支持本站 — 捐款将帮助我们持续运营

目标: 1000 元,已筹: 1000

100.0%
立即捐款

POC详情: 457748f32ce62c9b2389cef885f5edd31d0fb7f2

来源
https://github.com/Betep0k/CVE-2021-25741
关联漏洞
标题:Kubernetes 输入验证错误漏洞 (CVE-2021-25741)
Description:Kubernetes是美国Linux基金会的一套开源的Docker容器集群管理系统。该系统为容器化的应用提供资源调度、部署运行、服务发现和扩容缩容等功能。 kubernetes 存在安全漏洞,攻击者可利用该漏洞通过创建具有精心编制的子路径卷装载的pod,以访问卷外的文件和目录,包括主机节点的文件系统上的文件和目录
Description
Exploit for CVE-2021-25741 vulnerability
介绍
## About

It's exploit for CVE-2021-25741 vulnerability.
This vulnerability allows to mount Node filesystem inside of new POD with read-write privileges. 

You can read more about the vulnerability here: 

https://security.googleblog.com/2021/12/exploring-container-security-storage.html

I'm not author of this vulnerability and just made an exploit. 

Thanks to [@russtone](https://github.com/russtone) and [@maximusfox](https://github.com/maximusfox) for the help with development of the exploit. 

### Conditions

1. **You have privileges to create new PODs**
2. **Nodes have vulnerable kubelet**

Vulnerable versions of the kubelet: 
- v1.22.0 - v1.22.1
- v1.21.0 - v1.21.4
- v1.20.0 - v1.20.10
- <= v1.19.14

## How to use 

Just run run.sh and wait :) Exploiting will take some time (for me it was 10-20 minutes) because it's based on the race condition. 

```
chmod +x run.sh; ./run.sh
```

![](./.github/assets/screenshot-1.png)

When you get message "Success" you can attach to the POD and find Node filesystem in `/mnt/data` directory.
For attaching you can use next command:

```
kubectl exec -i -t cve202125741 -c mount-container -- /bin/sh
```

![](./.github/assets/screenshot-2.png)

## Technical Details

Exploit has 2 parts:

 - **pod.yaml**
	> YAML file with pod configuration that exploits vulnerability. Because of race conidition it doesn't work every time, so you should do it in a loop.
 - **run.sh**
 	> Scripts that deploys pod.yaml, checks result and re-deploy it if it's required. 

As renameat2 binary with RENAME_EXCHANGE option I used this code: https://gist.github.com/eatnumber1/f97ac7dad7b1f5a9721f

You can compile it by yourself and replace in `pod.yaml` if you want:

```
gcc renameat2.c -o renameat2
base64 renameat2
```

## Troubleshooting 

### I don't have kubectl in a system

Solutions:
 1. Just download it from official website and push to your system
 2. If it's not possible then you need to rewrite run.sh and send HTTP requests directly to Kubernetes API without using of kubectl

 ### I don't have privileges to run /bin/sh on the POD

 Solutions:
 1. You can try to bind /bin/sh to TCP Port and connect to this port. 
 2. You can edit pod.yaml and add required commands. It will be executed in the deploy process.
文件快照

 [4.0K]  /data/pocs/457748f32ce62c9b2389cef885f5edd31d0fb7f2
├── [1.0K]  LICENSE
├── [ 23K]  pod.yaml
├── [2.2K]  README.md
└── [ 364]  run.sh

0 directories, 4 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。