update cgroup vulnerabilities

This commit is contained in:
Threekiii 2025-06-03 15:34:42 +08:00
parent 9a597cd7d2
commit 5d6387153c
2 changed files with 26 additions and 2 deletions

View File

@ -7,12 +7,34 @@
各组件版本如下: 各组件版本如下:
``` ```
Docker version: 18.09.3 Docker version: 18.09.3/19.03.6
minikube version: v1.35.0 minikube version: v1.35.0
Kubectl Client Version: v1.32.3 Kubectl Client Version: v1.32.3
Kubectl Server Version: v1.32.0 Kubectl Server Version: v1.32.0
``` ```
本环境可用于复现以下漏洞:
| 类别 | 漏洞名称 | CDK(v1.5.5) Exploit | 文档链接 |
| ---- | --------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 容器逃逸 | 挂载 docker.sock 导致容器逃逸 | [docker-sock-check](https://github.com/Xyntax/CDK/wiki/Exploit:-docker-sock-check)<br>[docker-sock-pwn](https://github.com/Xyntax/CDK/wiki/Exploit:-docker-sock-pwn) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%20docker.sock%20%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) |
| 容器逃逸 | 挂载 log 目录导致容器逃逸 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%20log%20%E7%9B%AE%E5%BD%95%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) |
| 容器逃逸 | 挂载宿主机 procfs 系统导致容器逃逸 | [mount-procfs](https://github.com/Xyntax/CDK/wiki/Exploit:-mount-procfs) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%E5%AE%BF%E4%B8%BB%E6%9C%BA%20procfs%20%E7%B3%BB%E7%BB%9F%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) |
| 容器逃逸 | Containerd 漏洞导致容器逃逸 CVE-2020-15257 | [shim-pwn](https://github.com/Xyntax/CDK/wiki/Exploit:-shim-pwn) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Containerd%20%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%20CVE-2020-15257.md) |
| 容器逃逸 | Docker copy 漏洞导致容器逃逸 CVE-2019-14271 | [docker-api-pwn](https://github.com/Xyntax/CDK/wiki/Exploit:-docker-api-pwn) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Docker%20copy%20%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%20CVE-2019-14271.md) |
| 容器逃逸 | 挂载重写 cgroup devices.allow 导致容器逃逸 | [rewrite-cgroup-devices](https://github.com/cdk-team/CDK/wiki/Exploit:-rewrite-cgroup-devices) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/%E6%8C%82%E8%BD%BD%E9%87%8D%E5%86%99%20cgroup%20devices.allow%20%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) |
| 容器逃逸 | Linux 内核 cgroups v1 逻辑错误导致容器逃逸 CVE-2022-0492 | [mount-cgroup](https://github.com/Xyntax/CDK/wiki/Exploit:-mount-cgroup) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Linux%20%E5%86%85%E6%A0%B8%20cgroup%20v1%20%E9%80%BB%E8%BE%91%E9%94%99%E8%AF%AF%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8%20CVE-2022-0492.md) |
| 容器逃逸 | Kubernetes privileged 特权容器导致容器逃逸 | [mount-disk](https://github.com/Xyntax/CDK/wiki/Exploit:-mount-disk) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20privileged%20%E7%89%B9%E6%9D%83%E5%AE%B9%E5%99%A8%E5%AF%BC%E8%87%B4%E5%AE%B9%E5%99%A8%E9%80%83%E9%80%B8.md) |
| 持久化 | Kubernetes 部署 Shadow API Server | [k8s-shadow-apiserver](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E9%83%A8%E7%BD%B2%20Shadow%20API%20Server.md) |
| 持久化 | Kubernetes 部署后门 CronJob | [k8s-cronjob](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-cronjob) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E9%83%A8%E7%BD%B2%E5%90%8E%E9%97%A8%20CronJob.md) |
| 持久化 | Kubernetes 部署后门 Daemonset | [k8s-backdoor-daemonset](https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset) | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E9%83%A8%E7%BD%B2%E5%90%8E%E9%97%A8%20Daemonset.md) |
| 权限提升 | Kubernetes 利用 nodes proxy 子资源进行权限提升 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20%E5%88%A9%E7%94%A8%20nodes%20proxy%20%E5%AD%90%E8%B5%84%E6%BA%90%E8%BF%9B%E8%A1%8C%E6%9D%83%E9%99%90%E6%8F%90%E5%8D%87.md) |
| 命令执行 | Docker build 漏洞导致命令执行 CVE-2019-13139 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Docker%20build%20%E6%BC%8F%E6%B4%9E%E5%AF%BC%E8%87%B4%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%20CVE-2019-13139.md) |
| 命令执行 | Docker daemon api 未授权访问漏洞 RCE | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Docker%20daemon%20api%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E%20RCE.md) |
| 命令执行 | Kubernetes Ingress-nginx admission 远程代码执行漏洞 CVE-2025-1974 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20Ingress-nginx%20admission%20%E8%BF%9C%E7%A8%8B%E4%BB%A3%E7%A0%81%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%20CVE-2025-1974.md) |
| 命令执行 | Kubernetes API Server 未授权命令执行 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20API%20Server%20%E6%9C%AA%E6%8E%88%E6%9D%83%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C.md) |
| 信息窃取 | Kubernetes etcd 未授权访问 | - | [link](https://github.com/Threekiii/Awesome-POC/blob/master/%E4%BA%91%E5%AE%89%E5%85%A8%E6%BC%8F%E6%B4%9E/Kubernetes%20etcd%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE.md) |
## 环境搭建 ## 环境搭建
### Docker 18.09.3 ### Docker 18.09.3
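Review bot: the version block now lists two Docker versions (`18.09.3/19.03.6`) but the new table never says which of the listed vulnerabilities needs which version, and the setup section that follows is still headed `### Docker 18.09.3` only; add a column or a note per row (at least for the Docker-specific CVEs, CVE-2019-14271 and CVE-2019-13139) stating the Docker version the reproduction was done on, so a reader does not build the 18.09.3 environment and then find a CVE does not apply. Two smaller points in the same hunk: the CDK exploit links mix two wiki hosts (`github.com/Xyntax/CDK/wiki/...` and `github.com/cdk-team/CDK/wiki/...`) for the same CDK v1.5.5 release, and the CVE-2022-0492 row names the issue "cgroups v1" while its document link path reads "cgroup v1"; pick one spelling and one host so the links stay consistent when the wiki moves.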
@ -64,6 +86,8 @@ echo "✅ 安装完成,当前版本:"
docker --version docker --version
``` ```
> 其他版本 Docker 修改 `18.09.3` 版本号即可。
### Kubectl v1.32.3 ### Kubectl v1.32.3
安装最新版本: 安装最新版本:
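Review bot: the added tip says any other Docker version can be installed by editing the `18.09.3` string, but the version block at the top of this file now also advertises `19.03.6`, so this is the place to spell out the exact package version string for that release and to say that the same `docker --version` check in the script above must report the expected version before any of the table's vulnerabilities are attempted; as written the tip leaves the reader to guess both the string format and whether the script was actually verified with anything other than 18.09.3.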

View File

@ -91,7 +91,7 @@ root@0c782b51c5ac:/# echo "$t/exp.sh" > $d/release_agent
![](images/Linux%20内核%20cgroup%20v1%20逻辑错误导致容器逃逸%20CVE-2022-0492/image-20250603113252638.png) ![](images/Linux%20内核%20cgroup%20v1%20逻辑错误导致容器逃逸%20CVE-2022-0492/image-20250603113252638.png)
- 第五步,e创建一个马上终止的进程,当 `w` 子组的最后一个进程退出时,将激活 `/mnt/release_agent` - 第五步,创建一个马上终止的进程,当 `w` 子组的最后一个进程退出时,将激活 `/mnt/release_agent`
``` ```
root@0c782b51c5ac:/# sh -c "echo 0 >$d/w/cgroup.procs" root@0c782b51c5ac:/# sh -c "echo 0 >$d/w/cgroup.procs"
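Review bot: the typo fix (`e创建` to `创建`) is correct and the step text now matches the command, since writing `0` to `$d/w/cgroup.procs` moves the shell's short-lived child into the `w` subgroup whose last exiting process triggers the release agent; one style point is the image path on the unchanged line above, which mixes percent-encoded spaces with raw Chinese characters, whereas the document links in the other file of this commit percent-encode the whole path, so encode it consistently to avoid broken images on renderers that do not accept raw non-ASCII in URLs.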