Date: Wed, 28 Sep 2016 08:27:15 +0000
From: 张开翔 <zhangkaixiang@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: cve-assign <cve-assign@...re.org>
Subject: CVE Request: docker2aci: Path traversals present in image converting

DESCRIPTION

This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I submitted a path traversal vulnerability to docker2aci <https://github.com/appc/docker2aci/issues/201> recently. The issue exists in image converting; there must be a possibility that it extracts embedded layer data to arbitrary directories or paths, since there is no essential check for the output file path. Could you please assign a CVE number for it? Thanks.

Source info

    tmpLayerPath := path.Join(tmpDir, layerIDs[i])
    tmpLayerPath += ".tar"
    layerFile, err := extractEmbeddedLayer(lb.file, layerIDs[i], tmpLayerPath) // no essential check on layerpath; may break out of tmpDir

Proof-of-concept

Build or download a malicious image as an archive file containing some layer files with relative names, like “../../../etc/filename”, as well as modifying the content of the corresponding json file related to it. Then run docker2aci to convert the docker image to aci. Overview of the content of the malicious image:

    ../../../etc
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/json
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/VERSION
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/layer.tar

and logs:

    tmpDir:       /tmp/docker2aci-878549369
    tmpLayerPath: /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar
    Extracting ../../../etc

then check the results: ls /etc/*.tar

    /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar

Of course, you could modify the tar file content yourself.

Best regards,
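The check the report says is missing, as an added example that is not docker2aci's own code: a Go helper that builds the same tmpDir + layerID + ".tar" path as the vulnerable line, but validates the manifest-supplied layer ID and confirms the result still lies beneath tmpDir. The function name safeLayerPath and the inputs in main are assumptions and constructed samples mirroring the report's log.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// errUnsafeLayerID is returned when an attacker-controlled layer ID from the
// image manifest would resolve outside the extraction directory.
var errUnsafeLayerID = errors.New("layer ID would escape the extraction directory")

// Layer IDs in docker's image tarball are 64 hex characters, as in the report's log.
var layerIDPattern = regexp.MustCompile(`^[0-9a-f]{64}$`)

// safeLayerPath (an assumed helper, not part of docker2aci) computes the path
// the vulnerable code computes, but rejects IDs that are not well-formed and
// then verifies the joined path is still contained in tmpDir.
func safeLayerPath(tmpDir, layerID string) (string, error) {
	if !layerIDPattern.MatchString(layerID) {
		return "", errUnsafeLayerID
	}
	base, err := filepath.Abs(tmpDir)
	if err != nil {
		return "", err
	}
	candidate := filepath.Join(base, layerID) + ".tar"
	// Defence in depth: even a valid-looking ID must not resolve above base.
	rel, err := filepath.Rel(base, candidate)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", errUnsafeLayerID
	}
	return candidate, nil
}

func main() {
	// Constructed inputs: the benign ID and the traversing one from the report.
	tmpDir := "/tmp/docker2aci-878549369"
	for _, id := range []string{
		"0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625",
		"../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625",
	} {
		p, err := safeLayerPath(tmpDir, id)
		fmt.Printf("%q -> %q, err=%v\n", id, p, err)
	}
}
```

The same containment check applies to every entry name read from the archive (the "Extracting ../../../etc" line), not only to the layer ID taken from the manifest.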
