forked from Ne0nd0g/merlin
-
Notifications
You must be signed in to change notification settings - Fork 116
Var Log Escape
yanivyakobovich edited this page Jan 17, 2022
·
1 revision
A pod running as root and with a mount point to the /var/log directory within the host can expose the entire contents of its host filesystem to any user who has access to its logs.
info:
Blog info - https://blog.aquasec.com/kubernetes-security-pod-escape-log-mounts
Exploit small poc - https://hackerone.com/reports/1036886
Requirements:
- Running as root inside the container
- Kubernetes token with permission to query the nodes logs
- Pod with a hostPath
/var/logmount to the container
Exploit:
- Symlink in the exploit pod (
ln -s / /var/log/host/root_link)from/var/log/host/root_linkto/ - Send http request to kubelet logs end point which expose the entire root file system of the host
Wish to contribute module?
Exploit Module Guide
- cGroup Breakout
- Mount Breakout
- DockerSock Breakout
- Kubelet Attack
- Var Log Escape
- Kernel Module Breakout
Other Modules