|
1 | | -# Docker |
| 1 | +# Remote code execution in librelp (CVE-2018-1000140) |
2 | 2 |
|
3 | | -To build and run the Dockerfile: |
| 3 | +This directory contains a proof-of-concept exploit for a remote code execution vulnerability in [librelp](https://www.rsyslog.com/librelp/). The vulnerability was fixed in librelp version [1.2.15](https://www.rsyslog.com/librelp-1-2-15/), released on 2018-03-22. |
4 | 4 |
|
5 | | -``` |
6 | | -docker build . -t kev-rsyslog |
7 | | -docker network create -d bridge --subnet 172.25.0.0/16 kev-rsyslog-network |
8 | | -``` |
9 | | - |
10 | | -In terminal 1, start a container for the server: |
11 | | - |
12 | | -``` |
13 | | -docker run --network=kev-rsyslog-network --ip=172.25.0.10 -h rsyslog-server -i -t kev-rsyslog |
14 | | -``` |
15 | | - |
16 | | -If you want to use `gdb` to see the server crash, then start the server like this: |
17 | | - |
18 | | -``` |
19 | | -docker run --network=kev-rsyslog-network --ip=172.25.0.10 -h rsyslog-server --cap-add=SYS_PTRACE --security-opt seccomp=unconfined -i -t kev-rsyslog |
20 | | -``` |
21 | | - |
22 | | -In terminal 2, start a container for the benevolent client: |
23 | | - |
24 | | -``` |
25 | | -docker run --network=kev-rsyslog-network --ip=172.25.0.20 -h rsyslog-client -i -t kev-rsyslog |
26 | | -``` |
27 | | - |
28 | | -In the docker container for the benevolent client (terminal 1): |
29 | | - |
30 | | -``` |
31 | | -sudo rsyslogd -f benevolent/rsyslog-server.conf |
32 | | -``` |
33 | | - |
34 | | -Note: the docker image is configured so that the `sudo` password is "x". |
35 | | - |
36 | | -In the docker container for the server (terminal 2), start the benevolent client: |
37 | | - |
38 | | -``` |
39 | | -sudo rsyslogd -f benevolent/rsyslog-client.conf |
40 | | -``` |
41 | | - |
42 | | -To see that the client has connected to the server: |
43 | | - |
44 | | -``` |
45 | | -sudo netstat -ntp |
46 | | -``` |
47 | | - |
48 | | -This will show something like this: |
49 | | - |
50 | | -``` |
51 | | -Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name |
52 | | -tcp 90 0 172.25.0.20:38866 172.25.0.10:2514 ESTABLISHED 28/rsyslogd |
53 | | -``` |
54 | | - |
55 | | -In terminal 3, start a container for the malicious client: |
56 | | - |
57 | | -``` |
58 | | -docker run --network=kev-rsyslog-network --ip=172.25.0.30 -h rsyslog-client -i -t kev-rsyslog |
59 | | -``` |
60 | | - |
61 | | -In the docker container for the malicious client (terminal 3): |
62 | | - |
63 | | -``` |
64 | | -sudo rsyslogd -f malicious/rsyslog-client.conf |
65 | | -``` |
66 | | - |
67 | | - |
68 | | -Instructions for using TLS with rsyslog: |
69 | | - |
70 | | -https://www.rsyslog.com/using-tls-with-relp/ |
| 5 | +For more information about the vulnerability and for instructions on how to run the proof-of-concept exploit, please see our blog post which is published on both [Rainer Gerhards's blog](https://rainer.gerhards.net/how-we-found-and-fixed-cve-in-librelp) and on the [LGTM blog](https://lgtm.com/blog/rsyslog_snprintf_CVE-2018-1000140). |
0 commit comments