Change the setup so that the attacker user doesn't have sudo privileges.

kevinbackhouse · kevinbackhouse · commit 0d7ff9f71d75 · 2018-09-27T15:22:57.000+01:00
diff --git a/strongSwan/CVE-2018-5388/Dockerfile b/strongSwan/CVE-2018-5388/Dockerfile
@@ -9,6 +9,7 @@ RUN apt-get update && \
       tmux screen pkg-config libtool automake sudo libgmp-dev iptables \
       xl2tpd module-init-tools supervisor emacs gettext libcap-dev
 
+# Create a vpn group.
 RUN groupadd vpn
 RUN useradd -g vpn vpn
 
@@ -18,18 +19,12 @@ RUN cd strongswan && git checkout 5.6.2 && ./autogen.sh && \
     ./configure --with-capabilities=libcap --with-user=vpn --with-group=vpn && \
     make && make install
 
-# switch over to the 'attacker' user, since root access is no longer required
-RUN addgroup attacker --gid 1001
-RUN adduser attacker --disabled-password --uid 1001 --gid 1001
+# Create an 'attacker' user. This user will be a member of the vpn
+# group, but does not get superuser privileges.
+RUN adduser attacker
 RUN adduser attacker vpn
 
-# We need to give the "attacker" user sudo permission so that we can
-# start strongswan inside the container. The sudo privileges are not
-# used to run the exploit. For that, the attacker only needs to be a
-# member of the "vpn" group.
-RUN adduser attacker sudo
-RUN echo "attacker:x" | chpasswd  # sudo password is "x"
-
+# Switch to the attacker user and create the exploit code.
 USER attacker
 WORKDIR /home/attacker/
 
@@ -43,3 +38,7 @@ COPY stroke_patch.txt /home/attacker/stroke_patch.txt
 RUN cd strongswan && git checkout 5.6.2 && \
     git apply ../stroke_patch.txt && \
     ./autogen.sh && ./configure && make
+
+# Switch back to the root user so that we can start ipsec when we start
+# the container.
+USER root
diff --git a/strongSwan/CVE-2018-5388/README.md b/strongSwan/CVE-2018-5388/README.md
@@ -22,7 +22,7 @@ First, build the docker image:
 docker build . -t strongswan
 ```
 
-As you can see from the Dockerfile, we have installed strongSwan version 5.6.2. We have also created a user named "attacker". This user is a member of the `vpn` group, so that they can use the [stroke](https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStroke) utility to query the [charon](https://wiki.strongswan.org/projects/strongswan/wiki/Charon) daemon. The attacker user is also a member of the `sudo` group, but this is only to enable us to start `ipsec`. Superuser permissions are not used for the actual attack.
+As you can see from the Dockerfile, we have installed strongSwan version 5.6.2. We have also created a user named "attacker". This user is a member of the `vpn` group, so that they can use the [stroke](https://wiki.strongswan.org/projects/strongswan/wiki/IpsecStroke) utility to query the [charon](https://wiki.strongswan.org/projects/strongswan/wiki/Charon) daemon. The attacker does not get other special privileges though. For example, they do not have superuser privileges.
 
 Now start the container:
 
@@ -33,10 +33,16 @@ docker run --privileged -i -t strongswan
 The `--privileged` flag is needed to start `ipsec` inside the container. Do this now:
 
 ```
-sudo ipsec start  # sudo password is "x"
+ipsec start
 ```
 
-Now run the attack:
+Now switch to the attacker user account:
+
+```
+su - attacker
+```
+
+And run the attack:
 
 ```
 ./strongswan/src/stroke/.libs/stroke statusall
