Problem description

Running the runc-pwn module prints
cannot find RunC process inside container, exit.
and then exits straight away; nothing happens and it just reports Finished. The if check at line 87 returns directly out of the function, so the target container has already stopped watching for the pid before the host has had a chance to run the exec command. When the host first creates the container, runc exits as soon as it finishes, so runc's pid cannot be obtained.
CDK/pkg/exploit/docker_runc.go, lines 87 to 90 in b0ca845:

```go
if found == -1 {
	fmt.Println("\tcannot find RunC process inside container, exit.")
	return
}
```
Additional Information

1. Output of cdk evaluate --full
2. Full error output
```
root@807f6b85cc1e:/# ./cdk run runc-pwn "echo 'hello,host' > /tmp/haha.escape"
2023/03/12 02:15:28 THIS EXPLOIT WILL OVERWRITE RUNC BINARY AND BREAK CI/CD, BACKUP YOUR RUNC BINARY FIRST!
2023/03/12 02:15:28 Shellcode will be trigger when an execve() call in container or the container is manually stopped.
2023/03/12 02:15:28 Exploit CVE-2019-5736 with shellcode commands: echo 'hello,host' > /tmp/haha.escape
[0xc0001ccb60 0xc0001ccc30 0xc0001c81a0 0xc0001c9ba0 0xc00008dc70 0xc0001c8f70 0xc0001c9040 0xc0001c9790 0xc0001c9110 0xc0001c8a90 0xc0001c91e0 0xc0001c9c70 0xc00008dd40 0xc0001c8b60 0xc0001cc340 0xc00008dad0 0xc0001cc410 0xc00008dba0 0xc0001c9ee0 0xc0001c8750 0xc0001c92b0 0xc00008de10 0xc0001c9860 0xc0001c8820 0xc0001c9d40 0xc0001c8270 0xc0001c8340 0xc0001cc4e0 0xc0001cc000 0xc0001cc0d0 0xc0001c9380 0xc0001c88f0 0xc0001c8c30 0xc0001c9450 0xc0001c8410 0xc0001c9520 0xc0001c8d00 0xc0001c84e0 0xc00008dee0 0xc0001cc750 0xc0001cc1a0 0xc0001cc5b0 0xc0001c9e10 0xc0001c85b0 0xc0001cc9c0 0xc0001c9930 0xc0001c9a00 0xc0001c8680 0xc0001c89c0 0xc0001c8000 0xc0001cc820 0xc0001c95f0 0xc0001cca90 0xc0001cc270 0xc0001c80d0 0xc0001c8dd0 0xc0001c96c0 0xc0001cc8f0 0xc0001cc680 0xc0001c8ea0 0xc0001c9ad0]
/bin/bash ./cdkrunrunc-pwnecho 'hello,host' > /tmp/haha.escape
cannot find RunC process inside container, exit.
2023/03/12 02:15:28 Finished.
```
hello, do you mean that
if found == -1 { fmt.Println("\tcannot find RunC process inside container, exit.")
this logic should go inside the for loop, and that it should use continue instead of return?
Yes. My understanding of the exploit flow is that the attacker waits inside the target container, using a for loop, for the host to run runc, then matches and catches it; the code can follow the PoC you mentioned in the comment.
https://github.com/Frichetten/CVE-2019-5736-PoC/blob/cee0c9f45cbd8d5353e01aec2edbcad5170d39ec/main.go#L44
> hello, do you mean that if found == -1 { fmt.Println("\tcannot find RunC process inside container, exit.") this logic should go inside the for loop, and that it should use continue instead of return?

I don't think this needs to change. CVE-2019-5736 is a race condition by nature: the attack has to modify runc while the runc init process is inside the container. If runc can no longer be found in /proc, runc has already left the container and there is no point looping again. See: https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/ If you still want to move the code above into the loop, remember to call ioutil.ReadDir("/proc") again so the process list is refreshed. (p.s.: neargle's my-re0-k8s-security is really well written!)