Closed alexdu59 closed 4 years ago
Hi @alexdu59 thanks for your submission! Indeed those are 2 big oversights on my part. Thank you for pointing them out so that users are aware of them.
However this week the team will be launching the new version of Kathará that won't be using the wrapper at all.
As we're still dealing with docker, I'd be very happy if you could also take a look at the new version once it's publicly available. In the meantime keep pointing out security issues with the current version, since the new version is still somehow based on this one.
I'm leaving the issue open until the new version is out, so that it's visible.
Hi @alexdu59 , we released now the new version of Kathará.
Both the vulnerabilities you figured out are now fixed. The wrapper no longer exists and the Python code will use the Docker API to launch containers.
The need for setuid is now replaced with setgid with the "docker" group. This is needed because this software needs to run on some shared computers where the user does not have sudo access to the system (University lab computers). If we let the student user run sudo commands they could tamper with the system.
I'd be very happy if you could also take a look at the new version's code to find any new vulnerabilities.
@lorenzo93 Could you link me to the commits where the vulns have been solved?
From version 2.0.3 (check the tags on master branch or the releases).
It's basically a complete rewrite from there, so linking a specific commit would be pointless.
Hi,

Here are 2 local escalation vulnerabilities, because netkit_dw is insecure and installed as setuid root.

Vuln 1: weak string comparisons in netkit_dw.c

Exploitation:

Cause of this vulnerability: https://github.com/KatharaFramework/Kathara/blob/master/bin/wrapper/netkit_dw.c#L92, the length does not check the user-supplied length (it can be greater, but still match the comparison).

Vuln 2: no environment check in netkit_dw.c

The following command sequence allows you to get a root shell:

This is because https://github.com/KatharaFramework/Kathara/blob/master/bin/wrapper/netkit_dw.c#L207 does not check the environment (PATH variable). Any docker script in PATH will be executed as root.

Workaround

This vulnerable app should not be installed as setuid root (it's an open backdoor). Users can use sudo or become root when they need to.

Thanks for the great tool

Alex - 15DgZkqe2Ee2MjAssJjVrN9WCf4LwZGquE
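The two wrapper defects the report describes, written out as an added example in C with a hardened form beside each. This is not the project's netkit_dw.c: the command allow-list, the function names, the binary locations and the minimal environment are assumptions chosen for illustration. The first defect is a prefix comparison that accepts any longer string beginning with an allowed name; the second is resolving the program through the caller's PATH and environment, both of which a setuid binary must not trust.

```c
/*
 * Added example (not the Kathará project's code). Shows the two defects
 * described in the issue next to a hardened version of each. The ALLOWED
 * table, SAFE_ENV and the binary paths are constructed assumptions.
 */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed allow-list of commands the wrapper is permitted to run as root. */
static const char *const ALLOWED[] = { "docker", "ip", NULL };

/* Vuln 1 pattern: only the first strlen(*p) bytes are compared, so a longer
 * user-supplied string that merely starts with an allowed name also passes. */
bool allowed_weak(const char *arg)
{
    for (const char *const *p = ALLOWED; *p; p++)
        if (strncmp(arg, *p, strlen(*p)) == 0)
            return true;
    return false;
}

/* Hardened form: require an exact, full-length match against the allow-list. */
bool allowed_strict(const char *arg)
{
    for (const char *const *p = ALLOWED; *p; p++)
        if (strcmp(arg, *p) == 0)
            return true;
    return false;
}

/* Vuln 2 pattern: execvp("docker", ...) walks the caller's PATH and inherits
 * the caller's environment, both under the invoking user's control.
 * Hardened form: map the command to a fixed absolute path and give the child
 * a minimal environment constructed here, never the inherited one. */
static const char *const SAFE_ENV[] = {
    "PATH=/usr/sbin:/usr/bin:/sbin:/bin",
    "IFS= \t\n",
    NULL
};

/* Returns the absolute path to execute for an allowed command, or NULL. */
const char *resolve_command(const char *arg)
{
    if (!allowed_strict(arg))
        return NULL;
    if (strcmp(arg, "docker") == 0) return "/usr/bin/docker"; /* assumed location */
    if (strcmp(arg, "ip") == 0)     return "/sbin/ip";        /* assumed location */
    return NULL;
}

/* Privileged exec: consults neither the inherited PATH nor the inherited
 * environment. Returns -1 if the command is rejected or execve() fails. */
int run_as_root(const char *arg, char *const argv[])
{
    const char *path = resolve_command(arg);
    if (!path)
        return -1;
    execve(path, argv, (char *const *)SAFE_ENV);
    return -1; /* only reached when execve() itself failed */
}
```

The allow-list check and the path resolution are deliberately separate functions so each can be unit-tested without actually executing anything as root; `run_as_root` only reaches `execve` once both have accepted the argument.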