POC details: 6a79061343150b489769299ae3c511ef68dcaf54

Source
Related vulnerability
Title: Linux kernel security vulnerability (CVE-2022-0847)
Description: The Linux kernel is the kernel used by Linux, the open-source operating system of the Linux Foundation (USA). The Linux kernel has a security vulnerability caused by the lack of proper initialization of the "flag" variable of new pipe buffer structures in the copy_page_to_iter_pipe and push_pipe functions of the Linux kernel. An unprivileged local user can exploit this vulnerability to escalate privileges to root. The following products and versions are affected: Linux Kernel 5.8-5.16.11, 5.8-5.15.25, 5.8-5.10.102.
Description
CVE-2022-0847 used to achieve container escape
Introduction
# CVE-2022-0847
CVE-2022-0847 used to achieve container escape (overwrite any read-only files on host)

Slides (in Chinese) available [here](./slides-zh.pdf)

Using CVE-2022-0847 (Dirty Pipe) to achieve container escape (the effect is overwriting any read-only file on the host)

The Chinese presentation slides are [here](./slides-zh.pdf)

## Introduction
If the kernel is vulnerable to CVE-2022-0847, the attacker can overwrite read-only files (non-persistent! Visit https://dirtypipe.cm4all.com/ for more details). However, a container can only access files inside the container. Fortunately, when given `CAP_DAC_READ_SEARCH`, the attacker can overwrite files on the host!

## Explanation
As https://dirtypipe.cm4all.com/ explains, to overwrite a read-only file we `splice()` it into a pipe. To use `splice()`, we must first open the target file with the `O_RDONLY` flag to get a **file descriptor**.

That's when `CAP_DAC_READ_SEARCH` came to mind. According to the [Linux manual](https://man7.org/linux/man-pages/man7/capabilities.7.html), when given `CAP_DAC_READ_SEARCH`, an attacker inside a container can:
+ Bypass file read permission checks and directory read and execute permission checks
+ Invoke open_by_handle_at(2)

With the `CAP_DAC_READ_SEARCH` capability, we can search the host filesystem and use `open_by_handle_at(2)` to open any file on the host read-only from inside the container, obtaining its **file descriptor** (visit http://stealth.openwall.net/xSports/shocker.c for more details).

Now that we have the **file descriptor** of the target file on the host, we can of course use `splice()` to send the target file's content into a pipe, and then overwrite it!
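The two preconditions described above give a defender two things to check from inside a workload: whether the running kernel falls in the affected version ranges listed on this page, and whether `CAP_DAC_READ_SEARCH` is in the container's effective capability set (Docker's default set does not include it; it has to be added explicitly). The following script is an added example and is not part of the POC repository. It parses a `uname -r` style release string against the fixed point releases named above (5.10.102, 5.15.25, 5.16.11; other 5.8+ branches below 5.17 treated as unfixed) and reads the `CapEff` mask from a `/proc/<pid>/status` file, testing bit 2, which is the capability number of `CAP_DAC_READ_SEARCH`. The sample release and mask values at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Defender-side exposure check for CVE-2022-0847 (Dirty Pipe) in a container.
# Added example; not code from the POC repository this page describes.

# True (exit 0) when a kernel release string is in the affected range given by
# the advisory: 5.8 up to the fixes in 5.16.11 / 5.15.25 / 5.10.102.
# Releases before 5.8, at or after a fixed point release, or 5.17+ are not affected.
dirtypipe_kernel_affected() {
    rel=$1
    # Keep only the leading numeric "X.Y.Z" of a release like "5.15.0-1032-aws".
    num=${rel%%[!0-9.]*}
    IFS=. read -r maj min pat <<EOF
$num
EOF
    pat=${pat:-0}
    [ "$maj" -eq 5 ] || return 1
    [ "$min" -ge 8 ] || return 1
    case $min in
        10) [ "$pat" -lt 102 ] ;;   # fixed in 5.10.102
        15) [ "$pat" -lt 25 ] ;;    # fixed in 5.15.25
        16) [ "$pat" -lt 11 ] ;;    # fixed in 5.16.11
        *)  [ "$min" -lt 17 ] ;;    # 5.8, 5.9, 5.11-5.14: no fixed release
    esac
}

# True (exit 0) when a CapEff hex mask (as printed in /proc/<pid>/status) has
# CAP_DAC_READ_SEARCH set. Its capability number is 2, i.e. bit 2 of the mask,
# so only the low 32 bits of the 64-bit mask need to be inspected.
cap_dac_read_search_set() {
    mask=$1
    low=$(printf '%s' "$mask" | tail -c 8)
    val=$((0x$low))
    [ $(( (val >> 2) & 1 )) -eq 1 ]
}

# Extract the effective capability mask from a /proc/<pid>/status-style file.
capeff_from_status() {
    awk '/^CapEff:/ { print $2 }' "$1"
}

# One-line summary combining both checks.
report() {
    r=$1
    m=$2
    if dirtypipe_kernel_affected "$r"; then k="AFFECTED"; else k="not affected"; fi
    if cap_dac_read_search_set "$m"; then c="present"; else c="absent"; fi
    printf 'kernel %s: %s; CAP_DAC_READ_SEARCH in CapEff %s: %s\n' "$r" "$k" "$m" "$c"
}

# Constructed sample: a kernel inside the affected range and a mask with bit 2 set.
report 5.10.101-generic 00000000a80425ff
# Constructed sample: same kernel, mask without bit 2 (escape path described above is closed).
report 5.10.101-generic 00000000a80425fb

# Live check of the current process; skipped where /proc is unavailable.
if [ -r /proc/self/status ]; then
    report "$(uname -r)" "$(capeff_from_status /proc/self/status)"
fi
```

Both conditions must hold for the escape described on this page; a kernel that is patched, or a container that runs with the default capability set, closes it. Run the script inside the container under review, or point `capeff_from_status` at `/proc/<pid>/status` of a containerized process from the host.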

## Usage
```bash
cp /etc/passwd . # back up /etc/passwd
gcc dp.c -o dp # build the PoC
docker run --rm -it -v $(pwd):/exp --cap-add=CAP_DAC_READ_SEARCH ubuntu # start a container with the extra capability, mounting the build directory at /exp
/exp/dp /etc/passwd 1 ootz: # overwrite /etc/passwd on host from offset 1
/exp/dp /etc/passwd # dump /etc/passwd on host
```

## Example
First, as the root user on the host, create a read-only file `/home/vagrant/flag.txt` whose content is `hello world`:
![](images/touch.png)

Then start a container with the `CAP_DAC_READ_SEARCH` capability. First try to dump `/home/vagrant/flag.txt` from the host; we get `hello world`:
![](images/dump.png)

Then try to overwrite the target file from offset 1 with the content `abcdefghij`:
![](images/write.png)

Dump the target file again; the content is now `habcdefghij`! Exit the container and check `/home/vagrant/flag.txt` on the host: its content is `habcdefghij`.
![](images/dump-1.png)

Yes, we just overwrote a file on the host from inside a container!

## Credits
+ https://dirtypipe.cm4all.com/
+ http://stealth.openwall.net/xSports/shocker.c
File snapshot

```
[4.0K] /data/pocs/6a79061343150b489769299ae3c511ef68dcaf54
├── [6.0K] dp.c
├── [4.0K] images
│   ├── [ 53K] dump-1.png
│   ├── [ 33K] dump.png
│   ├── [ 35K] touch.png
│   └── [ 31K] write.png
├── [1.0K] LICENSE
├── [2.5K] README.md
└── [754K] slides-zh.pdf

1 directory, 8 files
```