来源

关联漏洞

描述

In this project, we found a recent attack through the malicious container and implemented a security mechanism to stop it.

介绍

# CVE-2019-5736-attack-and-security-mechanism
In this project, we found a recent attack through the malicious container and implemented a security mechanism to stop it.  

## **Introduction**  
Cyber-attacks have become a critical challenge for both companies and small businesses, largely due to vulnerabilities in various components of their IT resources. Understanding these threats is the first step in safeguarding an organization's data and assets. Common forms of attacks include malware, ransomware, and phishing. Recent studies highlight the increasing prevalence of attacks targeting container infrastructures. Adversaries often exploit misconfigured containers by locating them through public search engines and scanning tools.  
Thus, in this project, we have implemented an attack using a CVE-2019-5736 Docker vulnerability and identified a security mechanism to prevent an attack.  
## **Attack Implementation and Execution**  
We have used the following setup to safely implement an attack and security mechanism. On the base machine with Windows OS, the VMware workstation has been deployed with the Ubuntu 18.04 OS virtual machine. In addition, the Docker 18.03.1-ce (Runc 1.0.0-rc5) container application has been installed on the Ubuntu 18.04.  

The "usr/docker/runc" is a sensitive executable internal file that any third user should not be able to modify. However, Docker version 18.03 has the vulnerability due which it will not log the modification of the "runc" docker file; as a result, the attacker can use this vulnerability to modify the "usr/docker/runc" file and get root access to our Linux system.  

1) We create a backup of the "usr/docker/runc" file and its hash to confirm the modification of this file after the attack execution.
2) We add malicious scripts to the container setup, which will modify the "usr/docker/runc" file after a typical user runs the malformed container.
3) We built the container
4) The Attacker sets a listener on its device (in this case it is our Windows machine) for a specific port number mentioned in malicious scripts (e.g. port number 1234). Whenever the user runs that container, the attacker will be connected to the user's machine with root access.
5) We run the malformed container

As a result:  
- The attacker is connected to the user's machine with the root access privileges
- The hash value of the "usr/docker/runc" file after the attack is not equal to the backup file hash, meaning that the attack was successful

## **Security Mechanism**  
The root cause of this vulnerability is the capability of the malicious docker image to alter the “/usr/docker/runc” file and include the hostile code in the executable file.

To stop this attack from happening we use "Chattr" command to make the “/usr/docker/runc” file immutable. As a result, the exploit fails to run and there is no response on the attacker's side.  

The security mechanism we have applied indeed stops the attack, meaning that we could prevent the malicious code from exploiting the vulnerability of that specific docker file we have found. For the security mechanism, we could not use 'chmod' command because in this specific vulnerability we used, root access is granted to the attack. Thus, the "chmod" command could not prevent an attack.   

## **Summary**  
In this project we chose to implement an attack that exploited the CVE-2019-5736 vulnerability with the HIGH CVSS score, which gives and attacker remote access to the user's machine with root privileges. We successfully executed the attack and found the security mechanism to prevent it.  

Challenges:  
- Installation of older Docker version
- Modifying the available exploit code to run an attack

文件快照

 [4.0K]  /data/pocs/8f3a2bf155eeb2968f33ebc3d5931d2ce5c38333
├── [3.6K]  README.md
└── [1.5M]  Report - vulnerability exploit and security mechanism.pdf

0 directories, 2 files

备注