Closed Demuxx closed 6 years ago
Thanks for the advisory @Demuxx (and by implication @iammyr). Any hints on how this was found - by code reading or automated scanning perhaps? Do you have any concrete examples of using this gap? Can it be deployed from the docker command line for instance, or would somebody need to gain access to the grpc endpoint?
I'm wondering as that might:
docker exec
, depending on the attack mode./cc @devimc I think as the implementer of ps
?
Can it be deployed from the docker command line for instance ..
I don't think so, since we don't have support for docker top
sorry I can't reproduce it, even using exec.Command
directly
cmd := exec.Command("ps", ";ls")
cmd := exec.Command("ps", "||ls")
cmd := exec.Command("ps", "^ls")
cmd := exec.Command("ps", "&ls")
cmd := exec.Command("ps", ";", "ls")
cmd := exec.Command("ps", "||", "ls")
cmd := exec.Command("ps", "&&ls")
cmd := exec.Command("ps", "$(ls)")
cmd := exec.Command("ps", "`ls`")
.....
.....
Hi @devimc - do you mean "can't reproduce"? :)
@jodh-intel hehe yes, updating comment, thanks
This is probably me jumping the gun on vulnerability findings again. The tool used was gosec. I'm guessing this is being filtered by Go exec.Command?
Yep, false positive. Very sorry for the false alarm!
No problem - it's great that you're analysing the code! :)
... which makes me wonder...
We run gometalinter
as part of our CI: see
It would be great if you and/or @iammyr would be willing to whip up a PR to add support for running gosec
(which is supported by gometalinter
) :smile:
The grpc call to ps doesn't filter input, allowing injection of arbitrary bash commands. There should be a check of the req.Args to filter out special characters, probably whitelisting [,a-zA-Z]. Credit to @iammyr for finding this.
https://github.com/kata-containers/agent/blob/eec68398287d9491fe648a8e54fb942cf6b6d934/grpc.go#L832