Scan RCE not working as intended #40

Closed
frankvoelker opened this issue Apr 26, 2024 · 2 comments

frankvoelker commented Apr 26, 2024

Summary

kubeletctl scan rce -s SERVER is not showing "+" in the RCE column even though I can RCE.

Steps to Reproduce

  1. Set up a microk8s cluster for testing
  2. Allow anonymous Kubelet API access
  3. Try to access https://SERVER:10250/pods to check for pods-json
  4. If you are allowed to see pods-json, try to scan with kubeletctl scan rce -s SERVER
  5. Also check if you can execute commands

Expected Results

If I am allowed to run kubeletctl exec "ls /" -c CONTAINER -p POD -s SERVER, I should see a + in the "scan RCE" list.

Actual Results

I get only "-" signs from kubeletctl scan rce -s SERVER, but I can execute code.

┌───────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                    Node with pods vulnerable to RCE                                   │
├───┬───────────┬─────────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│   │ NODE IP   │ PODS                                    │ NAMESPACE   │ CONTAINERS              │ RCE │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│   │           │                                         │             │                         │ RUN │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.0.2.15 │ website-k8s-675dd9956d-qj58f            │ default     │ website-k8s             │ -   │
└───┴───────────┴─────────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘

It shows "-" in the RCE column, but if I try to execute code, I can:

┌──(root@kali)-[/home/kali]
└─# kubeletctl exec "ls /" -p website-k8s-675dd9956d-qj58f -c website-k8s -s 10.0.2.15
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr

I also saw in the source code that there is a POST request to check manually, and this is my output:

┌──(root@kali)-[/home/kali]
└─# curl -k -XPOST https://10.0.2.15:10250/run/default/website-k8s-675dd9956d-qj58f/website-k8s -d "cmd=ls /"
rpc error: code = Unknown desc = failed to exec in container: failed to start exec "2766ae987637b8f679d7f68cbe02868c5dad0af36a08e8ed961825a274ac444d": OCI runtime exec failed: exec failed: unable to start container process: exec: "": executable file not found in $PATH: unknown       

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

Version 1.11

Environment setup

  • Running in self-hosted Linux (Debian) VirtualBox and installed MicroK8S
  • Which cloud provider? Which container orchestrator (including version)?

g3rzi (Contributor) commented May 6, 2024

Thank you, we will check it.

g3rzi (Contributor) commented Jul 15, 2024

We found the problem and fixed it. It will be updated in the next release.
For now, you can clone the current repository and build it.

g3rzi closed this as completed Jul 15, 2024