Metarget is a framework providing automatic constructions of vulnerable cloud native infrastructures.
1 Introduction
Metarget = meta- + target, a framework providing automatic constructions of vulnerable infrastructures, used to deploy simple or complicated vulnerable cloud native targets swiftly and automatically.
1.1 Why Metarget?
During security research, we often find that deploying a vulnerable environment takes much time, while the time spent on testing a PoC or exploit is comparatively short. In the field of cloud native security, because of the complexity of cloud native systems, this issue is even worse.
There are already some excellent security projects like Vulhub and VulApps in the open-source community, which pack vulnerable scenes into container images so that researchers can utilize them and deploy scenes quickly.
However, these projects mainly focus on vulnerabilities in applications. What if we need to study vulnerabilities in infrastructure like Docker, Kubernetes and even the Linux kernel?
Hence, we developed Metarget and hope to solve the deployment issue above to some extent. Furthermore, we also expect that Metarget can help to construct multilayer vulnerable cloud native scenes automatically.
1.2 Install Vulnerability!
In this project, we come up with concepts like installing vulnerabilities and installing vulnerable scenes. Why not install vulnerabilities just like installing software? We can do that, because our goals are security research and offensive security.
To be exact, we expect that:
metarget cnv install cve-2019-5736
will install Docker with CVE-2019-5736 onto the server.
metarget cnv install cve-2018-1002105
will install Kubernetes with CVE-2018-1002105 onto the server.
metarget cnv install kata-escape-2020
will install Kata-containers with CVE-2020-2023/2025/2026 onto the server.
metarget cnv install cve-2016-5195
will install a kernel with DirtyCoW onto the server.
It's cool, right? No more steps. No RTFM. Execute one command and enjoy your coffee.
Furthermore, we expect that:
metarget appv install dvwa
will install a DVWA target onto our vulnerable infrastructure.
metarget appv install thinkphp-5-0-23-rce --external
will install a ThinkPHP RCE vulnerability with a NodePort service onto our vulnerable infrastructure.
You can just run the 5 commands below after installing a fresh Ubuntu and obtain a multi-layer vulnerable scene:
./metarget cnv install cve-2016-5195 # container escape with dirtyCoW
./metarget cnv install cve-2019-5736 # container escape with docker
./metarget cnv install cve-2018-1002105 # kubernetes single-node cluster with cve-2018-1002105
./metarget cnv install privileged-container # deploy a privileged container
./metarget appv install dvwa --external # deploy dvwa target
RCE, container escape, lateral movement, persistence, they are yours now.
More awesome functions are coming! Stay tuned :)
Note:
This project aims to provide vulnerable scenes for security research. The security of scenes generated is not guaranteed. It is NOT recommended to deploy components or scenes with Metarget on the Internet.
2 Installation
2.1 Requirements
Clone the repository and install requirements:
git clone https://github.com/brant-ruan/metarget.git
cd metarget/
pip3 install -r requirements.txt
Begin to use Metarget and construct vulnerable scenes. For example:
./metarget cnv install cve-2019-5736
2.3 From PyPI
Currently unsupported.
3 Usage
Metarget needs to be run as root.
It is recommended to add the --verbose option when debugging.
3.1 Basic Usage
usage: metarget [-h] [-v] subcommand ...
automatic constructions of vulnerable infrastructures
positional arguments:
subcommand description
gadget cloud native gadgets (docker/k8s/...) management
cnv cloud native vulnerabilities management
appv application vulnerabilities management
optional arguments:
-h, --help show this help message and exit
-v, --version show program's version number and exit
Run ./metarget gadget list to see the cloud native components currently supported.
3.2 Manage Cloud Native Components
usage: metarget gadget [-h] subcommand ...
positional arguments:
subcommand description
list list supported gadgets
install install gadgets
remove uninstall gadgets
optional arguments:
-h, --help show this help message and exit
3.2.1 Case: Install Docker with Specified Version
Run:
./metarget gadget install docker --version 18.03.1
If the command above completes successfully, Docker 18.03.1 will be installed.
3.2.2 Case: Install Kubernetes with Specified Version
Run:
./metarget gadget install k8s --version 1.16.5
If the command above completes successfully, a Kubernetes 1.16.5 single-node cluster will be installed.
Note:
Usually, lots of options need to be configured in Kubernetes. As a security research project, Metarget provides some options for installation of Kubernetes:
-v VERSION, --version VERSION
gadget version
--cni-plugin CNI_PLUGIN
cni plugin, flannel by default
--pod-network-cidr POD_NETWORK_CIDR
pod network cidr, default cidr for each plugin by
default
--taint-master taint master node or not
Metarget supports deployment of multi-node clusters. If you want to add more nodes to the cluster, you can copy the tools/install_k8s_worker.sh script and run it on each worker node after the successful installation of the single-node cluster.
3.2.3 Case: Install Kata-containers with Specified Version
Run:
./metarget gadget install kata --version 1.10.0
If the command above completes successfully, Kata-containers 1.10.0 will be installed.
Note:
You can also specify the type of kata runtime (qemu/clh/fc/...) with the --kata-runtime-type option, which is qemu by default.
3.2.4 Case: Install Linux Kernel with Specified Version
Run:
./metarget gadget install kernel --version 5.7.5
If the command above completes successfully, kernel 5.7.5 will be installed.
Note:
Currently, Metarget installs kernels in 2 ways:
After successful installation of the kernel, a system reboot is needed. Metarget will prompt to reboot automatically.
3.3 Manage Vulnerable Scenes Related to Cloud Native Components
usage: metarget cnv [-h] subcommand ...
positional arguments:
subcommand description
list list supported cloud native vulnerabilities
install install cloud native vulnerabilities
remove uninstall cloud native vulnerabilities
optional arguments:
-h, --help show this help message and exit
Run ./metarget cnv list to see the currently supported vulnerable scenes related to cloud native components.
3.3.1 Case: CVE-2019-5736
Run:
./metarget cnv install cve-2019-5736
If the command above completes successfully, Docker with CVE-2019-5736 will be installed.
3.3.2 Case: CVE-2018-1002105
Run:
./metarget cnv install cve-2018-1002105
If the command above completes successfully, Kubernetes with CVE-2018-1002105 will be installed.
3.3.3 Case: Kata-containers Escape
Run:
./metarget cnv install kata-escape-2020
If the command above completes successfully, Kata-containers with CVE-2020-2023/2025/2026 will be installed.
3.3.4 Case: CVE-2016-5195
Run:
./metarget cnv install cve-2016-5195
If the command above completes successfully, a kernel with CVE-2016-5195 will be installed.
3.4 Manage Vulnerable Scenes Related to Cloud Native Applications
usage: metarget appv [-h] subcommand ...
positional arguments:
subcommand description
list list supported application vulnerabilities
install install application vulnerabilities
remove uninstall application vulnerabilities
optional arguments:
-h, --help show this help message and exit
Run ./metarget appv list to see the currently supported vulnerable scenes related to cloud native applications.
Note:
Before deploying application vulnerable scenes, you should install Docker and Kubernetes first. You can use Metarget to install Docker and Kubernetes.
3.4.1 Case: DVWA
Run:
./metarget appv install dvwa
If the command above completes successfully, DVWA will be deployed as Deployment and Service resources in the current Kubernetes cluster.
Note:
With the --external option, the service will be exposed as NodePort, so that you can visit it by the IP of the host node (by default, the type of the service is ClusterIP).
With the --host-net option, the appv will share the host network namespace.
With the --host-pid option, the appv will share the host pid namespace.
3.5 Manage Vulnerable Cloud Native Target Cluster
Developing, currently not supported.
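To see what the appv options from 3.4.1 (and the config/mount scenes listed in 4.1) actually expose on a node, here is a small audit over the Deployment and Service a scene produces, so a research box can be checked before it is left running. This is an added example, not Metarget's own code; the manifests are constructed to mirror what appv install dvwa --external --host-net --host-pid is described to produce, with a placeholder image name, since the page does not show Metarget's generated YAML. Objects are handled as plain dicts (the shape kubectl get -o json returns), so no YAML library is needed.

```python
"""Audit a Deployment/Service pair for the host-exposure settings Metarget's
appv options (--external, --host-net, --host-pid) and its cnv config/mount
scenes introduce. Added example, not Metarget's code; manifests are constructed."""

# hostPath targets and capabilities matching the cnv mount-*/cap_*-container scenes
SENSITIVE_HOST_PATHS = {"/var/run/docker.sock": "mount-docker-sock", "/etc": "mount-host-etc",
                        "/proc": "mount-host-procfs", "/var/log": "mount-var-log"}
SENSITIVE_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH"}


def audit_scene(deployment, service):
    """Return (setting, detail) findings; an empty list means nothing host-facing."""
    findings = []
    svc = service.get("spec", {})
    if svc.get("type") == "NodePort":  # what --external produces
        ports = [p.get("nodePort") for p in svc.get("ports", [])]
        findings.append(("NodePort", f"reachable on every node IP, nodePorts {ports}"))
    pod = deployment["spec"]["template"]["spec"]
    for flag in ("hostNetwork", "hostPID", "hostIPC"):  # --host-net / --host-pid (hostIPC for completeness)
        if pod.get(flag):
            findings.append((flag, "pod shares this host namespace"))
    for vol in pod.get("volumes", []):
        path = (vol.get("hostPath") or {}).get("path", "")
        scene = SENSITIVE_HOST_PATHS.get(path.rstrip("/") or path)
        if scene:
            findings.append(("hostPath", f"{path} mounted (cf. cnv scene {scene})"))
    for c in pod.get("containers", []):
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("privileged", f"container {c['name']} (cf. privileged-container)"))
        caps = set((sc.get("capabilities") or {}).get("add", [])) & SENSITIVE_CAPS
        if caps:
            findings.append(("capabilities", f"container {c['name']} adds {sorted(caps)}"))
    return findings


# Constructed sample mirroring `appv install dvwa --external --host-net --host-pid`
DVWA_DEPLOYMENT = {"kind": "Deployment", "metadata": {"name": "dvwa"}, "spec": {"template": {"spec": {
    "hostNetwork": True, "hostPID": True,
    "containers": [{"name": "dvwa", "image": "dvwa-image-placeholder"}]}}}}
DVWA_SERVICE = {"kind": "Service", "metadata": {"name": "dvwa"},
                "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}}

if __name__ == "__main__":
    for setting, detail in audit_scene(DVWA_DEPLOYMENT, DVWA_SERVICE):
        print(f"[{setting}] {detail}")
```

An empty result is the baseline a plain appv install dvwa (ClusterIP, no host namespaces) should give; anything listed is a reason to keep the box off the Internet, as the project's own note advises.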
4 Scene List
4.1 Vulnerable Scenes Related to Cloud Native Components
If there is an asterisk (*) following the name of one vulnerable scene, you need to read the note related to it below the whole table for further details.
Name                           Class               Type                         CVSS 3.x  Writeup*
cve-2018-15664                 docker              container_escape             7.5
cve-2019-13139                 docker              command_execution            8.4       link
cve-2019-14271                 docker              container_escape             9.8       link
cve-2020-15257                 docker/containerd   container_escape             5.2       link
cve-2019-5736                  docker/runc         container_escape             8.6
cve-2019-16884                 docker/runc         container_escape             7.5
cve-2021-30465*                docker/runc         container_escape             7.6       link
cve-2017-1002101               k8s                 container_escape             9.6       link
cve-2018-1002105               k8s                 privilege_escalation         9.8
cve-2018-1002100               k8s/kubectl         container_escape             5.5
cve-2019-1002101               k8s/kubectl         container_escape             5.5
cve-2019-11246                 k8s/kubectl         container_escape             6.5
cve-2019-11249                 k8s/kubectl         container_escape             6.5
cve-2019-11251                 k8s/kubectl         container_escape             5.7
cve-2019-11253                 k8s                 denial_of_service            7.5
cve-2019-9512                  k8s                 denial_of_service            7.5
cve-2019-9514                  k8s                 denial_of_service            7.5
cve-2019-9946                  k8s                 traffic_interception         7.5
cve-2020-8554                  k8s                 man_in_the_middle            5.0
cve-2020-10749                 k8s/kubernetes-cni  man_in_the_middle            6.0
cve-2020-8555                  k8s                 server_side_request_forgery  6.3
cve-2020-8557                  k8s                 denial_of_service            5.5
cve-2020-8558                  k8s                 exposure_of_service          8.8
cve-2020-8559                  k8s                 privilege_escalation         6.8
cve-2021-25741                 k8s                 container_escape             8.1
cve-2016-5195                  kernel              container_escape             7.8
cve-2016-8655                  kernel              privilege_escalation         7.8
cve-2017-6074                  kernel              privilege_escalation         7.8
cve-2017-7308                  kernel              container_escape             7.8       link
cve-2017-16995                 kernel              privilege_escalation         7.8
cve-2017-1000112               kernel              container_escape             7.0       link
cve-2018-18955                 kernel              privilege_escalation         7.0
cve-2020-14386                 kernel              container_escape             7.8
cve-2021-3493                  kernel              privilege_escalation         7.8       link
cve-2021-4204                  kernel              privilege_escalation         -
cve-2021-22555                 kernel              container_escape             7.8
cve-2022-0185                  kernel              container_escape             8.4
cve-2022-0492                  kernel              container_escape             7.8       link
cve-2022-0847                  kernel              container_escape             7.8       link
cve-2022-0995*                 kernel              privilege_escalation         7.1
cve-2022-25636*                kernel              privilege_escalation         7.8
cve-2022-23222                 kernel              privilege_escalation         7.8
cve-2022-27666*                kernel              privilege_escalation         7.8
kata-escape-2020               kata-containers     container_escape
cap_dac_read_search-container  config
cap_sys_admin-container        config
cap_sys_ptrace-container       config
cap_sys_module-container       config
privileged-container           config
k8s_backdoor_daemonset         config
k8s_backdoor_cronjob           config
k8s_shadow_apiserver           config
k8s_node_proxy                 config
mount-docker-sock              mount
mount-host-etc                 mount
mount-host-procfs              mount
mount-var-log                  mount
Note:
It is recommended to add the --verbose option when debugging.
Some scenes are marked as privilege_escalation, while others as container_escape. The essential difference is the payload (get a shell with high privilege, or escape first).
Scenes are marked as container_escape if we could reproduce the whole process with Metarget; others are temporarily marked as privilege_escalation.
cnv install cve-2021-30465 (which installs Docker),
cnv install cve-2018-1002105 or gadget install k8s --version 1.16.5 with Metarget).
These scenes are mainly derived from other open-source projects:
We express sincere gratitude to projects above!
Metarget converts scenes in projects above to Deployments and Services resources in Kubernetes (thanks to kompose).
To list vulnerable scenes related to cloud native applications supported by Metarget, just run:
./metarget appv list
Note:
cve-2019-3396-db, not db in Vulhub.
5 DEMO
6 Development Plan
7 Maintainers
8 Contribution
One of Metarget's goals is to facilitate more rapid construction of vulnerable environments when vulnerabilities occur. Also, it could be used to construct all the integrated vulnerable scenes whenever you want.
To keep Metarget up-to-date, the vulnerable scene lists (both cnv and appv) will be maintained.
YAML is used in Metarget to describe and integrate vulnerable scenes. Currently, scenes in two layers, cnv (in vulns_cn/) and appv (in vulns_app/), are supported.
Maintenance from the community is appreciated and welcome. We hope that we can gather and share our knowledge and research in the context of Metarget, and promote the development of cloud native security.
Currently, you can contribute to Metarget in two ways:
Please see CONTRIBUTING.md for details.
9 About Logo
It is not a Kubernetes, but a vulnerable infrastructure with three gears which could not work well (vulnerable) :)
10 License
Metarget is licensed under Apache License 2.0. See LICENSE for the full license text.
11 Events
KCon 2021 Arsenal
OpenInfra Days Asia 2021
OpenInfra Days China 2021
CCF BDTC 2021
Reference in Paper (IEEE TPS-ISA 2021)
CSDN Cloud Native Security Summit 2022
Reference in Paper (IC2E 2022)
CIS 2022
Metarget Joins CNCF Landscape