<p align="center"> <img src="images/metarget-logo.svg" alt="metarget-logo" height="250" /> </p>

1 Introduction

Metarget = meta- + target, a framework providing automatic constructions of vulnerable infrastructures, used to deploy simple or complicated vulnerable cloud native targets swiftly and automatically.

1.1 Why Metarget?

During security research, deploying a vulnerable environment often takes a long time, while the time spent testing a PoC or ExP is comparatively short. In cloud native security, the complexity of cloud native systems makes this problem even worse.

The open-source community already has excellent security projects such as Vulhub and VulApps, which pack vulnerable scenes into container images so that researchers can deploy them quickly.

However, these projects mainly focus on vulnerabilities in applications. What if we need to study vulnerabilities in infrastructure such as Docker, Kubernetes and even the Linux kernel?

Hence, we developed Metarget, hoping to solve the deployment issue above to some extent. Furthermore, we expect that Metarget can help to construct multilayer vulnerable cloud native scenes automatically.

1.2 Install Vulnerability!

In this project, we introduce the concepts of installing vulnerabilities and installing vulnerable scenes. Why not install vulnerabilities just like installing software? We can do that, because our goals are security research and offensive security.

To be exact, we expect that:

It's cool, right? No more steps. No RTFM. Execute one command and enjoy your coffee.

Furthermore, we expect that:

You can just run 5 commands below after installing a new Ubuntu and obtain a multi-layer vulnerable scene:

./metarget cnv install cve-2016-5195 # container escape with dirtyCoW
./metarget cnv install cve-2019-5736 # container escape with docker
./metarget cnv install cve-2018-1002105 # kubernetes single-node cluster with cve-2018-1002105
./metarget cnv install privileged-container # deploy a privileged container
./metarget appv install dvwa --external # deploy dvwa target

RCE, container escape, lateral movement, persistence, they are yours now.

More awesome functions are coming! Stay tuned :)

Note:

This project aims to provide vulnerable scenes for security research. The security of scenes generated is not guaranteed. It is NOT recommended to deploy components or scenes with Metarget on the Internet.

2 Installation

2.1 Requirements

2.2 From Source

Clone the repository and install requirements:

git clone https://github.com/brant-ruan/metarget.git
cd metarget/
pip3 install -r requirements.txt

Begin to use Metarget and construct vulnerable scenes. For example:

./metarget cnv install cve-2019-5736

2.3 From PyPI

Currently unsupported.

3 Usage

Metarget needs to be run as root.

It is recommended to add the --verbose option when debugging.

3.1 Basic Usage

usage: metarget [-h] [-v] subcommand ...

automatic constructions of vulnerable infrastructures

positional arguments:
  subcommand     description
    gadget       cloud native gadgets (docker/k8s/...) management
    cnv          cloud native vulnerabilities management
    appv         application vulnerabilities management

optional arguments:
  -h, --help     show this help message and exit
  -v, --version  show program's version number and exit

Run ./metarget gadget list to see cloud native components supported currently.

3.2 Manage Cloud Native Components

usage: metarget gadget [-h] subcommand ...

positional arguments:
  subcommand  description
    list      list supported gadgets
    install   install gadgets
    remove    uninstall gadgets

optional arguments:
  -h, --help  show this help message and exit

3.2.1 Case: Install Docker with Specified Version

Run:

./metarget gadget install docker --version 18.03.1

If the command above completes successfully, Docker 18.03.1 will be installed.

3.2.2 Case: Install Kubernetes with Specified Version

Run:

./metarget gadget install k8s --version 1.16.5

If the command above completes successfully, a Kubernetes 1.16.5 single-node cluster will be installed.

Note:

Usually, lots of options need to be configured in Kubernetes. As a security research project, Metarget provides some options for installation of Kubernetes:

  -v VERSION, --version VERSION
                        gadget version
  --cni-plugin CNI_PLUGIN
                        cni plugin, flannel by default
  --pod-network-cidr POD_NETWORK_CIDR
                        pod network cidr, default cidr for each plugin by
                        default
  --taint-master        taint master node or not

Metarget supports deployment of multi-node clusters. To add more nodes to the cluster, copy the tools/install_k8s_worker.sh script to each worker node and run it there after the single-node cluster has been installed successfully.

3.2.3 Case: Install Kata-containers with Specified Version

Run:

./metarget gadget install kata --version 1.10.0

If the command above completes successfully, Kata-containers 1.10.0 will be installed.

Note:

You can also specify the type of kata runtime (qemu/clh/fc/...) with --kata-runtime-type option, which is qemu by default.

3.2.4 Case: Install Linux Kernel with Specified Version

Run:

./metarget gadget install kernel --version 5.7.5

If the command above completes successfully, kernel 5.7.5 will be installed.

Note:

Currently, Metarget installs kernels in 2 ways:

  1. apt
  2. if apt package is not available, download *.deb remotely from Ubuntu and try to install

After successful installation of kernel, reboot of system is needed. Metarget will prompt to reboot automatically.

3.3 Manage Vulnerable Scenes Related to Cloud Native Components

usage: metarget cnv [-h] subcommand ...

positional arguments:
  subcommand  description
    list      list supported cloud native vulnerabilities
    install   install cloud native vulnerabilities
    remove    uninstall cloud native vulnerabilities

optional arguments:
  -h, --help  show this help message and exit

Run ./metarget cnv list to see vulnerable scenes related to cloud native components supported currently.

3.3.1 Case: CVE-2019-5736

Run:

./metarget cnv install cve-2019-5736

If the command above completes successfully, Docker with CVE-2019-5736 will be installed.

3.3.2 Case: CVE-2018-1002105

Run:

./metarget cnv install cve-2018-1002105

If the command above completes successfully, Kubernetes with CVE-2018-1002105 will be installed.

3.3.3 Case: Kata-containers Escape

Run:

./metarget cnv install kata-escape-2020

If the command above completes successfully, Kata-containers with CVE-2020-2023/2025/2026 will be installed.

3.3.4 Case: CVE-2016-5195

Run:

./metarget cnv install cve-2016-5195

If the command above completes successfully, a kernel with CVE-2016-5195 will be installed.

3.4 Manage Vulnerable Scenes Related to Cloud Native Applications

usage: metarget appv [-h] subcommand ...

positional arguments:
  subcommand  description
    list      list supported application vulnerabilities
    install   install application vulnerabilities
    remove    uninstall application vulnerabilities

optional arguments:
  -h, --help  show this help message and exit

Run ./metarget appv list to see vulnerable scenes related to cloud native applications supported currently.

Note:

Before deploying vulnerable application scenes, you should install Docker and Kubernetes first. You can use Metarget to install Docker and Kubernetes.

3.4.1 Case: DVWA

Run:

./metarget appv install dvwa

If the command above completes successfully, DVWA will be deployed as Deployment and Service resources in current Kubernetes.
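An added example (not part of Metarget or its documentation) supporting the note in 1.2 about keeping scenes off the Internet: because appv scenes are created as Service resources, it lists the Services that are reachable from outside the cluster network. The sample JSON, including its namespace, names, ports and addresses, is constructed; in a live lab, feed the script the output of `kubectl get services --all-namespaces -o json` on stdin.

```python
import json
import sys

# Constructed sample shaped like `kubectl get services --all-namespaces -o json`
# output; namespace, names, ports and addresses are made up for this example.
SAMPLE_SERVICES_JSON = """
{"items": [
  {"metadata": {"namespace": "default", "name": "kubernetes"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 443}]}},
  {"metadata": {"namespace": "metarget", "name": "dvwa"},
   "spec": {"type": "NodePort", "ports": [{"port": 80, "nodePort": 30080}]}},
  {"metadata": {"namespace": "metarget", "name": "lab-app"},
   "spec": {"type": "ClusterIP", "externalIPs": ["192.0.2.10"],
            "ports": [{"port": 8080}]}}
]}
"""


def exposed_services(services_json):
    """Return one finding per Service reachable from outside the cluster network."""
    findings = []
    for svc in json.loads(services_json).get("items", []):
        meta = svc.get("metadata", {})
        spec = svc.get("spec", {})
        reasons = []
        svc_type = spec.get("type", "ClusterIP")
        # NodePort and LoadBalancer Services listen on node or external addresses.
        if svc_type in ("NodePort", "LoadBalancer"):
            reasons.append("type=" + svc_type)
        # externalIPs exposes even a ClusterIP Service on the listed addresses.
        if spec.get("externalIPs"):
            reasons.append("externalIPs=" + ",".join(spec["externalIPs"]))
        if not reasons:
            continue
        # Report the node port when one is allocated, else the service port.
        ports = [p.get("nodePort", p.get("port")) for p in spec.get("ports", [])]
        findings.append({
            "service": "{}/{}".format(meta.get("namespace"), meta.get("name")),
            "reasons": reasons,
            "ports": ports,
        })
    return findings


if __name__ == "__main__":
    # Use piped kubectl output when present, otherwise the constructed sample.
    raw = SAMPLE_SERVICES_JSON if sys.stdin.isatty() else sys.stdin.read()
    for f in exposed_services(raw):
        print(f["service"], ", ".join(f["reasons"]), f["ports"])
```

Any Service it reports should be reachable only from the lab network, for example by restricting the listed ports in the host firewall.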

Note:

3.5 Vulnerability environment image

Depending on the user's network environment, Ubuntu version, and Docker version, one-click installation of a vulnerable environment through the automated scripts still occasionally fails, so, for the first time, we provide vulnerable environment images.

Run the following command to build the target vulnerability environment image:

sudo docker build -t vuln-docker-24.0.7 -f vuln-docker-24.0.7 .

Run the following command to run the target vulnerability environment image:

docker run vuln-XXX

3.6 Manage Vulnerable Cloud Native Target Cluster

Under development; currently not supported.

4 Scene List

4.1 Vulnerable Scenes Related to Cloud Native Components

If there is an asterisk (*) following the name of one vulnerable scene, you need to read the note related to it below the whole table for further details.

| Name | Class | Type | CVSS 3.x | Writeup | ATT&CK map |
|---|---|---|---|---|---|
| cve-2018-15664 | docker | container_escape | 7.5 | | privilege escalation/escape to host <br> Persistence/escape to host <br> Lateral movement/escape to host <br> Defense Bypass/Build an image on the host |
| cve-2019-13139 | docker | command_execution | 8.4 | link | |
| cve-2019-14271 | docker | container_escape | 9.8 | link | |
| cve-2020-15257 | docker/containerd | container_escape | 5.2 | link | |
| cve-2019-5736 | docker/runc | container_escape | 8.6 | | |
| cve-2019-16884 | docker/runc | container_escape | 7.5 | | |
| cve-2021-30465* | docker/runc | container_escape | 7.6 | link | |
| cve-2024-21626 | docker/runc | container_escape | 8.6 | | |
| cve-2017-1002101 | k8s | container_escape | 9.6 | link | |
| cve-2018-1002105 | k8s | privilege_escalation | 9.8 | | |
| cve-2018-1002100 | k8s/kubectl | container_escape | 5.5 | | |
| cve-2019-1002101 | k8s/kubectl | container_escape | 5.5 | | |
| cve-2019-11246 | k8s/kubectl | container_escape | 6.5 | | |
| cve-2019-11249 | k8s/kubectl | container_escape | 6.5 | | |
| cve-2019-11251 | k8s/kubectl | container_escape | 5.7 | | |
| cve-2019-11253 | k8s | denial_of_service | 7.5 | | |
| cve-2019-9512 | k8s | denial_of_service | 7.5 | | |
| cve-2019-9514 | k8s | denial_of_service | 7.5 | | |
| cve-2019-9946 | k8s | traffic_interception | 7.5 | | |
| cve-2020-8554 | k8s | man_in_the_middle | 5.0 | | |
| cve-2020-10749 | k8s/kubernetes-cni | man_in_the_middle | 6.0 | | |
| cve-2020-8555 | k8s | server_side_request_forgery | 6.3 | | |
| cve-2020-8557 | k8s | denial_of_service | 5.5 | | |
| cve-2020-8558 | k8s | exposure_of_service | 8.8 | | |
| cve-2020-8559 | k8s | privilege_escalation | 6.8 | | |
| cve-2021-25741 | k8s | container_escape | 8.1 | | |
| cve-2016-5195 | kernel | container_escape | 7.8 | | |
| cve-2016-8655 | kernel | privilege_escalation | 7.8 | | |
| cve-2017-6074 | kernel | privilege_escalation | 7.8 | | |
| cve-2017-7308 | kernel | container_escape | 7.8 | link | |
| cve-2017-16995 | kernel | privilege_escalation | 7.8 | | |
| cve-2017-1000112 | kernel | container_escape | 7.0 | link | |
| cve-2018-18955 | kernel | privilege_escalation | 7.0 | | |
| cve-2020-14386 | kernel | container_escape | 7.8 | | |
| cve-2021-3493 | kernel | privilege_escalation | 7.8 | link | |
| cve-2021-4204 | kernel | privilege_escalation | - | | |
| cve-2021-22555 | kernel | container_escape | 7.8 | | |
| cve-2022-0185 | kernel | container_escape | 8.4 | | |
| cve-2022-0492 | kernel | container_escape | 7.8 | link | |
| cve-2022-0847 | kernel | container_escape | 7.8 | link | |
| cve-2022-0995* | kernel | privilege_escalation | 7.1 | | |
| cve-2022-25636* | kernel | privilege_escalation | 7.8 | | |
| cve-2022-23222 | kernel | privilege_escalation | 7.8 | | |
| cve-2022-27666* | kernel | privilege_escalation | 7.8 | | |
| cve-2023-3269* | kernel | privilege_escalation | 7.8 | | |
| kata-escape-2020 | kata-containers | container_escape | 6.3/8.8/8.8 | | |
| cve-2020-27151 | kata-containers | container_escape | 8.8 | | |
| cap_dac_read_search-container | config | container_escape | - | link | |
| cap_sys_admin-container | config | container_escape | - | | |
| cap_sys_ptrace-container | config | container_escape | - | | |
| cap_sys_module-container | config | container_escape | - | link | |
| privileged-container | config | container_escape | - | link | |
| k8s_backdoor_daemonset | config | persistence | - | link | |
| k8s_backdoor_cronjob | config | persistence | - | link | |
| k8s_shadow_apiserver | config | persistence | - | link | |
| k8s_node_proxy | config | privilege_escalation | - | link | |
| mount-docker-sock | mount | container_escape | - | link | |
| mount-host-etc | mount | container_escape | - | | |
| mount-host-procfs | mount | container_escape | - | link | |
| mount-var-log | mount | container_escape | - | link | |

Note:

4.2 Vulnerable Scenes Related to Cloud Native Applications

These scenes are mainly derived from other open-source projects:

We express sincere gratitude to projects above!

Metarget converts scenes in projects above to Deployments and Services resources in Kubernetes (thanks to kompose).

To list vulnerable scenes related to cloud native applications supported by Metarget, just run:

./metarget appv list

Note:

5 DEMO

asciicast

6 Development Plan

7 Maintainers

8 Contribution

One of Metarget's goals is to facilitate more rapid construction of vulnerable environments when vulnerabilities occur. Also, it could be used to construct all the integrated vulnerable scenes whenever you want.

To keep Metarget up-to-date, the vulnerable scenes lists (both cnv and appv) will be maintained.

YAML is used in Metarget to describe & integrate vulnerable scenes. Currently, scenes in two layers, cnv (in vulns_cn/) and appv (in vulns_app/), are supported.

Maintenance from the community is appreciated and welcome. We hope that we can gather and share our knowledge and research in the context of Metarget, and promote the development of cloud native security.

Currently, you can contribute to Metarget in two ways:

  1. Submit YAML files of new cloud native vulnerabilities (cnv).
  2. Submit YAML files of new cloud native application vulnerabilities (appv).

Please see CONTRIBUTING.md for details.

9 Collaboration (Contact us at lvzhizheng@nsfocus.com)

We eagerly welcome collaboration with universities, research institutions, and other academic entities! Metarget is dedicated to being an ideal experimental platform for cutting-edge research in the field of cloud-native security. We believe that cloud-native security will be a forefront topic in the future of network security, and Metarget provides an ideal research environment for this.

Through our robust and flexible framework, you can delve into the security challenges of cloud-native environments, discover and explore innovative solutions, and contribute your expertise and findings to the entire industry's development.

Metarget offers the following distinctive support to collaborators:

  1. Diverse experimental scenarios: Utilize Metarget to effortlessly build various vulnerable cloud-native target environments, covering a spectrum of experiment scenarios from simple to complex, such as cloud-native e-commerce platform and cloud-native online course system.

  2. Cloud native vulnerable images: Without any scripting assistance, the vulnerability environment is readily available.

  3. Support for multiple versions of Kernel, Kubernetes, and other cloud-native components: Metarget consistently updates to support the latest versions of components, ensuring that you can use the latest technologies in your experiments.

  4. Customization of Ubuntu versions: We will tailor Ubuntu versions based on your experimental requirements, providing you with a more flexible experimental environment configuration.

  5. Automatic generation of multi-node cloud-native clusters: Metarget offers the functionality to automatically create multi-node cloud-native target clusters, enhancing the realism and depth of your research.

  6. ...

Joining Metarget provides you with comprehensive technical support and abundant collaboration opportunities, allowing you to explore the forefront of cloud-native security and contribute your unique insights to the future development of network security. We look forward to your participation in collectively shaping a new chapter in cybersecurity research!

10 About Logo

It is not a Kubernetes, but a vulnerable infrastructure with three gears which could not work well (vulnerable) :)

10 License

Metarget is licensed under Apache License 2.0. See LICENSE for the full license text.

11 Events

KCon 2021 Arsenal

OpenInfra Days Asia 2021

OpenInfra Days China 2021

CCF BDTC 2021

Reference in Paper (IEEE TPS-ISA 2021)

CSDN Cloud Native Security Summit 2022

Reference in Paper (IC2E 2022)

CIS 2022

Metarget Joins CNCF Landscape

KCD Shanghai 2024