{"id":18771875,"url":"https://github.com/metarget/cloud-native-security-book","last_synced_at":"2025-04-04T11:16:08.390Z","repository":{"id":37397214,"uuid":"410286004","full_name":"Metarget/cloud-native-security-book","owner":"Metarget","description":"《云原生安全：攻防实践与体系构建》资料仓库","archived":false,"fork":false,"pushed_at":"2023-02-19T14:16:00.000Z","size":12629,"stargazers_count":728,"open_issues_count":2,"forks_count":127,"subscribers_count":9,"default_branch":"main","last_synced_at":"2024-12-06T13:04:15.374Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Metarget.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2021-09-25T13:56:05.000Z","updated_at":"2024-12-04T09:19:42.000Z","dependencies_parsed_at":"2024-01-07T00:08:13.736Z","dependency_job_id":null,"html_url":"https://github.com/Metarget/cloud-native-security-book","commit_stats":null,"previous_names":["brant-ruan/cloud-native-security-book"],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Metarget%2Fcloud-native-security-book","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Metarget%2Fcloud-native-security-book/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Metarget%2Fcloud-native-security-book/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Metarget%2Fcloud-native-security-book/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Metarget","download_
url":"https://codeload.github.com/Metarget/cloud-native-security-book/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247166169,"owners_count":20894654,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-07T19:27:01.563Z","updated_at":"2025-04-04T11:16:08.361Z","avatar_url":"https://github.com/Metarget.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Companion repository for 《云原生安全：攻防实践与体系构建》 (Cloud Native Security: Attack and Defense Practice and System Construction)\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://raw.githubusercontent.com/brant-ruan/cloud-native-security-book/main/images/book.jpg\" width = \"250\" height = \"317\" alt=\"\" /\u003e\n\u003c/p\u003e\n\nThis repository provides the supplementary material and companion source code for the book 《云原生安全：攻防实践与体系构建》, so that interested readers can read further and practise hands-on.\n\n**All content in this repository is for teaching and research use only. Use for illegal purposes is strictly prohibited, and violators bear the consequences themselves!**\n\nRelated links: [Douban](https://book.douban.com/subject/35640762/) | [JD.com](https://item.jd.com/13495676.html) | [Dangdang](http://product.dangdang.com/29318802.html)\n\n## Supplementary reading material\n\n- [100_云计算简介.pdf](appendix/100_云计算简介.pdf) (Introduction to cloud computing)\n- [101_代码安全.pdf](appendix/101_代码安全.pdf) (Code security)\n- [200_容器技术.pdf](appendix/200_容器技术.pdf) (Container technology)\n- [201_容器编排.pdf](appendix/201_容器编排.pdf) (Container orchestration)\n- [202_微服务.pdf](appendix/202_微服务.pdf) (Microservices)\n- [203_服务网格.pdf](appendix/203_服务网格.pdf) (Service mesh)\n- [204_DevOps.pdf](appendix/204_DevOps.pdf) (DevOps)\n- [CVE-2017-1002101：突破隔离访问宿主机文件系统.pdf](appendix/CVE-2017-1002101：突破隔离访问宿主机文件系统.pdf) (CVE-2017-1002101: breaking isolation to access the host filesystem)\n- [CVE-2018-1002103：远程代码执行与虚拟机逃逸.pdf](appendix/CVE-2018-1002103：远程代码执行与虚拟机逃逸.pdf) (CVE-2018-1002103: remote code execution and VM escape)\n- [CVE-2020-8595：Istio认证绕过.pdf](appendix/CVE-2020-8595：Istio认证绕过.pdf) (CVE-2020-8595: Istio authentication bypass)\n- [靶机实验：综合场景下的渗透实战.pdf](appendix/靶机实验：综合场景下的渗透实战.pdf) (Target-machine lab: hands-on penetration testing in a combined scenario)\n\n## Companion source code\n\n|Code directory|Description|Location in the book|\n|:-|:-|:-|\n|[0302-开发侧攻击/02-CVE-2018-15664/symlink_race/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0302-开发侧攻击/02-CVE-2018-15664/symlink_race)|Exploit code for CVE-2018-15664|Section 3.2.2|\n|[0302-开发侧攻击/03-CVE-2019-14271/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0302-开发侧攻击/03-CVE-2019-14271)|Exploit code for CVE-2019-14271|Section 3.2.3|\n|[0303-供应链攻击/01-CVE-2019-5021-alpine/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0303-供应链攻击/01-CVE-2019-5021-alpine)|Example of building a vulnerable image from an Alpine image affected by CVE-2019-5021|Section 3.3.1|\n|[0303-供应链攻击/02-CVE-2016-5195-malicious-image/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0303-供应链攻击/02-CVE-2016-5195-malicious-image)|Example of building an image that exploits CVE-2016-5195|Section 3.3.2|\n|[0304-运行时攻击/01-容器逃逸/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0304-运行时攻击/01-容器逃逸)|Several code snippets used for container escape|Section 3.4.1|\n|[0304-运行时攻击/02-安全容器逃逸/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0304-运行时攻击/02-安全容器逃逸)|Exploit code for escaping secure containers|Section 3.4.2|\n|[0304-运行时攻击/03-资源耗尽型攻击/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0304-运行时攻击/03-资源耗尽型攻击)|Example code for resource-exhaustion attacks|Section 3.4.3|\n|[0402-Kubernetes组件不安全配置/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0402-Kubernetes组件不安全配置/)|Commands for exploiting insecure Kubernetes component configurations|Section 4.2|\n|[0403-CVE-2018-1002105/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0403-CVE-2018-1002105)|Exploit code for CVE-2018-1002105|Section 4.3|\n|[0404-K8s拒绝服务攻击/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0404-K8s拒绝服务攻击/)|Exploit code for CVE-2019-11253 and CVE-2019-9512|Section 4.4|\n|[0405-云原生网络攻击/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0405-云原生网络攻击/)|Simulated network environment and example attack code for cloud-native man-in-the-middle attacks|Section 4.5|\n\n## Sharing and discussion\n\nYou are welcome to follow the WeChat official account \"绿盟科技研究通讯\" (NSFOCUS Research Newsletter), where we continuously publish high-quality research on the frontiers of information security:\n\n![Search WeChat for \"绿盟科技研究通讯\"](images/yjtx.png)\n\n## Notes\n\nSome of the source code comes from elsewhere on the internet and is archived here for readers' convenience. These sources and the places they were taken from are:\n\n1. [0302-开发侧攻击/02-CVE-2018-15664/symlink_race](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0302-开发侧攻击/02-CVE-2018-15664/symlink_race): https://seclists.org/oss-sec/2019/q2/131\n2. [0302-开发侧攻击/03-CVE-2019-14271/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0302-开发侧攻击): https://unit42.paloaltonetworks.com/docker-patched-the-most-severe-copy-vulnerability-to-date-with-cve-2019-14271/\n3. [0304-运行时攻击/01-容器逃逸/CVE-2016-5195/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0304-运行时攻击/01-容器逃逸/CVE-2016-5195): https://github.com/scumjr/dirtycow-vdso\n4. [0304-运行时攻击/01-容器逃逸/CVE-2019-5736/](https://github.com/brant-ruan/cloud-native-security-book/tree/main/code/0304-运行时攻击/01-容器逃逸/CVE-2019-5736): https://github.com/Frichetten/CVE-2019-5736-PoC\n\nThe licenses of the referenced projects and code are those of the original projects.\n\nSource code that the authors have modified is not listed here again; the book gives the source for every such reference, and interested readers can consult it.\n\n## Errata and supplementary notes\n\n### 1st edition, 3rd printing\n\n#### P56 - 3.4.1 Container escape\n\nSee [issue 9](https://github.com/Metarget/cloud-native-security-book/issues/9) for details.\n\nFuture printings will make the following two additions and corrections to the text:\n\n1. Add an explanation of why `#!/proc/self/exe` is necessary (non-dumpable -\u003e dumpable); CVE-2016-9962 could be mentioned here.\n2. State the context explicitly in the attack steps, to remove the ambiguity of \"achieving both the overwrite and the shellcode execution within a single runC execution\".\n\nThanks to reader [@XDTG](https://github.com/XDTG) for pointing this out. We will add and correct this in a later printing.\n\n#### P44 - 3.3.1 Exploiting image vulnerabilities\n\nSee [issue 8](https://github.com/Metarget/cloud-native-security-book/issues/8) for details.\n\nThe image build command at the bottom of page 44 is incomplete: it does not specify the build context directory. The correct command is as follows (note the added `.` at the end):\n\n```bash\ndocker build --network=host -t alpine:cve-2019-5021 .\n```\n\nThanks to reader [@WAY29](https://github.com/WAY29) for pointing this out. We will correct this in a later printing.\n\n#### P42 - 3.2.3 CVE-2019-14271: loading untrusted dynamic libraries\n\nSee [issue 7](https://github.com/Metarget/cloud-native-security-book/issues/7) for details.\n\nThanks to reader [@WAY29](https://github.com/WAY29) for pointing this out. To compile glibc successfully, `configure` must be run before `make`. We will correct this in a later printing.\n\n#### P42 - 3.2.3 CVE-2019-14271: loading untrusted dynamic libraries\n\nSee [issue 6](https://github.com/Metarget/cloud-native-security-book/issues/6) for details.\n\nThanks to reader [@XDTG](https://github.com/XDTG) for pointing this out. The steps in the book work as described, but the approach proposed by [@XDTG](https://github.com/XDTG) is more natural and elegant. After verifying it, we are considering updating the approach in a later printing.\n\n### 1st edition, 1st printing\n\n#### P37 - 3.2.2 CVE-2018-15664: symlink replacement vulnerability (supplementary note; the original text is not wrong)\n\nThe paragraph starting at line 8 of the body text is hard to follow:\n\n\u003e The job of symlink_swap.c is to create, inside the container, a symbolic link pointing to the root directory \"/\", and to keep swapping the names of that symbolic link (passed as a command-line argument, e.g. \"/totally_safe_path\") and a normal directory (e.g. \"/totally_safe_path-stashed\"). As a result, when docker cp is run on the host, if \"/totally_safe_path\" is first checked and found to be a normal directory, but by the time the copy operation is performed \"/totally_safe_path\" has become a symbolic link, Docker will resolve that symbolic link on the host.\n\nIn fact, inside the container, once the name swapping via renameat2 begins, `/totally_safe_path` and `/totally_safe_path-stashed` are, from our point of view, just two strings: they are no longer bound to the symbolic link or the normal directory, and only at the moment the swapping stops is it settled again which string points to which (symbolic link or directory).\n\nSo at the point in the book that reads \"As a result, when docker cp is run on the host, if ... is first ...\", the name swapping inside the container has already started. What the user (or attacker) wants to docker cp is the file or directory named `/totally_safe_path` inside the container (meaning \"a totally safe path\"); that is the expectation (or, put differently, the premise of this scenario). While docker cp is running, during the check phase the path string `/totally_safe_path` still refers to a normal directory, but by the time of the copy operation `/totally_safe_path` has been swapped to refer to a symbolic link.\n\nThanks to reader @泡泡球麻麻君 for pointing this out.\n\n#### P85 - 4.2.1 Unauthenticated access to the Kubernetes API Server (fixed in the 3rd printing of the 1st edition)\n\nThe fourth line from the bottom of the body text is ambiguous:\n\n\u003e Then an attacker can control the cluster through this port as long as it is reachable over the network.\n\nIn fact, if only `--insecure-port=8080` is set, the service listens only on `localhost`, and a remote attacker normally cannot reach it even though it is \"network reachable\" from an IP perspective. Remote control additionally requires `--insecure-bind-address=0.0.0.0` to be configured.\n\n\"Network reachable\" here is actually meant to cover two cases:\n\n1. With `--insecure-bind-address` set, the port is accessed directly from outside, i.e. the case above;\n2. localhost can be reached in some way, which in turn includes:\n    1. a local user using the service on port 8080 to escalate privileges;\n    2. remote access to the localhost port via techniques such as SSRF or DNS rebinding.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmetarget%2Fcloud-native-security-book","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmetarget%2Fcloud-native-security-book","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmetarget%2Fcloud-native-security-book/lists"}