oss-sec mailing list archives
CVE Request: docker2aci: Path traversals present in image converting
From: 张开翔 <zhangkaixiang () 360 cn>
Date: Wed, 28 Sep 2016 08:27:15 +0000
DESCRIPTION This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I submitted an path traversal vulnerability to docker2aci <https://github.com/appc/docker2aci/issues/201> recently. The issue exists in image converting, there must be a possibility that it extracts embedded layer data to arbitrary directories or paths since no essential check for the output file path. Could you please assign a CVE number for it? Thanks. Source info tmpLayerPath := path.Join(tmpDir, layerIDs[i]) tmpLayerPath += ".tar" layerFile, err := extractEmbeddedLayer(lb.file, layerIDs[i], tmpLayerPath)// without essential check for layerpath, may breakout tmpDir. Proof-of-concept Build or downloading a malicious image as an archive file, containing some layer files with relative names ,like “../../../etc/ filename”, as well modifying the content of some corresponding json file related to it. then running docker2aci to convert the docker’s image to aci. Overview of the content of malicious image: ../../../etc ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625 ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/json ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/VERSION ../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/layer.tar and logs: tmpDir: /tmp/docker2aci-878549369 tmpLayerPath: /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar Extracting ../../../etc then check the results: ls /etc/*.tar /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar Of course, the tar file content could be modified by yourself. Best regards&
Current thread:
- CVE Request: docker2aci: Path traversals present in image converting 张开翔 (Sep 28)
- Re: CVE Request: docker2aci: Path traversals present in image converting Alex Crawford (Sep 28)
- Re: CVE Request: docker2aci: Path traversals present in image converting cve-assign (Sep 28)