diff --git a/云安全漏洞/Kubernetes + Ubuntu 18.04 漏洞环境搭建.md b/云安全漏洞/Kubernetes + Ubuntu 18.04 漏洞环境搭建.md index 682cfc7..c89d15e 100644 --- a/云安全漏洞/Kubernetes + Ubuntu 18.04 漏洞环境搭建.md +++ b/云安全漏洞/Kubernetes + Ubuntu 18.04 漏洞环境搭建.md @@ -7,12 +7,34 @@ 各组件版本如下: ``` -Docker version: 18.09.3 +Docker version: 18.09.3/19.03.6 minikube version: v1.35.0 Kubectl Client Version: v1.32.3 Kubectl Server Version: v1.32.0 ``` +本环境可用于复现以下漏洞: + +| 类别 | 漏洞名称 | CDK(v1.5.5) Exploit | 文档链接 | +| ---- | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| 容器逃逸 | 挂载 docker.sock 导致容器逃逸 | [docker-sock-check](https://github.com/Xyntax/CDK/wiki/Exploit:-docker-sock-check)
[docker-sock-pwn](https://github.com/Xyntax/CDK/wiki/Exploit:-docker-sock-pwn) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%20docker.sock%20%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) | +| 容器逃逸 | 挂载 log 目录导致容器逃逸 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%20log%20%E7%9B%AE%E5%BD%95%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) | +| 容器逃逸 | 挂载宿主机 procfs 系统导致容器逃逸 | [mount-procfs](https://github.com/Xyntax/CDK/wiki/Exploit:-mount-procfs) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%E5%AE%BF%E4%B8%BB%E6%9C%BA%20procfs%20%E7%B3%BB%E7%BB%9F%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) | +| 容器逃逸 | Containerd 漏洞导致容器逃逸 CVE-2020-15257 | [shim-pwn](https://github.com/Xyntax/CDK/wiki/Exploit:-shim-pwn) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Containerd%20%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%20CVE-2020-15257.md) | +| 容器逃逸 | Docker copy 漏洞导致容器逃逸 CVE-2019-14271 | [docker-api-pwn](https://github.com/Xyntax/CDK/wiki/Exploit:-docker-api-pwn) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Docker%20copy%20%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%20CVE-2019-14271.md) | +| 容器逃逸 | 挂载重写 cgroup devices.allow 导致容器逃逸 | [rewrite-cgroup-devices](https://github.com/cdk-team/CDK/wiki/Exploit:-rewrite-cgroup-devices) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%E9%87%8D%E5%86%99%20cgroup%20devices.allow%20%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) | +| 容器逃逸 | Linux 内核 cgroups v1 逻辑错误导致容器逃逸 CVE-2022-0492 | 
[mount-cgroup](https://github.com/Xyntax/CDK/wiki/Exploit:-mount-cgroup) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Linux%20%E5%86%85%E6%A0%B8%20cgroup%20v1%20%E9%80%BB%E8%BE%91%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%20CVE-2022-0492.md) | +| 容器逃逸 | Kubernetes privileged 特权容器导致容器逃逸 | [mount-disk](https://github.com/Xyntax/CDK/wiki/Exploit:-mount-disk) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20privileged%20%E7%89%B9%E6%9D%83%E5%AE%B9%E5%99%A8%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) | +| 持久化 | Kubernetes 部署 Shadow API Server | [k8s-shadow-apiserver](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E9%83%A8%E7%BD%B2%20Shadow%20API%20Server.md) | +| 持久化 | Kubernetes 部署后门 CronJob | [k8s-cronjob](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-cronjob) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E9%83%A8%E7%BD%B2%E5%90%8E%E9%97%A8%20CronJob.md) | +| 持久化 | Kubernetes 部署后门 Daemonset | [k8s-backdoor-daemonset](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E9%83%A8%E7%BD%B2%E5%90%8E%E9%97%A8%20Daemonset.md) | +| 权限提升 | Kubernetes 利用 nodes proxy 子资源进行权限提升 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E5%88%A9%E7%94%A8%20nodes%20proxy%20%E5%AD%90%E8%B5%84%E6%BA%90%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87.md) | +| 命令执行 | Docker build 漏洞导致命令执行 CVE-2019-13139 | - | 
[link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Docker%20build%20%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%20CVE-2019-13139.md) | +| 命令执行 | Docker daemon api 未授权访问漏洞 RCE | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Docker%20daemon%20api%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%20RCE.md) | +| 命令执行 | Kubernetes Ingress-nginx admission 远程代码执行漏洞 CVE-2025-1974 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20Ingress-nginx%20admission%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2025-1974.md) | +| 命令执行 | Kubernetes API Server 未授权命令执行 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20API%20Server%20%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C.md) | +| 信息窃取 | Kubernetes etcd 未授权访问 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20etcd%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.md) | + ## 环境搭建 ### Docker 18.09.3 @@ -64,6 +86,8 @@ echo "✅ 安装完成,当前版本:" docker --version ``` +> 其他版本 Docker 修改 `18.09.3` 版本号即可。 + ### Kubectl v1.32.3 安装最新版本: diff --git a/云安全漏洞/Linux 内核 cgroup v1 逻辑错误导致容器逃逸 CVE-2022-0492.md b/云安全漏洞/Linux 内核 cgroup v1 逻辑错误导致容器逃逸 CVE-2022-0492.md index f23c7ed..0a7ba42 100644 --- a/云安全漏洞/Linux 内核 cgroup v1 逻辑错误导致容器逃逸 CVE-2022-0492.md +++ b/云安全漏洞/Linux 内核 cgroup v1 逻辑错误导致容器逃逸 CVE-2022-0492.md 
@@ -91,7 +91,7 @@ root@0c782b51c5ac:/# echo "$t/exp.sh" > $d/release_agent ![](images/Linux%20内核%20cgroup%20v1%20逻辑错误导致容器逃逸%20CVE-2022-0492/image-20250603113252638.png) -- 第五步,e创建一个马上终止的进程,当 `w` 子组的最后一个进程退出时,将激活 `/mnt/release_agent`: +- 第五步,创建一个马上终止的进程,当 `w` 子组的最后一个进程退出时,将激活 `/mnt/release_agent`: ``` root@0c782b51c5ac:/# sh -c "echo 0 >$d/w/cgroup.procs"
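Review bot: In the first hunk of `Kubernetes + Ubuntu 18.04 漏洞环境搭建.md`, three table rows are broken across lines inside a cell: the docker.sock row (the `[docker-sock-pwn](...)` link starts a new line), the CVE-2022-0492 row (the `[mount-cgroup](...)` link) and the CVE-2019-13139 row (the `[link](...)` cell). GitHub-flavored Markdown requires each table row to sit on one line, so the table will stop rendering at the first of these rows. Join the two docker.sock exploit links with `<br>` and pull the other two stray line breaks back onto their rows. A smaller consistency point in the same hunk: the Exploit column mixes `https://github.com/Xyntax/CDK/wiki/...` and `https://github.com/cdk-team/CDK/wiki/...` URLs for the same CDK wiki; pick one base URL (the rows added for `rewrite-cgroup-devices` and the `k8s-*` exploits already use `cdk-team`) so the links do not depend on a redirect.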
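Review bot: The added note `> 其他版本 Docker 修改 \`18.09.3\` 版本号即可。` in the second hunk does not say where in the install script the version appears or whether any other string (the heading `### Docker 18.09.3`, a package-version argument) must change with it. Since the version block at the top now lists `18.09.3/19.03.6`, name the exact variable or line a reader edits, and state which versions were actually installed with the modified script (19.03.6 at minimum, given the header), so the note is a verified instruction rather than a guess.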