Major security issue with Kathará install on Debian for some lessons use cases should be acknowledged

Open b3 opened this issue 2 years ago • 1 comments

Kathará depends mainly on docker in its basic installation.

On Debian (as on other distributions, I guess) using docker is often done by using a docker group which has full root privileges (as stated in https://docs.docker.com/engine/install/linux-postinstall/ for instance). Debian itself advises against using this approach, for instance in its wiki on docker. With such use, gaining root privileges on the host is trivial.

I guess Kathará is used a lot in classes for network lessons.

When using Kathará in such classes, and where students shouldn't have root privileges (because they share access to hosts with others, for instance), maybe it should be acknowledged somewhere in Kathará's wiki or Kathará's main man page that this use should be avoided.

One of the solutions which could be presented is to run Kathará (and thus docker) inside a full virtual machine (some KVM/Qemu or VirtualBox ones for instance).

b3 avatar Sep 09 '22 23:09 b3

Hi @b3,

this is not how Kathará is designed.

We release Kathará in two different forms:

  1. The PIP package. In that case the user needs to be in the docker group or root group in order to run Kathará.
  2. The compiled packages. This is the option to install Kathará in a shared environment where the user does NOT have access to the administration of the machine.

In this second case, Kathará is compiled as a binary package, to avoid tampering with the source code, and inserted in a folder where only the root account has writing privileges (again, to avoid tampering with the code).
https://github.com/KatharaFramework/Kathara/blob/6a563b824daba676ccd444828b8b36a57b1e19b6/scripts/Linux-Deb/debian/rules#L24

To execute Kathará, the main binary has the SGID (Set Group ID) bit set.
https://github.com/KatharaFramework/Kathara/blob/6a563b824daba676ccd444828b8b36a57b1e19b6/scripts/Linux-Deb/debian/kathara.postinst#L9

In this way, when an unprivileged user launches the kathara command, it is executed as if it were part of the docker group, allowing it to run docker containers. To keep this constraint and avoid privilege escalation with the kathara binary, we request the user to be root if the container needs to be executed in privileged mode, and we disallow the mount of directories outside the user home (so, for example, it is not possible to mount the /etc directory and change the host settings).

At the moment, we don't know of any way to circumvent these constraints and use the Kathará binary to do privilege escalation and gain access to the host machine. We also use Kathará in a shared university campus, where the students do not have root access, so if you find any way to circumvent the constraints, please let us know :)

lorenzo93 avatar Sep 10 '22 11:09 lorenzo93
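
An added example, not part of the thread and not Kathará's own code: a Python audit an administrator of a shared host could run to confirm the layout described in the comment above (SGID bit set, binary owned by the expected group, binary and its parent folders writable only by the trusted account). The function name, the install-root argument and the command-line usage are assumptions; the actual install path is not stated on this page.

```python
import grp
import os
import stat
import sys


def audit_sgid_binary(binary, tree_root, group_gid, trusted_uid=0):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    binary = os.path.realpath(binary)
    tree_root = os.path.realpath(tree_root)
    if os.path.commonpath([binary, tree_root]) != tree_root:
        return [f"{binary} is not inside {tree_root}"]

    st = os.stat(binary)
    if not st.st_mode & stat.S_ISGID:
        findings.append(f"{binary}: SGID bit is not set")
    if st.st_gid != group_gid:
        findings.append(f"{binary}: group is gid {st.st_gid}, expected {group_gid}")

    # The binary and every directory above it, up to tree_root, must be
    # owned by the trusted account and not writable by group or others.
    path = binary
    while True:
        st = os.stat(path)
        if st.st_uid != trusted_uid:
            findings.append(f"{path}: owned by uid {st.st_uid}, expected {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others")
        if path == tree_root:
            break
        path = os.path.dirname(path)
    return findings


if __name__ == "__main__":
    # Assumed usage: audit.py <path-to-kathara-binary> <install-root>
    target, root = sys.argv[1], sys.argv[2]
    problems = audit_sgid_binary(target, root, grp.getgrnam("docker").gr_gid)
    print("\n".join(problems) or "layout matches the described constraints")
    sys.exit(1 if problems else 0)
```
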

Hi all,

I'm closing this due to inactivity.

@b3 feel free to re-open the issue, if needed.

Tommaso.

tcaiazzi avatar Oct 03 '22 10:10 tcaiazzi