RCE Vulnerability
During the workshop, we draw attention to the top-level Docker image vulnerability and explain how the base image can be upgraded. We reviewed a vulnerability and included a screenshot for the Tomcat version. In this section, we will be exploiting the version of Tomcat in the repository.
The README.md contents are fairly comprehensive about what to do. The unifying story here is how an external user can exploit a vulnerability of your application based on its use of third-party software. In this case, it is the application server Tomcat.
The exploit sets up a webform where you can run commands. Some of these commands include whoami and dpkg -l but may also include other commands that echo the contents of /etc/passwd or touch. When we run the workshop, we'll showcase a number of interesting commands including:
  • cat etc/passwd
  • touch <filename>
  • touch /etc/testfile
  • curl
These commands are representative of what attackers may use to explore what is available on your vulnerable system. They don't use ssh to access your system, but instead find a way to run shell commands to exploit your system. We recommend you try various commands to become acquainted with what is available on this vulnerable system.
When you run through the commands to patch the system and re-check, you'll see the vulnerability is no longer there. While we're running commands at the CLI, it is worth noting the contents of the file tomcat-rce.sh are:
#!/usr/bin/env bash
HOSTIP="$(ifconfig | grep -Eo 'inet (addr:)?([0-9]*\.){3}[0-9]*' | grep -Eo '([0-9]*\.){3}[0-9]*' | grep -v '127.0.0.1' | head -1):8080"
LB_HOST=$(kubectl get svc goof -o json | jq -r .status.loadBalancer.ingress[0].hostname)
if [[ "$LB_HOST" != "" ]]; then
HOSTIP=$LB_HOST
fi
echo Detected $HOSTIP as target host
docker build -t tomcat-rce tomcat-rce
alias check="docker run --rm -it tomcat-rce -u http://${HOSTIP}"
alias pwn="docker run --rm -it tomcat-rce -u http://${HOSTIP} -p pwn"
alias bounce="kubectl delete pod --selector app=goof"
alias browse="open http://${HOSTIP}"
You may be wondering what the different URL commands are and how they work. Here we recommend you review the Dockerfile to see we're building a container that is deliberately vulnerable and it is accepting parameters to perform actions on our behalf. This is because we've uploaded a file to grant us access into the container. This is because CVE-2017-12617 is an arbitrary code execution vulnerability, and we're sending in arbitrary code to run!
The solution to this vulnerability is to use a newer version of tomcat. When we patch the Dockerfile to use a newer version, the vulnerability goes away.
Export as PDF
Copy link
Edit on GitHub