Metarget = meta- + target, a framework providing automatic constructions of vulnerable infrastructures, used to deploy simple or complicated vulnerable cloud native targets swiftly and automatically.
During security researches, we might find that the deployment of vulnerable environment often takes much time, while the time spent on testing PoC or ExP is comparatively short. In the field of cloud native security, thanks to the complexity of cloud native systems, this issue is more terrible.
There are already some excellent security projects like Vulhub, VulApps in the open-source community, which pack vulnerable scenes into container images, so that researchers could utilize them and deploy scenes quickly.
However, these projects mainly focus on vulnerabilities in applications. What if we need to study the vulnerabilities in the infrastructures like Docker, Kubernetes and even Linux kernel?
Hence, we develop Metarget and hope to solve the deployment issue above to some extent. Furthermore, we also expect that Metarget could help to construct multilayer vulnerable cloud native scenes automatically.
In this project, we come up with concepts like installing vulnerabilities and installing vulnerable scenes. Why not install vulnerabilities just like installing softwares? We can do that, because our goals are security research and offensive security.
To be exact, we expect that:
metarget cnv install cve-2019-5736will install Docker with CVE-2019-5736 onto the server.metarget cnv install cve-2018-1002105will install Kubernetes with CVE-2018-1002105 onto the server.metarget cnv install kata-escape-2020will install Kata-containers with CVE-2020-2023/2025/2026 onto the server.metarget cnv install cve-2016-5195will install a kernel with DirtyCoW into the server.
It's cool, right? No more steps. No RTFM. Execute one command and enjoy your coffee.
Furthermore, we expect that:
- with Metarget's help, ethical hackers are able to deploy simple or complicated cloud native targets swiftly and learn by hacking cloud native environments.
metarget appv install dvwawill install a DVWA target onto our vulnerable infrastructure.metarget appv install thinkphp-5-0-23-rce --externalwill install a ThinkPHP RCE vulnerability withNodePortservice onto our vulnerable infrastructure.
You can just run 5 commands below after installing a new Ubuntu and obtain a multi-layer vulnerable scene:
./metarget cnv install cve-2016-5195 # container escape with dirtyCoW
./metarget cnv install cve-2019-5736 # container escape with docker
./metarget cnv install cve-2018-1002105 # kubernetes single-node cluster with cve-2018-1002105
./metarget cnv install privileged-container # deploy a privileged container
./metarget appv install dvwa --external # deploy dvwa targetRCE, container escape, lateral movement, persistence, they are yours now.
More awesome functions are coming! Stay tuned :)
Note:
This project aims to provide vulnerable scenes for security research. The security of scenes generated is not guaranteed. It is NOT recommended to deploy components or scenes with Metarget on the Internet.
- Ubuntu 16.04 or 18.04 (recommended)
- for some cases (e.g. new kernel vulnerabilities) specific Ubuntu distributions are needed
- you can read the note for specific vulnerabilities (prompted by an asterisk (*)) for details
- Python >= 3.6 (Python 2.x is unsupported!)
- pip3
Clone the repository and install requirements:
git clone https://github.com/brant-ruan/metarget.git
cd metarget/
pip3 install -r requirements.txtBegin to use Metarget and construct vulnerable scenes. For example:
./metarget cnv install cve-2019-5736Currently unsupported.
Metarget needs to be run as root.
It is recommended to add --verbose option when debugging.
usage: metarget [-h] [-v] subcommand ...
automatic constructions of vulnerable infrastructures
positional arguments:
subcommand description
gadget cloud native gadgets (docker/k8s/...) management
cnv cloud native vulnerabilities management
appv application vulnerabilities management
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
Run ./metarget gadget list to see cloud native components supported currently.
usage: metarget gadget [-h] subcommand ...
positional arguments:
subcommand description
list list supported gadgets
install install gadgets
remove uninstall gadgets
optional arguments:
-h, --help show this help message and exit
Run:
./metarget gadget install docker --version 18.03.1If the command above completes successfully, 18.03.1 Docker will be installed.
Run:
./metarget gadget install k8s --version 1.16.5If the command above completes successfully, 1.16.5 Kubernetes single-node cluster will be installed.
Note:
Usually, lots of options need to be configured in Kubernetes. As a security research project, Metarget provides some options for installation of Kubernetes:
-v VERSION, --version VERSION
gadget version
--cni-plugin CNI_PLUGIN
cni plugin, flannel by default
--pod-network-cidr POD_NETWORK_CIDR
pod network cidr, default cidr for each plugin by
default
--taint-master taint master node or not
Metarget supports deployment of multi-node cluster. If you want to add more nodes into the cluster, you can copy tools/install_k8s_worker.sh script and run it on each worker nodes after the successful installation of single-node cluster.
Run:
./metarget gadget install kata --version 1.10.0If the command above completes successfully, 1.10.0 Kata-containers will be installed.
Note:
You can also specify the type of kata runtime (qemu/clh/fc/...) with --kata-runtime-type option, which is qemu by default.
Run:
./metarget gadget install kernel --version 5.7.5If the command above completes successfully, 5.7.5 kernel will be installed.
Note:
Currently, Metarget installs kernels in 2 ways:
- apt
- if apt package is not available, download *.deb remotely from Ubuntu and try to install
After successful installation of kernel, reboot of system is needed. Metarget will prompt to reboot automatically.
usage: metarget cnv [-h] subcommand ...
positional arguments:
subcommand description
list list supported cloud native vulnerabilities
install install cloud native vulnerabilities
remove uninstall cloud native vulnerabilities
optional arguments:
-h, --help show this help message and exit
Run ./metarget cnv list to see vulnerable scenes related to cloud native components supported currently.
Run:
./metarget cnv install cve-2019-5736If the command above completes successfully, Docker with CVE-2019-5736 will be installed。
Run:
./metarget cnv install cve-2018-1002105If the command above completes successfully, Kubernetes with CVE-2018-1002105 will be installed。
Run:
./metarget cnv install kata-escape-2020If the command above completes successfully, Kata-containers with CVE-2020-2023/2025/2026 will be installed。
Run:
./metarget cnv install cve-2016-5195If the command above completes successfully, kernel with CVE-2016-5195 will be installed。
usage: metarget appv [-h] subcommand ...
positional arguments:
subcommand description
list list supported application vulnerabilities
install install application vulnerabilities
remove uninstall application vulnerabilities
optional arguments:
-h, --help show this help message and exit
Run ./metarget appv list to see vulnerable scenes related to cloud native applications supported currently.
Note:
Before deploying application vulnerable scenes, you should install Docker and Kubernetes firstly. You can use Metarget to install Docker and Kubernetes.
Run:
./metarget appv install dvwaIf the command above completes successfully, DVWA will be deployed as Deployment and Service resources in current Kubernetes.
Note:
- You can specify
--externaloption, then the service will be exposed asNodePort, so that you can visit it by IP of the host node (By default, the type of service isClusterIP). - You can specify
--host-netoption, then the appv will share the host network namespace. - You can specify
--host-pidoption, then the appv will share the host pid namespace.
Depending on the user's network environment, ubuntu version, and Docker version, one-click installation of the vulnerability environment through automated scripts still occasionally fails, so we provide the vulnerability environment image for the first time.
Run the following command to build the target vulnerability environment image:
sudo docker build -t vuln-docker-24.0.7 -f vuln-docker-24.0.7 .Run the following command to run the target vulnerability environment image:
docker run vuln-XXXDeveloping, currently not supported.
If there is an asterisk (*) following the name of one vulnerable scene, you need to read the note related to it below the whole table for further details.
| Name | Class | Type | CVSS 3.x | Writeup | ATT&CK map |
|---|---|---|---|---|---|
| cve-2018-15664 | docker | container_escape | 7.5 | privilege escalation/escape to host Persistence/escape to host Lateral movement/escape to host Defense Bypass/Build an image on the host |
|
| cve-2019-13139 | docker | command_execution | 8.4 | link | |
| cve-2019-14271 | docker | container_escape | 9.8 | link | |
| cve-2020-15257 | docker/containerd | container_escape | 5.2 | link | |
| cve-2019-5736 | docker/runc | container_escape | 8.6 | ||
| cve-2019-16884 | docker/runc | container_escape | 7.5 | ||
| cve-2021-30465* | docker/runc | container_escape | 7.6 | link | |
| cve-2024-21626 | docker/runc | container_escape | 8.6 | ||
| cve-2017-1002101 | k8s | container_escape | 9.6 | link | |
| cve-2018-1002105 | k8s | privilege_escalation | 9.8 | ||
| cve-2018-1002100 | k8s/kubectl | container_escape | 5.5 | ||
| cve-2019-1002101 | k8s/kubectl | container_escape | 5.5 | ||
| cve-2019-11246 | k8s/kubectl | container_escape | 6.5 | ||
| cve-2019-11249 | k8s/kubectl | container_escape | 6.5 | ||
| cve-2019-11251 | k8s/kubectl | container_escape | 5.7 | ||
| cve-2019-11253 | k8s | denial_of_service | 7.5 | ||
| cve-2019-9512 | k8s | denial_of_service | 7.5 | ||
| cve-2019-9514 | k8s | denial_of_service | 7.5 | ||
| cve-2019-9946 | k8s | traffic_interception | 7.5 | ||
| cve-2020-8554 | k8s | man_in_the_middle | 5.0 | ||
| cve-2020-10749 | k8s/kubernetes-cni | man_in_the_middle | 6.0 | ||
| cve-2020-8555 | k8s | server_side_request_forgery | 6.3 | ||
| cve-2020-8557 | k8s | denial_of_service | 5.5 | ||
| cve-2020-8558 | k8s | exposure_of_service | 8.8 | ||
| cve-2020-8559 | k8s | privilege_escalation | 6.8 | ||
| cve-2021-25741 | k8s | container_escape | 8.1 | ||
| cve-2016-5195 | kernel | container_escape | 7.8 | ||
| cve-2016-8655 | kernel | privilege_escalation | 7.8 | ||
| cve-2017-6074 | kernel | privilege_escalation | 7.8 | ||
| cve-2017-7308 | kernel | container_escape | 7.8 | link | |
| cve-2017-16995 | kernel | privilege_escalation | 7.8 | ||
| cve-2017-1000112 | kernel | container_escape | 7.0 | link | |
| cve-2018-18955 | kernel | privilege_escalation | 7.0 | ||
| cve-2020-14386 | kernel | container_escape | 7.8 | ||
| cve-2021-3493 | kernel | privilege_escalation | 7.8 | link | |
| cve-2021-4204 | kernel | privilege_escalation | - | ||
| cve-2021-22555 | kernel | container_escape | 7.8 | ||
| cve-2022-0185 | kernel | container_escape | 8.4 | ||
| cve-2022-0492 | kernel | container_escape | 7.8 | link | |
| cve-2022-0847 | kernel | container_escape | 7.8 | link | |
| cve-2022-0995* | kernel | privilege_escalation | 7.1 | ||
| cve-2022-25636* | kernel | privilege_escalation | 7.8 | ||
| cve-2022-23222 | kernel | privilege_escalation | 7.8 | ||
| cve-2022-27666* | kernel | privilege_escalation | 7.8 | ||
| cve-2023-3269* | kernel | privilege_escalation | 7.8 | ||
| kata-escape-2020 | kata-containers | container_escape | 6.3/8.8/8.8 | ||
| cve-2020-27151 | kata-containers | container_escape | 8.8 | ||
| cap_dac_read_search-container | config | container_escape | - | link | |
| cap_sys_admin-container | config | container_escape | - | ||
| cap_sys_ptrace-container | config | container_escape | - | ||
| cap_sys_module-container | config | container_escape | - | link | |
| privileged-container | config | container_escape | - | link | |
| k8s_backdoor_daemonset | config | persistence | - | link | |
| k8s_backdoor_cronjob | config | persistence | - | link | |
| k8s_shadow_apiserver | config | persistence | - | link | |
| k8s_node_proxy | config | privilege_escalation | - | link | |
| mount-docker-sock | mount | container_escape | - | link | |
| mount-host-etc | mount | container_escape | - | ||
| mount-host-procfs | mount | container_escape | - | link | |
| mount-var-log | mount | container_escape | - | link |
Note:
- Currently writeups are in Chinese.
- It is recommended to add
--verboseoption when debugging. - You might find that some kernel vulnerabilities are marked as
privilege_escalation, while otherscontainer_escape. The essential difference is the payload (get a shell with high privilege or escape first).- Thanks to default security mechanisms (e.g. Seccomp, Capabilities) in containers, some kernel vulnerabilities may be hard or almost not to exploit.
- Hence, vulnerabilities are marked as
container_escapeif we could reproduce the whole process with Metarget, others temporarily marked asprivilege_escalation.
- For cve-2021-30465, after
cnv install cve-2021-30465(which installs Docker),- you'd better install a K8s manually, for exploitation (e.g.
cnv install cve-2018-1002105orgadget install k8s --version 1.16.5with Metarget).
- you'd better install a K8s manually, for exploitation (e.g.
- For kernel vulnerabilities below, Ubuntu 21.10 is needed to run Metarget (tested):
- cve-2022-0995
- cve-2022-25636
- cve-2022-27666
These scenes are mainly derived from other open-source projects:
We express sincere gratitude to projects above!
Metarget converts scenes in projects above to Deployments and Services resources in Kubernetes (thanks to kompose).
To list vulnerable scenes related to cloud native applications supported by Metarget, just run:
./metarget appv listNote:
- For the deployment of Confluence's vulnerability CVE-2019-3396, you may refer to Vulhub, while the address of PostgreSQL should be
cve-2019-3396-db, notdbin Vulhub.
- deployments of basic cloud native components (docker, k8s)
- integrations of vulnerable scenes related to cloud native components
- integrations of RCE scenes in containers
- cloud native vulnerable images
- automatic construction of multi-node cloud native target cluster
- integration of complex cloud native application vulnerability scenarios
- integrations of other cloud native vulnerable scenes (long term)
One of Metarget's goals is to facilitate more rapid construction of vulnerable environments when vulnerabilities occur. Also, it could be used to construct all the integrated vulnerable scenes whenever you want.
To keep Metarget up-to-date, the vulnerable scenes lists (both cnv and appv) will be maintained.
YAML is used in Metarget to describe & integrate vulnerable scenes. Currently, scenes in two layers, cnv (in vulns_cn/) and appv (in vulns_app/), are supported.
Maintenance from the community is appreciated and welcome. Hope that we can gather and share our knowledge and researches in the context of Metarget, and promote the development of cloud native security.
Currently, you can contribute to Metarget in two ways:
- Submit YAML files of new cloud native vulnerabilities (cnv).
- Submit YAML files of new cloud native application vulnerabilities (appv).
Please see CONTRIBUTING.md for details.
9 Collaboration (Contact us at lvzhizheng@nsfocus.com)
We eagerly welcome collaboration with universities, research institutions, and other academic entities! Metarget is dedicated to being an ideal experimental platform for cutting-edge research in the field of cloud-native security. We believe that cloud-native security will be a forefront topic in the future of network security, and Metarget provides an ideal research environment for this.
Through our robust and flexible framework, you can delve into the security challenges of cloud-native environments, discover and explore innovative solutions, and contribute your expertise and findings to the entire industry's development.
Metarget offers the following distinctive support to collaborators:
-
Diverse experimental scenarios: Utilize Metarget to effortlessly build various vulnerable cloud-native target environments, covering a spectrum of experiment scenarios from simple to complex, such as cloud-native e-commerce platform and cloud-native online course system.
-
cloud native vulnerable images: Without any scripting assistance, the vulnerability environment is readily available
-
Support for multiple versions of Kernel, Kubernetes, and other cloud-native components: Metarget consistently updates to support the latest versions of components, ensuring that you can use the latest technologies in your experiments.
-
Customization of Ubuntu versions: We will tailor Ubuntu versions based on your experimental requirements, providing you with a more flexible experimental environment configuration.
-
Automatic generation of multi-node cloud-native clusters: Metarget offers the functionality to automatically create multi-node cloud-native target clusters, enhancing the realism and depth of your research.
-
...
Joining Metarget provides you with comprehensive technical support and abundant collaboration opportunities, allowing you to explore the forefront of cloud-native security and contribute your unique insights to the future development of network security. We look forward to your participation in collectively shaping a new chapter in cybersecurity research!
It is not a Kubernetes, but a vulnerable infrastructure with three gears which could not work well (vulnerable) :)
Metarget is licensed under Apache License 2.0. See LICENSE for the full license text.
- Topic: Metarget: Auto-construction of Vulnerable Cloud Native Infrastructure
- Video: https://www.youtube.com/watch?v=43UvCHjn8wA
- PPT: OID-Asia-2021-Metarget.pdf
- Topic: Metarget:构建云原生基础设施靶场
- PPT: OID-China-2021-Metarget.pdf
- Topic: 构建云原生基础设施靶场
- Paper: Security Challenges in the Container Cloud
- PDF: TPS21.pdf
- Topic: 攻方视角:从开源靶场看云原生安全
- PPT: CSDN云原生安全技术峰会-2022-攻方视角:从开源靶场看云原生安全.pdf
- Paper: PACED: Provenance-based Automated Container Escape Detection
- PDF: IC2E-2022.PACED.pdf
- Topic: Metarget: 云原生安全研究与自动化
- URL: https://cis.freebuf.com