Docker's latest version of privilege escalation vulnerability

0x00 Vulnerability analysis

1. com.docker.vmnetd is a launchd service that runs with root privileges and communicates with the client (Docker) through a local socket. Analysis found that the client is not verified at any point in this communication, which creates a risk of privilege escalation.

2. The two main functions in main_handle are vmnet_handshake_Perform and vmnetd_commands_Handle. vmnet_handshake_Perform initializes the message exchange and obtains the client's command; vmnetd_commands_Handle then calls the callback function that corresponds to the obtained command.


2.1 vmnet_handshake_Perform
2.1.1 First, the initialization message sent by the client (3 packets) is read through vmnet_handshake_readInitMessage. The message structure is as follows:

packet-1: flag
c00009a318  56 4d 4e 33 54 00 00 00 00 00 00 00 00 00 00 00  VMN3T...........
c00009a328  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

packet-2: version
c00009a328  01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
c00009a338  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................

packet-3: client hash
c0000e80c0  30 33 35 36 61 36 66 32 33 66 30 38 36 61 38 31  0356a6f23f086a81
c0000e80d0  33 34 64 38 33 65 65 33 38 64 39 39 66 66 65 35  34d83ee38d99ffe5
c0000e80e0  35 61 31 32 31 66 30 32 00 00 00 00 00 00 00 00  5a121f02........

2.1.2 Then vmnet_handshake_writeInitMessage is called to respond to the client's request, and vmnet_handshake_readCommand is called to read the command the client requests (a 1-byte message).
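The handshake described in 2.1, reconstructed as an added Go example (not code from the daemon or from the original post): it decodes the three init packets and the command byte from the bytes shown in the dump above, and makes the point of the analysis visible in code, namely that every field the daemon reads here is supplied by the connecting process and identifies nothing. The fixed packet sizes (32, 32 and 48 bytes) are assumptions read off the dump; the daemon's real framing may differ.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"io"
)

// Sizes assumed from the dump above: 32-byte flag, 32-byte version, 48-byte zero-padded hex digest, 1-byte command.
const flagSize, versionSize, hashSize, magic = 32, 32, 48, "VMN3T"

// InitMessage is what vmnet_handshake_readInitMessage receives; every field is chosen by the connecting process, so none identifies it.
type InitMessage struct {
	Flag       string
	Version    uint32
	ClientHash string
	Command    byte
}

// ParseHandshake decodes the three init packets plus the command byte.
func ParseHandshake(r io.Reader) (m InitMessage, err error) {
	buf := make([]byte, flagSize+versionSize+hashSize+1)
	if _, err = io.ReadFull(r, buf); err != nil {
		return m, fmt.Errorf("short handshake: %w", err)
	}
	m.Flag = string(bytes.TrimRight(buf[:flagSize], "\x00"))
	if m.Flag != magic {
		return m, fmt.Errorf("bad flag %q", m.Flag)
	}
	m.Version = binary.LittleEndian.Uint32(buf[flagSize:])
	m.ClientHash = string(bytes.TrimRight(buf[flagSize+versionSize:len(buf)-1], "\x00"))
	// Shape check only: a well-formed digest proves nothing about who sent it.
	if _, err = hex.DecodeString(m.ClientHash); err != nil || len(m.ClientHash) != 40 {
		return m, fmt.Errorf("client hash is not a 40-char hex digest: %q", m.ClientHash)
	}
	m.Command = buf[len(buf)-1]
	return m, nil
}

// CapturedHandshake rebuilds the bytes shown in the dump above followed by a command byte (constructed sample, not a live capture).
func CapturedHandshake(cmd byte) []byte {
	pad := func(s string, n int) []byte { return append([]byte(s), make([]byte, n-len(s))...) }
	ver := make([]byte, versionSize)
	binary.LittleEndian.PutUint32(ver, 1)
	msg := append(pad(magic, flagSize), ver...)
	msg = append(msg, pad("0356a6f23f086a8134d83ee38d99ffe55a121f02", hashSize)...)
	return append(msg, cmd)
}
```

A peer-credential check on the socket (the uid of the connecting process) is the kind of information this exchange lacks; the parser above accepts any process that can type the right bytes.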


2.2 vmnetd_commands_Handle
2.2.1 vmnetd_commands_Handle calls the corresponding callback function (from vmnetd_commands_handlers) according to the received command. The function call table is as follows:


2.2.2 The vmnetd_commands_handlers callback functions are initialized in the vmnetd_commands_init function, one entry for each corresponding command.


2.3 vmnetd_commands_handleInstallSymlinks
2.3.1 After the function obtains the message requested by the client (installation path information), it creates the corresponding symbolic links in the /usr/local/bin/ directory pointing to the corresponding binary programs; the file permissions are then set through vmnetd_commands_doSymlink.



0x01 Exploit
1. Create a test file in the /var/log directory
2. After compiling and running poc_docker, the test file's permissions will be modified


