\u6211\u5011\u66fe\u5728\u67d0\u8d77\u653b\u64ca<\/a>\u7576\u4e2d\u767c\u73fe\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u7a0b\u5f0f\u6703\u641c\u5c0b\u53d7\u5bb3\u7684 Linux \u7cfb\u7d71\u4e0a\u662f\u5426\u6709\u5176\u4ed6\u73fe\u6709\u7684\u6316\u7926\u7a0b\u5f0f\u4e26\u5c07\u5b83\u5011\u6e05\u9664\uff0c\u85c9\u6b64\u7368\u5360\u6240\u6709\u7cfb\u7d71\u904b\u7b97\u8cc7\u6e90\u3002\u5f9e\u9019\u8d77\u653b\u64ca\u5c31\u80fd\u770b\u51fa\u6b79\u5f92\u5c0d\u65bc Docker \u548c Redis \u7684\u719f\u6089\u5ea6\uff0c\u4ed6\u5011\u5c08\u9580\u8490\u5c0b\u9019\u4e9b\u5e73\u53f0\u6240\u66b4\u9732\u7684\u61c9\u7528\u7a0b\u5f0f\u958b\u767c\u4ecb\u9762 (API)\u3002\u4e0d\u904e\u63a5\u4e0b\u4f86\u6211\u5011\u8981\u63a2\u8a0e\u7684\u662f\u4e00\u500b\u622a\u7136\u4e0d\u540c\u7684\u6848\u4f8b\uff0c\u99ed\u5ba2\u7cbe\u5fc3\u88fd\u4f5c\u4e86\u4e00\u500b\u5c08\u9580\u7528\u4f86\u8df3\u812b\u7279\u6b0a\u5bb9\u5668 (privileged container) \u7684\u60e1\u610f\u7a0b\u5f0f\uff0c\u8df3\u812b\u6210\u529f\u4e4b\u5f8c\u5c31\u80fd\u53d6\u5f97\u4e3b\u6a5f\u96fb\u8166\u7684\u6240\u6709\u7cfb\u7d71\u7ba1\u7406 (root) \u6b0a\u9650\u3002\u6709\u4e00\u9ede\u5f88\u91cd\u8981\u4e14\u9808\u6ce8\u610f\u7684\u662f\uff0cDocker \u5728\u9810\u8a2d\u60c5\u6cc1\u4e0b\u4e26\u4e0d\u6703\u81ea\u52d5\u914d\u7f6e\u7279\u6b0a\u5bb9\u5668\uff0c\u800c\u7d55\u5927\u591a\u6578\u7684 Docker \u4f7f\u7528\u8005\u6240\u7528\u7684\u90fd\u4e0d\u662f\u7279\u6b0a\u5bb9\u5668\uff0c\u9019\u4e5f\u8b49\u660e\u4f7f\u7528\u7279\u6b0a\u5bb9\u5668\u537b\u4e0d\u77e5\u5982\u4f55\u6b63\u78ba\u52a0\u4ee5\u4fdd\u8b77<\/a>\u662f\u4e0d\u667a\u4e4b\u8209\u3002<\/p>\n\n\n\n\n\n\n\n \u540c\u6a23\u7684\uff0c\u8da8\u52e2\u79d1\u6280\u5718\u968a\u6700\u8fd1\u4e5f\u9047\u5230\u4e00\u7a2e\u53ef\u8df3\u812b\u6211\u5011\u67b6\u8a2d\u7684\u8a98\u6355\u74b0\u5883\u5bb9\u5668\u7684\u653b\u64ca\u624b\u6cd5\u3002<\/p>\n\n\n\n \u6839\u64da\u8da8\u52e2\u79d1\u6280\u7684\u5206\u6790\u986f\u793a\uff0c\u99ed\u5ba2\u7684\u4f86\u6e90 IP\u4f4d\u65bc\u82f1\u570b\u548c\u6cd5\u570b\uff0c\u5176\u5728\u4e00\u53f0 Docker \u4e3b\u6a5f\u4e0a\u90e8\u7f72\u4e26\u57f7\u884c\u4e00\u500b\u60e1\u610f\u5bb9\u5668\uff0c\u5229\u7528\u4e00\u500b\u540d\u70ba\u300ccalm.sh\u300d\u7684\u6307\u4ee4\u5217\u8173\u672c\u4f86\u5165\u4fb5\uff0c\u9019\u500b\u8173\u672c\u63a5\u8457\u518d\u690d\u5165\u53e6\u4e00\u500b\u540d\u70ba\u300ccmd\u300d\u7684\u6307\u4ee4\u5217\u8173\u672c\u3002calm.sh \u6703\u547c\u53eb\u4e00\u500b\u507d\u88dd\u6210 nginx \u7684\u61c9\u7528\u7a0b\u5f0f\uff0c\u4f46\u5b83\u5176\u5be6\u662f\u4e00\u500b ELF \u683c\u5f0f<\/a> \u7684\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u7a0b\u5f0f\u3002\u99ed\u5ba2\u53ea\u662f\u5229\u7528\u300cnginx\u300d\u9019\u500b\u540d\u5b57\u4f86\u8b93\u4eba\u4ee5\u70ba\u5b83\u662f HTTP \u4f3a\u670d\u5668\uff0c\u85c9\u6b64\u907f\u4eba\u8033\u76ee\u3002<\/p>\n\n\n\n \u6211\u5011\u7684\u8a98\u6355\u74b0\u5883\u6700\u8fd1\u88ab\u4e00\u4e9b\u7db2\u8def\u6383\u63cf\u5de5\u5177\u627e\u5230\uff0c\u76ee\u524d\u9019\u985e\u6383\u63cf\u5de5\u5177\u5728\u4e00\u4e9b\u91dd\u5c0d\u5bb9\u5668\u7684\u653b\u64ca\u4e2d\u975e\u5e38\u76db\u884c\u3002\u9019\u500b\u540d\u70ba\u300czgrab\u300d\u7684\u6383\u63cf\u7a0b\u5f0f\u6703\u5c0b\u627e\u66b4\u9732\u5728\u5916\u7684\u5bb9\u5668 API\uff0c\u99ed\u5ba2\u900f\u904e\u4ee5\u4e0b\u9023\u7dda\u5728\u7cfb\u7d71\u4e0a\u90e8\u7f72\u60e1\u610f\u5bb9\u5668\u3002<\/p>\n\n\n\n \u99ed\u5ba2\u4f7f\u7528 API \u7684\u300c create\u300d\u6307\u4ee4\u5f9e\u5bb9\u5668\u767b\u9304\u62c9\u53d6 (pull) \u4e00\u500b\u540d\u70ba\u300cgin\u300d\u7684\u5bb9\u5668\u6620\u50cf\u3002\u90e8\u7f72\u6642\u66f4\u6307\u5b9a\u300cPrivileged\u300d\u9019\u500b\u53c3\u6578\uff0c\u4ee5\u4fbf\u5bb9\u5668\u8df3\u812b\u6280\u5de7\u767c\u63ee\u4f5c\u7528\u3002<\/p>\n\n\n\n \u5c31\u7b97\u6c92\u8df3\u812b\u6210\u529f\uff0c\u99ed\u5ba2\u4e5f\u6703\u8d81\u6a5f\u5728\u53d7\u5bb3\u7684\u4f3a\u670d\u5668\u4e0a\u57f7\u884c\u4e00\u500b\u865b\u64ec\u52a0\u5bc6\u8ca8\u5e63\u6316\u7926\u7a0b\u5f0f\uff0c\u9019\u985e\u7a0b\u5f0f\u4e0d\u9700\u7279\u6b0a\u5bb9\u5668\u5c31\u80fd\u57f7\u884c\u3002<\/p>\n\n\n\n \u9019\u500b\u6316\u7926\u7a0b\u5f0f\u662f\u4e00\u500b ELF \u683c\u5f0f\u7684\u6a94\u6848\uff0c\u6a94\u540d\u300cnginx\u300d\uff0c\u5b83\u540c\u6642\u4e5f\u6703\u6697\u85cf\u5728\u67d0\u500b\u60e1\u610f\u5bb9\u5668\u6620\u50cf\u7576\u4e2d\u3002\u6316\u7926\u7a0b\u5f0f\u6703\u507d\u88dd\u6210\u6b63\u5e38\u7684\u7cfb\u7d71\u670d\u52d9\u5728\u80cc\u5f8c\u5077\u5077\u8017\u5149\u5bb9\u5668\u7684\u6240\u6709\u8cc7\u6e90\u4f86\u6316\u7926\u3002<\/p>\n\n\n\n \u4e0a\u8ff0\u6848\u4f8b\u4e2d\u7684\u300cnginx\u300d\u6a94\u6848\u65e9\u5df2\u662f\u8da8\u52e2\u79d1\u6280\u5a01\u8105\u60c5\u5831\u8207\u7522\u54c1\u90fd\u5df2\u80fd\u638c\u63e1\u7684\u60e1\u610f\u7a0b\u5f0f\uff0c\u6240\u4ee5\u6211\u5011\u7684\u9632\u8b77\u5f15\u64ce\u80fd\u8fc5\u901f\u5075\u6e2c\u3002\u4e00\u822c\u4eba\u5e38\u4ee5\u70ba Linux \u4f5c\u696d\u7cfb\u7d71\u61c9\u8a72\u4e0d\u6703\u51fa\u73fe\u9019\u985e\u5a01\u8105\u548c\u98a8\u96aa\uff0c\u4f46\u7531\u65bc\u8a31\u591a\u4f01\u696d\u6a5f\u69cb\u90fd\u958b\u59cb\u79fb\u8f49\u5230\u96f2\u7aef\uff0c\u4e26\u5728\u4e00\u4e9b\u95dc\u9375\u71df\u904b\u4f5c\u696d\u7576\u4e2d\u63a1\u7528 Linux \u7cfb\u7d71\uff0c\u6240\u4ee5\u99ed\u5ba2\u5df2\u7d93\u5c07\u76ee\u5149\u8f49\u5411 Linux \u7cfb\u7d71\u3002<\/p>\n\n\n\n\u6280\u8853\u5c64\u9762\u5206\u6790<\/h2>\n\n\n\n
2019 \u5e74 7 \u6708\uff0cGoogle Security Team \u7814\u7a76\u54e1 Felix Wilhelm \u5728 Twitter \u4e0a\u767c\u6587<\/a>\u516c\u5e03\u4e86\u4e00\u7a2e\u6982\u5ff5\u9a57\u8b49 (PoC) \u653b\u64ca\u5c55\u793a\u5982\u4f55\u5229\u7528 cgroups release_agent \u529f\u80fd\u5c31\u80fd\u8f15\u800c\u6613\u8209\u8df3\u812b\u4e00\u500b Docker \u7279\u6b0a\u5bb9\u5668\uff0c\u6216 Kubernetes Pod\u3002<\/p>\n\n\n\n![\"Attack](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/b\/threat-actors-now-target-docker-via-container-escape-features\/Fig%201%20Threat%20actors%20now%20target%20Docker%20via%20container%20escape%20features.jpg\")
<\/p>\n\n\n\n![\"The](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/b\/threat-actors-now-target-docker-via-container-escape-features\/Fig%202%20Threat%20actors%20now%20target%20Docker%20via%20container%20escape%20features.png\")
<\/p>\n\n\n\n![\"Code](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/b\/threat-actors-now-target-docker-via-container-escape-features\/Fig%203%20Threat%20actors%20now%20target%20Docker%20via%20container%20escape%20features.png\")
<\/p>\n\n\n\n![\"A](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/b\/threat-actors-now-target-docker-via-container-escape-features\/Fig%204%20Threat%20actors%20now%20target%20Docker%20via%20container%20escape%20features.png\")
![\"The](\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/21\/b\/threat-actors-now-target-docker-via-container-escape-features\/Fig%205%20Threat%20actors%20now%20target%20Docker%20via%20container%20escape%20features.png\")
<\/p>\n\n\n\n\u6f0f\u6d1e\u6383\u63cf\u662f\u5426\u8db3\u4ee5\u78ba\u4fdd\u5bb9\u5668\u6620\u50cf\u5b89\u5168\uff1f<\/h2>\n\n\n\n
\u78ba\u4fdd\u5bb9\u5668\u6620\u50cf\u5b89\u5168\u7121\u865e\u7684\u4e00\u500b\u91cd\u8981\u6b65\u9a5f\u5c31\u662f\u6383\u63cf\u5bb9\u5668\u662f\u5426\u542b\u6709\u6f0f\u6d1e\u3002\u7136\u800c\uff0c\u5bb9\u5668\u5b89\u5168\u537b\u4e0d\u80fd\u55ae\u9760\u6f0f\u6d1e\u6383\u63cf\uff0c\u8cc7\u5b89\u5718\u968a\u9084\u662f\u8981\u5b9a\u671f\u6383\u63cf\u5bb9\u5668\u6620\u50cf\u5167\u662f\u5426\u542b\u6709\u60e1\u610f\u7a0b\u5f0f\u6216\u60e1\u610f\u6a94\u6848\u3002<\/p>\n\n\n\n