Related vulnerability
Title:
Docker operating system command injection vulnerability
(CVE-2019-5736)
Description: Docker is an open-source application container engine developed by Docker, Inc. (USA). It supports creating containers (lightweight virtual machines) on Linux systems to deploy and run applications, and automating application installation, deployment and upgrades through configuration files. Docker versions before 18.09.2, and runc 1.0-rc6 and earlier as shipped in other products, contain a security vulnerability caused by the program's incorrect handling of file descriptors. An attacker can exploit it to overwrite the host runc binary and execute commands with root privileges.
Description
In this project, we reproduced a recent attack delivered through a malicious container (CVE-2019-5736) and implemented a security mechanism to stop it.
Introduction
# CVE-2019-5736-attack-and-security-mechanism
## **Introduction**
Cyber-attacks have become a critical challenge for both companies and small businesses, largely due to vulnerabilities in various components of their IT resources. Understanding these threats is the first step in safeguarding an organization's data and assets. Common forms of attacks include malware, ransomware, and phishing. Recent studies highlight the increasing prevalence of attacks targeting container infrastructures. Adversaries often exploit misconfigured containers by locating them through public search engines and scanning tools.
In this project we therefore reproduced an attack that exploits the CVE-2019-5736 vulnerability in Docker and identified a security mechanism that prevents it.
## **Attack Implementation and Execution**
We used the following setup to implement the attack and the security mechanism safely. On a Windows host, VMware Workstation runs an Ubuntu 18.04 virtual machine, and Docker 18.03.1-ce (runc 1.0.0-rc5) is installed on the Ubuntu guest.
The "/usr/docker/runc" binary is a sensitive host executable that no third party, and in particular no process inside a container, should be able to modify. However, the runc shipped with Docker 18.03 does not protect its own binary: a process running inside a container can reach the host runc executable through /proc/self/exe and, once the original runc process has exited, obtain a writable file descriptor to it and overwrite it. Because that write happens with root privileges on the host, the attacker can use this vulnerability to replace "/usr/docker/runc" with hostile code and obtain root access to our Linux system the next time runc is executed.
1) We create a backup of the "/usr/docker/runc" file and record its hash, so that modification of the file can be confirmed after the attack is executed.
2) We add malicious scripts to the container setup, which overwrite the "/usr/docker/runc" file once an ordinary user runs the malformed container.
3) We build the container image.
4) The attacker starts a listener on their own device (in this case our Windows machine) on the port number configured in the malicious scripts (e.g. port 1234). When the user runs the container, runc is overwritten; the next time runc is executed on the host (for example when the user runs or execs into a container), the injected payload connects back to the listener with root privileges.
5) We run the malformed container.
As a result:
- The attacker obtains a shell on the user's machine with root privileges.
- The hash of the "/usr/docker/runc" file after the attack differs from the hash of the backup, confirming that the binary was overwritten and the attack succeeded.
## **Security Mechanism**
The root cause of this vulnerability is that a malicious Docker image can overwrite the host's "/usr/docker/runc" file and embed hostile code in the executable.
To stop this attack we use the "chattr" command to make the "/usr/docker/runc" file immutable ("chattr +i /usr/docker/runc"). With the immutable bit set, the write from inside the container fails, the exploit does not complete, and nothing arrives at the attacker's listener.
The security mechanism we applied does stop the attack: the malicious code can no longer exploit the vulnerability in that specific Docker file. It works because the immutable bit is enforced by the filesystem regardless of file ownership and mode, and clearing it requires the CAP_LINUX_IMMUTABLE capability, which Docker does not grant to containers by default. We could not use the "chmod" command instead, because in this vulnerability the overwrite is performed with root privileges, and a root process (holding CAP_DAC_OVERRIDE) is not subject to ordinary permission bits; "chmod" therefore cannot prevent the attack. Two caveats apply: the bit has to be cleared again ("chattr -i") before runc can be legitimately updated, and the immutable bit is a workaround rather than a fix. The vulnerability itself is closed by upgrading to Docker 18.09.2 or later, which ships a runc containing the CVE-2019-5736 fix.
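The integrity check used in step 1 and in the post-attack comparison, together with the "chattr" hardening from this section, as an added shell example that is not part of this project's code or report. The path "/usr/docker/runc" is the one the report names; where the runc binary actually lives depends on the host's Docker packaging, so RUNC_PATH and the backup directory are assumptions to adjust. Only the hashing functions run unprivileged; runc_lock needs root and a filesystem that supports the immutable attribute (ext4, xfs).

```shell
#!/bin/sh
# Added example (not the project's own code): baseline/verify integrity check for the
# host runc binary plus the chattr +i mitigation. RUNC_PATH and BACKUP_DIR are
# assumptions; the report names "/usr/docker/runc", but the real location varies.
RUNC_PATH="${RUNC_PATH:-/usr/docker/runc}"
BACKUP_DIR="${BACKUP_DIR:-/root/runc-backup}"

# SHA-256 of a file, hash only (sha256sum prints "hash  filename").
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Step 1: keep a copy of the binary and its hash so a later overwrite can be proven.
# Usage: runc_baseline [path] [backup_dir]
runc_baseline() {
    target="${1:-$RUNC_PATH}"
    dir="${2:-$BACKUP_DIR}"
    mkdir -p "$dir"
    cp -p "$target" "$dir/runc.bak"
    file_sha256 "$target" > "$dir/runc.sha256"
}

# Post-attack check: exit status 0 if the binary still matches the baseline,
# 1 if it was modified (what the report observes after the malicious container ran).
runc_verify() {
    target="${1:-$RUNC_PATH}"
    dir="${2:-$BACKUP_DIR}"
    expected=$(cat "$dir/runc.sha256")
    actual=$(file_sha256 "$target")
    if [ "$expected" = "$actual" ]; then
        echo "OK: $target matches baseline"
        return 0
    fi
    echo "ALERT: $target modified (baseline $expected, current $actual)"
    return 1
}

# Mitigation: set the immutable bit. Requires root and ext4/xfs; lsattr then shows
# an 'i' in the attribute column. Run "chattr -i" on the file before upgrading runc.
runc_lock() {
    chattr +i "$1" && lsattr "$1"
}

# Put the baseline copy back after a test run (clear the immutable bit first).
runc_restore() {
    dir="${2:-$BACKUP_DIR}"
    cp -p "$dir/runc.bak" "${1:-$RUNC_PATH}"
}
```

Run runc_baseline before building the container and runc_verify after running it; a non-zero status is the same evidence of overwrite the report obtains by comparing hashes. runc_lock applies the immutable bit, and because CAP_LINUX_IMMUTABLE is not in Docker's default capability set, a process inside a container cannot undo it even as root.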
## **Summary**
In this project we chose to implement an attack that exploits the CVE-2019-5736 vulnerability, which has a HIGH CVSS score and gives an attacker remote access to the user's machine with root privileges. We successfully executed the attack and found a security mechanism that prevents it.
Challenges:
- Installation of older Docker version
- Modifying the available exploit code to run an attack
File snapshot
[4.0K] /data/pocs/8f3a2bf155eeb2968f33ebc3d5931d2ce5c38333
├── [3.6K] README.md
└── [1.5M] Report - vulnerability exploit and security mechanism.pdf
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com (replace # with @) to request a local snapshot.
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.