1080 serjs/go-socks5-proxy`.

  2. `docker run --rm --name web-test crccheck/hello-world` to launch a server. Note that we don't use `-p` to publish a port!

  3. `docker network inspect bridge | grep "hello-world-server" -A 5` to find the IP of the HTTP server.

  4. Now, use another machine to connect to the SOCKS server. Run

         curl --proxy "socks5://localhost:2080" http://172.42.0.3:8000

     Replace 172.42.0.3 with the IP address from step 3.

You got the response! But perhaps you shouldn't have. I say only public IPs should be accessible by default, especially given that this project seems to be noob-oriented. At least we should have a warning in the README.

WofWca, Jan 16 '25 13:01
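The fix the issue asks for ("only public IPs should be accessible by default") comes down to a destination check run before the proxy dials out. The following is an added example written for this page, not code from the serjs/go-socks5-proxy project: a Go filter that rejects loopback, link-local, RFC 1918, CGNAT and IPv6-private destinations (Docker's default bridge, 172.17.0.0/16, falls inside 172.16.0.0/12), and a dialer that resolves a hostname first, checks every answer, and then connects to the checked IP rather than re-resolving the name. The prefix list and the sample addresses are constructed for the example; `IsPublicDest`, `PickPublicAddr` and `DialFiltered` are hypothetical names, not the project's API.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/netip"
	"time"
)

// ErrBlockedDest is returned when a destination resolves to a non-public address.
var ErrBlockedDest = errors.New("destination is not a public address")

// Ranges that are never reachable through the proxy (constructed list for this
// example). Docker's default bridge, 172.17.0.0/16, sits inside 172.16.0.0/12.
var blockedPrefixes = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
	netip.MustParsePrefix("100.64.0.0/10"),  // carrier-grade NAT
	netip.MustParsePrefix("169.254.0.0/16"), // IPv4 link-local, incl. cloud metadata endpoints
	netip.MustParsePrefix("fc00::/7"),       // IPv6 unique local
	netip.MustParsePrefix("fe80::/10"),      // IPv6 link-local
}

// IsPublicDest reports whether addr may be dialled on behalf of a proxy client.
func IsPublicDest(addr netip.Addr) bool {
	addr = addr.Unmap() // treat ::ffff:172.17.0.2 the same as 172.17.0.2
	if !addr.IsValid() || addr.IsLoopback() || addr.IsUnspecified() ||
		addr.IsMulticast() || addr.IsLinkLocalUnicast() {
		return false
	}
	for _, p := range blockedPrefixes {
		if p.Contains(addr) {
			return false
		}
	}
	return true
}

// PickPublicAddr returns the first resolver answer, or ErrBlockedDest if ANY
// answer is non-public. Rejecting the whole name, instead of skipping the bad
// record, stops a name that mixes public and private answers from being
// retried until the private one is picked.
func PickPublicAddr(addrs []netip.Addr) (netip.Addr, error) {
	if len(addrs) == 0 {
		return netip.Addr{}, errors.New("no addresses")
	}
	for _, a := range addrs {
		if !IsPublicDest(a) {
			return netip.Addr{}, fmt.Errorf("%w: %s", ErrBlockedDest, a)
		}
	}
	return addrs[0], nil
}

// DialFiltered resolves host, checks the answers, and dials the checked IP
// rather than the name, so the check and the connection use the same address.
func DialFiltered(ctx context.Context, host, port string) (net.Conn, error) {
	var addrs []netip.Addr
	if a, err := netip.ParseAddr(host); err == nil {
		addrs = []netip.Addr{a} // literal IP, nothing to resolve
	} else {
		var err error
		addrs, err = net.DefaultResolver.LookupNetIP(ctx, "ip", host)
		if err != nil {
			return nil, err
		}
	}
	a, err := PickPublicAddr(addrs)
	if err != nil {
		return nil, err
	}
	d := net.Dialer{Timeout: 10 * time.Second}
	return d.DialContext(ctx, "tcp", net.JoinHostPort(a.Unmap().String(), port))
}

func main() {
	// Constructed samples: a default-bridge container address, loopback, the
	// link-local metadata address, an IPv4-mapped private address, and an
	// RFC 5737 documentation address standing in for a public one.
	for _, h := range []string{"172.17.0.3", "127.0.0.1", "169.254.169.254", "::ffff:10.0.0.5", "203.0.113.10"} {
		fmt.Printf("%-18s public=%v\n", h, IsPublicDest(netip.MustParseAddr(h)))
	}
	_, err := DialFiltered(context.Background(), "172.17.0.3", "8000")
	fmt.Println("dial 172.17.0.3:8000 ->", err)
}
```

A denylist like this only knows the ranges it names: a user-defined Docker network on a subnet outside RFC 1918 space would pass the check, so the stricter option remains an explicit allowlist of destinations, which is what the `ALLOWED_DEST_FQDN` setting the issue mentions provides.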