Date: Wed, 28 Sep 2016 08:27:15 +0000
From: 张开翔 <zhangkaixiang@....cn>
To: "oss-security@...ts.openwall.com" <oss-security@...ts.openwall.com>
CC: cve-assign <cve-assign@...re.org>
Subject: CVE Request: docker2aci: Path traversals present in image converting

DESCRIPTION

This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I submitted a path traversal vulnerability to docker2aci <https://github.com/appc/docker2aci/issues/201> recently. The issue exists in image converting: there must be a possibility that it extracts embedded layer data to arbitrary directories or paths, since there is no essential check for the output file path. Could you please assign a CVE number for it? Thanks.

Source info

    tmpLayerPath := path.Join(tmpDir, layerIDs[i])
    tmpLayerPath += ".tar"
    layerFile, err := extractEmbeddedLayer(lb.file, layerIDs[i], tmpLayerPath) // without essential check for layerpath, may break out of tmpDir.

Proof-of-concept

Build or download a malicious image as an archive file, containing some layer files with relative names, like "../../../etc/filename", as well as modifying the content of some corresponding json file related to it. Then run docker2aci to convert the docker image to aci.

Overview of the content of the malicious image:

    ../../../etc
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/json
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/VERSION
    ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/layer.tar

and logs:

    tmpDir: /tmp/docker2aci-878549369
    tmpLayerPath: /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar
    Extracting ../../../etc

then check the results:

    ls /etc/*.tar
    /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar

Of course, the tar file content could be modified by yourself.

Best regards
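The missing check the report points at is a containment test on the joined layer path. The following is an added example, not docker2aci's code: SafeLayerPath is a hypothetical helper that mirrors the path.Join(tmpDir, layerID) + ".tar" step above but rejects any layer ID whose cleaned result does not stay under tmpDir; the tmpDir value and the traversal name are taken from the report's log and PoC listing.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrPathEscape is returned when a layer ID would resolve outside the base directory.
var ErrPathEscape = errors.New("layer path escapes base directory")

// SafeLayerPath joins baseDir and layerID as docker2aci did, then refuses the
// result unless it is strictly inside baseDir (lexical check after Clean).
func SafeLayerPath(baseDir, layerID string) (string, error) {
	// An absolute layer name can never be a child of baseDir.
	if filepath.IsAbs(layerID) {
		return "", ErrPathEscape
	}
	// Layer IDs are single hex digests; reject anything with separators or dot components.
	if filepath.Base(layerID) != layerID || layerID == "." || layerID == ".." {
		return "", ErrPathEscape
	}
	cleanBase := filepath.Clean(baseDir)
	joined := filepath.Join(cleanBase, layerID) // Join cleans, so any ".." is resolved here
	// Compare with a trailing separator so "/tmp/dir2" is not mistaken for a child of "/tmp/dir".
	if !strings.HasPrefix(joined, cleanBase+string(filepath.Separator)) {
		return "", ErrPathEscape
	}
	return joined + ".tar", nil
}

func main() {
	tmpDir := "/tmp/docker2aci-878549369" // value from the report's log
	for _, id := range []string{
		"0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625",
		"../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625",
	} {
		p, err := SafeLayerPath(tmpDir, id)
		fmt.Printf("%q -> path=%q err=%v\n", id, p, err)
	}
}
```

This is a lexical check on the output path only; symlinks already present under the temporary directory, and entries inside the layer tar itself, need their own checks at extraction time.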