博文

目前显示的是 六月, 2020的博文

Docker's latest version of privilege escalation vulnerability

图片
0x00 Vulnerability analysis 1.com.docker.vmnetd is a launch service that runs at root authority; communicates with the client (Docker) through a local socket; after analysis, it is found that the client is not verified during the communication process, resulting in the risk of elevated permissions 2. The two main functions in main_handle are vmnet_handshake_Perform and vmnetd_commands_Handle; vmnet_handshake_Perform function mainly initializes the message and obtains the corresponding client command. vmnetd_commands_Handle function calls the corresponding callback function according to the obtained command 2.1 vmnet_handshake_Perform 2.1.1 First obtain the initialization message (3 packets) requested by the client through vmnet_handshake_readInitMessage. The message structure is as follows packet-1: flag c00009a318  56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00  VMN3T........... c00009a328  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...