exploit模块下runc-pwn直接退出

[ABILLEST]

问题描述

执行runc-pwn模块，报出cannot find RunC process inside container, exit.之后，直接退出，没发生任何事就Finished。

在87行的if判断中直接return退出了函数，导致宿主机还没来得及执行exec命令，目标容器就已经退出了pid的监听。一开始宿主机创建容器时runc执行完就退出了，无法获取runc的pid。

CDK/pkg/exploit/docker_runc.go

Lines 87 to 90 in b0ca845

	if found == -1 {
	fmt.Println("\tcannot find RunC process inside container, exit.")
	return
	}

附加信息(Additional Information)

1、执行 cdk evaluate --full 的返回结果

$ ./cdk evaluate --full

CDK (Container DucK)
CDK Version(GitCommit):
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[  Information Gathering - System Info  ]
2023/03/12 02:16:25 current dir: /
2023/03/12 02:16:25 current user: root uid: 0 gid: 0 home: /root
2023/03/12 02:16:25 hostname: 807f6b85cc1e
2023/03/12 02:16:25 debian ubuntu 18.04 kernel: 4.4.0-210-generic
2023/03/12 02:16:25 Setuid files found:
        /usr/bin/chfn
        /usr/bin/chsh
        /usr/bin/gpasswd
        /usr/bin/newgrp
        /usr/bin/passwd
        /bin/mount
        /bin/su
        /bin/umount

[  Information Gathering - Services  ]

[  Information Gathering - Commands and Capabilities  ]
2023/03/12 02:16:25 available commands:
        find,ps,apt,dpkg,mount,fdisk,base64,perl
2023/03/12 02:16:25 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
        CapInh: 00000000a80425fb
        CapPrm: 00000000a80425fb
        CapEff: 00000000a80425fb
        CapBnd: 00000000a80425fb
        CapAmb: 0000000000000000
        Cap decode: 0x00000000a80425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] Maybe you can exploit the Capabilities below:

[  Information Gathering - Mounts  ]
0:41 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/YCLLF3QMOQWI6RXE5WOEML3MWH:/var/lib/docker/overlay2/l/T75S3NZRBNEIAZ6L3SOODUELSG:/var/lib/docker/overlay2/l/TQUPTPF5JE77BTN7SPW3C4EZ2C:/var/lib/docker/overlay2/l/HXM2EF5BE7N4OJVLYPMFSUAT2X,upperdir=/var/lib/docker/overlay2/c1946e06500cb5afce2ebe698b81e2996dbb67c3b38e23fa225aeb8e3a457cf7/diff,workdir=/var/lib/docker/overlay2/c1946e06500cb5afce2ebe698b81e2996dbb67c3b38e23fa225aeb8e3a457cf7/work
0:44 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:45 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:46 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:47 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:48 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
0:23 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd
0:25 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
0:26 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
0:27 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
0:28 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_cls,net_prio
0:29 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct
0:30 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
0:31 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
0:32 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
0:33 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
0:34 /system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
0:43 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/vda1 rw,data=ordered
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/hostname /etc/hostname rw,relatime - ext4 /dev/vda1 rw,data=ordered
253:1 /var/lib/docker/containers/807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83/hosts /etc/hosts rw,relatime - ext4 /dev/vda1 rw,data=ordered
0:42 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
0:46 /0 /dev/console rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:44 /bus /proc/bus ro,relatime - proc proc rw
0:44 /fs /proc/fs ro,relatime - proc proc rw
0:44 /irq /proc/irq ro,relatime - proc proc rw
0:44 /sys /proc/sys ro,relatime - proc proc rw
0:44 /sysrq-trigger /proc/sysrq-trigger ro,relatime - proc proc rw
0:45 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:45 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:49 / /proc/scsi ro,relatime - tmpfs tmpfs ro
0:50 / /sys/firmware ro,relatime - tmpfs tmpfs ro

[  Information Gathering - Net Namespace  ]
        container net namespace isolated.

[  Information Gathering - Sysctl Variables  ]
2023/03/12 02:16:25 net.ipv4.conf.all.route_localnet = 0

[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 223.5.5.5:53: no such host
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 223.5.5.5:53: no such host

[  Discovery - K8s API Server  ]
2023/03/12 02:16:25 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
        api-server forbids anonymous request.
        response:

[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[  Discovery - Cloud Provider Metadata API  ]
2023/03/12 02:16:25 failed to dial Alibaba Cloud API.
2023/03/12 02:16:26 failed to dial Azure API.
2023/03/12 02:16:26 failed to dial Google Cloud API.
2023/03/12 02:16:26 failed to dial Tencent Cloud API.
        OpenStack Metadata API available in http://169.254.169.254/openstack/latest/meta_data.json
        Docs: https://docs.openstack.org/nova/rocky/user/metadata-service.html
        Amazon Web Services (AWS) Metadata API available in http://169.254.169.254/latest/meta-data/
        Docs: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html
2023/03/12 02:16:27 failed to dial ucloud API.

[  Exploit Pre - Kernel Exploits  ]
2023/03/12 02:16:27 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2017-16995] eBPF_verifier

   Details: https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
   Exposure: probable
   Tags: debian=9.0{kernel:4.9.0-3-amd64},fedora=25|26|27,ubuntu=14.04{kernel:4.4.0-89-generic},ubuntu=(16.04|17.04){kernel:4.(8|10).0-(19|28|45)-generic}
   Download URL: https://www.exploit-db.com/download/45010
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-5195] dirtycow

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
   Download URL: https://www.exploit-db.com/download/40611
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2016-5195] dirtycow 2

   Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
   Exposure: probable
   Tags: debian=7|8,RHEL=5|6|7,ubuntu=14.04|12.04,ubuntu=10.04{kernel:2.6.32-21-generic},ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://www.exploit-db.com/download/40839
   ext-url: https://www.exploit-db.com/download/40847
   Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

[+] [CVE-2021-27365] linux-iscsi

   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000253] PIE_stack_corruption

   Details: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.txt
   Exposure: less probable
   Tags: RHEL=6,RHEL=7{kernel:3.10.0-514.21.2|3.10.0-514.26.1}
   Download URL: https://www.qualys.com/2017/09/26/linux-pie-cve-2017-1000253/cve-2017-1000253.c

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: less probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},ubuntu=16.04{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-8655] chocobo_root

   Details: http://www.openwall.com/lists/oss-security/2016/12/06/1
   Exposure: less probable
   Tags: ubuntu=(14.04|16.04){kernel:4.4.0-(21|22|24|28|31|34|36|38|42|43|45|47|51)-generic}
   Download URL: https://www.exploit-db.com/download/40871
   Comments: CAP_NET_RAW capability is needed OR CONFIG_USER_NS=y needs to be enabled

[+] [CVE-2016-4997] target_offset

   Details: https://www.exploit-db.com/exploits/40049/
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/40053.zip
   Comments: ip_tables.ko needs to be loaded

[+] [CVE-2016-4557] double-fdput()

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: less probable
   Tags: ubuntu=16.04{kernel:4.4.0-21-generic}
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working



[  Information Gathering - Sensitive Files  ]
        .dockerenv - /.dockerenv
        /.bashrc - /etc/skel/.bashrc
        /.bashrc - /root/.bashrc

[  Information Gathering - ASLR  ]
2023/03/12 02:16:29 /proc/sys/kernel/randomize_va_space file content: 2
2023/03/12 02:16:29 ASLR is enabled.

[  Information Gathering - Cgroups  ]
2023/03/12 02:16:29 /proc/1/cgroup file content:
        11:pids:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        10:memory:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        9:cpuset:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        8:perf_event:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        7:hugetlb:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        6:cpu,cpuacct:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        5:net_cls,net_prio:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        4:blkio:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        3:devices:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        2:freezer:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
        1:name=systemd:/system.slice/docker-807f6b85cc1e15c36d15620ad2411827fa238047f7eb916318cede3be20c2f83.scope
2023/03/12 02:16:29 /proc/self/cgroup file added content (compare pid 1) :

2、完整错误信息

root@807f6b85cc1e:/# ./cdk run runc-pwn "echo 'hello,host' > /tmp/haha.escape"
2023/03/12 02:15:28 THIS EXPLOIT WILL OVERWRITE RUNC BINARY AND BREAK CI/CD, BACKUP YOUR RUNC BINARY FIRST!
2023/03/12 02:15:28 Shellcode will be trigger when an execve() call in container or the container is manually stopped.
2023/03/12 02:15:28 Exploit CVE-2019-5736 with shellcode commands:  echo 'hello,host' > /tmp/haha.escape
[0xc0001ccb60 0xc0001ccc30 0xc0001c81a0 0xc0001c9ba0 0xc00008dc70 0xc0001c8f70 0xc0001c9040 0xc0001c9790 0xc0001c9110 0xc0001c8a90 0xc0001c91e0 0xc0001c9c70 0xc00008dd40 0xc0001c8b60 0xc0001cc340 0xc00008dad0 0xc0001cc410 0xc00008dba0 0xc0001c9ee0 0xc0001c8750 0xc0001c92b0 0xc00008de10 0xc0001c9860 0xc0001c8820 0xc0001c9d40 0xc0001c8270 0xc0001c8340 0xc0001cc4e0 0xc0001cc000 0xc0001cc0d0 0xc0001c9380 0xc0001c88f0 0xc0001c8c30 0xc0001c9450 0xc0001c8410 0xc0001c9520 0xc0001c8d00 0xc0001c84e0 0xc00008dee0 0xc0001cc750 0xc0001cc1a0 0xc0001cc5b0 0xc0001c9e10 0xc0001c85b0 0xc0001cc9c0 0xc0001c9930 0xc0001c9a00 0xc0001c8680 0xc0001c89c0 0xc0001c8000 0xc0001cc820 0xc0001c95f0 0xc0001cca90 0xc0001cc270 0xc0001c80d0 0xc0001c8dd0 0xc0001c96c0 0xc0001cc8f0 0xc0001cc680 0xc0001c8ea0 0xc0001c9ad0]
/bin/bash
./cdkrunrunc-pwnecho 'hello,host' > /tmp/haha.escape
        cannot find RunC process inside container, exit.
2023/03/12 02:15:28 Finished.

[neargle]

hello， 你的意思是指

	if found == -1 {
		fmt.Println("\tcannot find RunC process inside container, exit.")

这个逻辑应该放到for循环内，而且应该用 continue 而不是 return？

[ABILLEST]

是的，我理解利用流程是攻击者在目标容器中用for循环等待host执行runc并匹配捕捉，代码可以参考您在注释中提到的poc。

https://github.com/Frichetten/CVE-2019-5736-PoC/blob/cee0c9f45cbd8d5353e01aec2edbcad5170d39ec/main.go#L44

[upaskun]

hello， 你的意思是指

	if found == -1 {
		fmt.Println("\tcannot find RunC process inside container, exit.")

这个逻辑应该放到for循环内，而且应该用 continue 而不是 return？

我觉得这个地方没必要改。
因为cve-2019-5736本来就是一个条件竞争的洞，需要在runc init进程位于容器内时，修改runc完成攻击。如果当前/proc内已经找不到runc，说明runc已经退出容器，没有必要重复循环。参见：https://unit42.paloaltonetworks.com/breaking-docker-via-runc-explaining-cve-2019-5736/
如果还是考虑把上面的代码放到循环中，注意调用ioutil.ReadDir("/proc")，更新进程信息。
(p.s. :neargle师傅的my-re0-k8s-security写得好好!)