Related vulnerability
Title:
Docker OS command injection vulnerability
(CVE-2019-5736)
Description: Docker is an open-source application container engine from the US company Docker Inc. The product supports creating a container (a lightweight virtual machine) on Linux systems to deploy and run applications, and automating the installation, deployment and upgrade of applications through configuration files. Docker versions before 18.09.2, and runc 1.0-rc6 and earlier as used in other products, contain a security vulnerability that stems from the program's incorrect handling of file descriptors. An attacker can exploit this flaw to overwrite the host's runc binary and execute commands with root privileges.
Description
CVE-2019-5736 implemented in a self-written container runtime to understand the exploit.
Introduction
# CVE-2019-5736-Custom-Sandbox
## General
CVE-2019-5736 implemented using a shallow, self-written container runtime to understand the exploit.
The exploit is based on (and almost entirely copied from) the runc PoC by Twistlock: https://github.com/twistlock/RunC-CVE-2019-5736/tree/master/malicious_image_POC
## Container Runtime (quarantine)
See code docs for further details.
```sh
Usage: quarantine [OPTIONS] [BINARY and its ARGS]
--rootfs: (mandatory) Specify a rootfs for the container.
--urange: Specify a urange start_host:end_host,start_guest.
--grange: Specify a grange start_host:end_host,start_guest.
--uid: Specify the desired UID in the container.
--ugd: Specify the desired GID in the container.
--supp: Append supplementary groups from the specified grange to the process running in the container.
```
Unshares all namespaces except the user namespace. The user namespace is unshared only in special circumstances, i.e. when `urange`, `grange`, `uid` and/or `gid` are specified.
## Setup for the exploit
This was tested and done on Ubuntu 18.04.
1. Get a rootfs (bionic for example)
- `mkdir rootfs`
- `sudo debootstrap bionic ./rootfs`
2. Get libcap source
- `git clone https://github.com/mhiramat/libcap`
3. Modify libcap
- `cat exploit_code_for_shared_lib.c >> <any cap*.c, I used cap_alloc.c>`
- `make`
4. chroot into the rootfs and install libcap-dev so you can simply link to the modified `libcap.so`
- `sudo chroot rootfs`
- `apt install libcap-dev`
5. Copy the created `libcap.so.2.25` file into the appropriate rootfs dir
- `sudo cp libcap.so.2.25 rootfs/lib/x86_64-linux-gnu`
- *Note*: For me, there already was a link pointing at that exact libcap file version, so I didn't have to link it
- *Note*: This path might change, always look at where the compiled quarantine expects the libcap to be: `ldd quarantine`
6. Compile and copy the other files into the rootfs
- `sudo cp shebang_exploit rootfs/`
- `sudo gcc -o rootfs/root/payload payload.c`
- `sudo gcc -o rootfs/overwrite_sndbx_runtime overwrite_sndbx_runtime.c`
## Run exploit
For example: `sudo ./quarantine --rootfs rootfs /shebang_exploit` or `./quarantine --rootfs rootfs --uid 1 /shebang_exploit`.
It works as long as you either keep `CAP_DAC_OVERRIDE` or `CAP_SYS_ADMIN` on the host, i.e. don't unshare the user namespace when running under sudo (since that drops the capabilities in the parent namespace), or you own the runtime file on the host.
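The two conditions in the paragraph above (a container process that still holds `CAP_DAC_OVERRIDE` or `CAP_SYS_ADMIN`, or one whose identity owns the runtime binary on the host) are exactly what a defender wants to audit before trusting a sandbox. The script below is an added example, not code from the quarantine project or from the Twistlock PoC: it parses the `CapEff` line of `/proc/<pid>/status`, reports which of the two capabilities the effective set still contains, and applies the ordinary DAC owner/group/other rules to the runtime binary's ownership and mode to answer whether a given uid/gid could overwrite it. The capability bit numbers are the ones from `linux/capability.h`; the status text samples are constructed for illustration.

```python
"""Audit a container process for the preconditions named in the README:
retained CAP_DAC_OVERRIDE / CAP_SYS_ADMIN, or write access to the runtime binary.

Added example; not part of the quarantine project.
"""
import os
import re
import stat
from typing import List, Tuple

# Bit numbers from linux/capability.h
CAP_DAC_OVERRIDE = 1
CAP_SYS_ADMIN = 21

# Constructed excerpts of /proc/<pid>/status (only the lines we need).
SAMPLE_STATUS_FULL = "Name:\tbash\nCapEff:\t0000003fffffffff\n"   # root-like set
SAMPLE_STATUS_DAC_ONLY = "Name:\tbash\nCapEff:\t0000000000000002\n"  # only bit 1
SAMPLE_STATUS_DROPPED = "Name:\tbash\nCapEff:\t0000000000000000\n"  # nothing left


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability set as an integer bitmask."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("CapEff line not found in status text")
    return int(m.group(1), 16)


def has_cap(capset: int, cap: int) -> bool:
    """True if capability number `cap` is present in the bitmask."""
    return bool((capset >> cap) & 1)


def risky_caps(status_text: str) -> List[str]:
    """Names of the README's two capabilities still held by the process."""
    capset = parse_cap_eff(status_text)
    found = []
    if has_cap(capset, CAP_DAC_OVERRIDE):
        found.append("CAP_DAC_OVERRIDE")
    if has_cap(capset, CAP_SYS_ADMIN):
        found.append("CAP_SYS_ADMIN")
    return found


def binary_writable_by(owner: Tuple[int, int, int], uid: int, gid: int, capset: int) -> bool:
    """Plain DAC check: could a process with (uid, gid, capset) write the file?

    `owner` is (st_uid, st_gid, st_mode) of the runtime binary on the host.
    CAP_DAC_OVERRIDE bypasses the permission bits entirely.
    """
    st_uid, st_gid, st_mode = owner
    if has_cap(capset, CAP_DAC_OVERRIDE):
        return True
    if st_uid == uid:
        return bool(st_mode & stat.S_IWUSR)
    if st_gid == gid:
        return bool(st_mode & stat.S_IWGRP)
    return bool(st_mode & stat.S_IWOTH)


def audit_pid(pid: int, runtime_path: str) -> dict:
    """Live check on a real host: read the process's CapEff and stat the runtime."""
    with open(f"/proc/{pid}/status") as fh:
        status_text = fh.read()
    capset = parse_cap_eff(status_text)
    st = os.stat(runtime_path)
    # Uid/Gid lines hold real, effective, saved, fs ids; take the effective ones.
    uid = int(re.search(r"^Uid:\s*\d+\s+(\d+)", status_text, re.MULTILINE).group(1))
    gid = int(re.search(r"^Gid:\s*\d+\s+(\d+)", status_text, re.MULTILINE).group(1))
    return {
        "risky_caps": risky_caps(status_text),
        "runtime_writable": binary_writable_by(
            (st.st_uid, st.st_gid, st.st_mode), uid, gid, capset),
    }


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, text in (("full", SAMPLE_STATUS_FULL),
                        ("dac-only", SAMPLE_STATUS_DAC_ONLY),
                        ("dropped", SAMPLE_STATUS_DROPPED)):
        print(label, risky_caps(text))
    # A root-owned, mode 0755 runtime seen by uid 1 with no caps: not writable.
    print(binary_writable_by((0, 0, 0o100755), 1, 1, 0))
```

Run `audit_pid(<container pid>, "/path/to/quarantine")` from the host to see the live result; an empty `risky_caps` list together with `runtime_writable == False` is the state the README's last sentence describes as safe.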
File snapshot
[4.0K] /data/pocs/434a1a14ecb069740169188733444e275130e556
├── [ 924] exploit_code_for_shared_lib.c
├── [2.9K] overwrite_sndbx_runtime.c
├── [ 17K] quarantine.cpp
└── [2.4K] README.md
0 directories, 4 files