Privilege escalation vulnerability in the latest version of Docker
0x00 Vulnerability analysis
1. com.docker.vmnetd is a launch service that runs with root privileges and communicates with the client (Docker) through a local socket. Analysis shows that the client is not verified during this communication, which creates a risk of privilege escalation.
2. The two main functions in main_handle are vmnet_handshake_Perform and vmnetd_commands_Handle. vmnet_handshake_Perform mainly handles the initialization message and obtains the command requested by the client. vmnetd_commands_Handle calls the callback function that corresponds to that command.
2.1 vmnet_handshake_Perform
2.1.1 First, the initialization message (3 packets) sent by the client is read through vmnet_handshake_readInitMessage. The message structure is as follows:
packet-1: flag
c00009a318 56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00 VMN3T...........
c00009a328 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
packet-2: version
c00009a328 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
c00009a338 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
packet-3: client hash
c0000e80c0 30 33 35 36 61 36 66 32 33 66 30 38 36 61 38 31 0356a6f23f086a81
c0000e80d0 33 34 64 38 33 65 65 33 38 64 39 39 66 66 65 35 34d83ee38d99ffe5
c0000e80e0 35 61 31 32 31 66 30 32 00 00 00 00 00 00 00 00 5a121f02........
2.1.2 Then vmnet_handshake_writeInitMessage is called to respond to the client's request, and vmnet_handshake_readCommand is called to read the command requested by the client (the message is 1 byte in size).
2.2 vmnetd_commands_Handle
2.2.1 vmnetd_commands_Handle calls the callback function (from vmnetd_commands_handlers) that corresponds to the received command. The function call table is as follows
2.2.2 The vmnetd_commands_handlers callback functions are initialized in the vmnetd_commands_init function, according to the corresponding command.
2.3 vmnetd_commands_handleInstallSymlinks
2.3.1 After the function obtains the message sent by the client (installation path information), it sets the corresponding symbolic links in the /usr/local/bin/ directory to point to the corresponding binaries, and then sets the file permissions through vmnetd_commands_doSymlink.
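Because the installation path in 2.3.1 comes from an unverified client, a root helper has to treat it as untrusted input. The following is an added example, not Docker's code and not the vendor's fix: ValidateInstallPath, ErrOutsideRoot and the allowedRoot parameter are hypothetical names, and the check only accepts a path that resolves, after symlink resolution, to a directory inside an assumed administrator-controlled root.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot: the client-supplied path escapes the allowed root.
var ErrOutsideRoot = errors.New("path resolves outside the allowed install root")

// ValidateInstallPath is a hypothetical check (not Docker's code) for a root
// helper that receives an installation path from an unverified client.
// allowedRoot is an assumed, administrator-controlled directory.
func ValidateInstallPath(clientPath, allowedRoot string) (string, error) {
	if !filepath.IsAbs(clientPath) {
		return "", fmt.Errorf("relative path rejected: %q", clientPath)
	}
	// Resolve symlinks on both sides so the decision uses real locations.
	root, err := filepath.EvalSymlinks(allowedRoot)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(clientPath)
	if err != nil {
		return "", err
	}
	rel, err := filepath.Rel(root, resolved)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	// Refuse anything that is not a directory, or that group/other can write.
	info, err := os.Lstat(resolved)
	if err != nil {
		return "", err
	}
	if !info.IsDir() || info.Mode().Perm()&0o022 != 0 {
		return "", fmt.Errorf("unsafe install directory %q (mode %v)", resolved, info.Mode())
	}
	return resolved, nil
}

func main() {
	// Constructed demo: /var/log is not under an assumed root of /usr/local.
	_, err := ValidateInstallPath("/var/log", "/usr/local")
	fmt.Println("rejected:", err != nil)
}
```

A check like this is still exposed to a race if the directory can change between validation and use, and it complements rather than replaces verifying the socket peer, which is the missing step the analysis identifies.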
0x01 Exploit
1. Create a test file in the /var/log directory
2. After poc_docker is compiled and run, the permissions of the test file are modified
Hi! University student here. Me and my friends are writing a report on this CVE, was wondering if you could share the poc_docker.c file with us? It would be a great help!