Scan RCE not working as intended #40

@frankvoelker

Summary

kubeletctl scan rce -s SERVER is not showing "+" in the RCE column even though I can RCE

Steps to Reproduce

  1. Set up a microk8s cluster for testing
  2. Allow anonymous Kubelet API access
  3. Try to access https://SERVER:10250/pods to check for pods-json
  4. If you are allowed to see pods-json, try to scan with kubeletctl scan rce -s SERVER
  5. Also check if you can execute commands

Expected Results

If I am allowed to kubeletctl exec "ls /" -c CONTAINER -p POD -s SERVER, I should see a + in the "scan RCE" list

Actual Results

I have only "-" signs on kubeletctl scan rce -s SERVER but I can execute code

┌───────────────────────────────────────────────────────────────────────────────────────────────────────┐
│                                    Node with pods vulnerable to RCE                                   │
├───┬───────────┬─────────────────────────────────────────┬─────────────┬─────────────────────────┬─────┤
│   │ NODE IP   │ PODS                                    │ NAMESPACE   │ CONTAINERS              │ RCE │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│   │           │                                         │             │                         │ RUN │
├───┼───────────┼─────────────────────────────────────────┼─────────────┼─────────────────────────┼─────┤
│ 1 │ 10.0.2.15 │ website-k8s-675dd9956d-qj58f            │ default     │ website-k8s             │ -   │
└───┴───────────┴─────────────────────────────────────────┴─────────────┴─────────────────────────┴─────┘

It shows "-" in the RCE column, but if I try to execute code I can do:

┌──(root@kali)-[/home/kali]
└─# kubeletctl exec "ls /" -p website-k8s-675dd9956d-qj58f -c website-k8s -s 10.0.2.15
bin   dev  home  lib64  mnt  proc  run   srv  tmp  var
boot  etc  lib   media  opt  root  sbin  sys  usr

I also saw in the source code that there is a POST request to check manually, and this is my output:

┌──(root@kali)-[/home/kali]
└─# curl -k -XPOST https://10.0.2.15:10250/run/default/website-k8s-675dd9956d-qj58f/website-k8s -d "cmd=ls /"
rpc error: code = Unknown desc = failed to exec in container: failed to start exec "2766ae987637b8f679d7f68cbe02868c5dad0af36a08e8ed961825a274ac444d": OCI runtime exec failed: exec failed: unable to start container process: exec: "": executable file not found in $PATH: unknown       

Reproducible

  • Always
  • Sometimes
  • Non-Reproducible

Version/Tag number

Version 1.11

Environment setup

  • Running in self-hosted Linux (Debian) VirtualBox and installed MicroK8S
  • Which cloud provider? Which container orchestrator (including version)?
