Privilege escalation vulnerability in the latest version of Docker
0x00 Vulnerability analysis

1. com.docker.vmnetd is a launch service that runs with root privileges and communicates with the client (Docker) over a local socket. Analysis shows that the client is not verified during this communication, which creates a privilege escalation risk.

2. The two main functions in main_handle are vmnet_handshake_Perform and vmnetd_commands_Handle. vmnet_handshake_Perform initializes the message and obtains the corresponding client command; vmnetd_commands_Handle calls the corresponding callback function according to the command obtained.

2.1 vmnet_handshake_Perform

2.1.1 First, the initialization message requested by the client (3 packets) is obtained through vmnet_handshake_readInitMessage. The message structure is as follows:

packet-1: flag
c00009a318 56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00 VMN3T...........
c00009a328 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
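The following is an added example, not code from the write-up or from Docker. It parses the packet-1 hex dump shown above back into raw bytes and checks the 5-byte "VMN3T" marker at the start, which is the kind of check a handshake can make on the message itself. It then contrasts that with a check on the client: reading the peer's credentials from the Unix socket. The assumption that "VMN3T" is a fixed marker comes only from the bytes visible on the page, and SO_PEERCRED is a Linux mechanism used here purely to illustrate peer verification; the real daemon is a macOS launch service, and the page does not describe how the missing client verification was fixed.

```python
import os
import re
import socket
import struct

# Constructed copy of the packet-1 dump from the write-up (offset, 16 hex
# bytes, ASCII column). The ASCII column of the second line is truncated
# on the page; the parser ignores that column, so nothing is invented.
PACKET1_DUMP = """\
c00009a318 56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00 VMN3T...........
c00009a328 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...
"""

# Assumption: the first five bytes of packet-1 are a fixed marker.
MAGIC = b"VMN3T"

# offset, then up to 16 two-digit hex pairs each followed by whitespace
HEXLINE = re.compile(r"^([0-9a-f]+)\s+((?:[0-9a-f]{2}\s+){1,16})")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild the raw bytes from 'offset  hh hh ... ascii' dump lines,
    refusing dumps whose offsets are not contiguous."""
    out = bytearray()
    expected = None
    for line in dump.splitlines():
        m = HEXLINE.match(line.strip())
        if not m:
            continue
        offset = int(m.group(1), 16)
        chunk = bytes.fromhex(m.group(2))  # whitespace between pairs is allowed
        if expected is not None and offset != expected:
            raise ValueError(f"non-contiguous dump at offset {offset:#x}")
        out += chunk
        expected = offset + len(chunk)
    return bytes(out)


def check_init_magic(packet: bytes) -> bool:
    """Message-level check: does the init packet start with the marker?
    Any local process can produce these bytes, so this says nothing
    about who the client is."""
    return packet[: len(MAGIC)] == MAGIC


def peer_credentials(sock):
    """Client-level check: (pid, uid, gid) of the process on the other end
    of a Unix socket via SO_PEERCRED (Linux). Returns None where the
    option does not exist (for example on macOS)."""
    if not hasattr(socket, "SO_PEERCRED"):
        return None
    raw = sock.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                          struct.calcsize("3i"))  # struct ucred: pid, uid, gid
    return struct.unpack("3i", raw)


def demo_peer_check():
    """Create a local socket pair and confirm the peer credentials seen by
    one end identify this process. Returns None when SO_PEERCRED is
    unavailable, otherwise True/False."""
    a, b = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        cred = peer_credentials(a)
    finally:
        a.close()
        b.close()
    if cred is None:
        return None
    pid, uid, gid = cred
    return uid == os.getuid() and pid == os.getpid()


if __name__ == "__main__":
    packet = parse_hexdump(PACKET1_DUMP)
    print(len(packet), "bytes, magic ok:", check_init_magic(packet))
    print("peer credentials identify this process:", demo_peer_check())
```

A root-privileged daemon that only validates the message format, as in check_init_magic, accepts any local sender; authorization has to be bound to properties of the connecting process (credentials, or on macOS the client's identity obtained through platform mechanisms) rather than to bytes the client controls.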