cyberark / kubeletctl

A client for kubelet

Scan RCE not working as intended

frankvoelker opened this issue

Summary

kubeletctl scan rce -s SERVER is not showing "+" in the RCE column even though I can RCE

Steps to Reproduce

  1. Set up a microk8s cluster for testing
  2. Allow anonymous Kubelet API access
  3. Try to access https://SERVER:10250/pods to check for pods-json
  4. If you are allowed to see pods-json, try to scan with kubeletctl scan rce -s SERVER
  5. Also check if you can execute commands

Expected Results

If I am allowed to kubeletctl exec "ls /" -c CONTAINER -p POD -s SERVER, I should see a + in the "scan RCE" list

Actual Results

I have only "-" signs on kubeletctl scan rce -s SERVER, but I can execute code

┌───────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                    Node with pods vulnerable to RCE                                   │
├───┬───────────┬─────────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│   │ NODE IP   │ PODS                                    │ NAMESPACE   │ CONTAINERS              │ RCE │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│   │           │                                         │             │                         │ RUN │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.0.2.15 │ website-k8s-675dd9956d-qj58f            │ default     │ website-k8s             │ -   │
└───┴───────────┴─────────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘

It shows "-" in the RCE column, but if I try to execute code I can:

┌──(root@kali)-[/home/kali]
└─# kubeletctl exec "ls /" -p website-k8s-675dd9956d-qj58f -c website-k8s -s 10.0.2.15
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr

I also saw in the source code that there is a POST request to check manually, and this is my output:

┌──(root@kali)-[/home/kali]
└─# curl -k -XPOST https://10.0.2.15:10250/run/default/website-k8s-675dd9956d-qj58f/website-k8s -d "cmd=ls /"
rpc error: code = Unknown desc = failed to exec in container: failed to start exec "2766ae987637b8f679d7f68cbe02868c5dad0af36a08e8ed961825a274ac444d": OCI runtime exec failed: exec failed: unable to start container process: exec: "": executable file not found in $PATH: unknown       

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

Version 1.11

Environment setup

  • Running in self-hosted Linux (Debian) VirtualBox and installed MicroK8S
  • Which cloud provider? Which container orchestrator (including version)?

Thank you, we will check it.

We found the problem and fixed it. It will be updated in the next release.
For now, you can clone the current repository and build it.