cve-2018-1002105
PoC cannot handle api-server on self-signed https
When running the docker image, I get a panic from the go code related to the fact that the certificate was signed by an unknown authority. The code then stops and does not test further for the exploit.
[rubin@KURO ~]$ docker run -it --rm -v $HOME/.kube/config:/kubeconfig: quay.io/gravitational/cve-2018-1002105:latest
Unable to find image 'quay.io/gravitational/cve-2018-1002105:latest' locally
latest: Pulling from gravitational/cve-2018-1002105
5940862bcfcd: Pull complete
a496d03c4a24: Pull complete
5d5e0ccd5d0c: Pull complete
ba24b170ddf1: Pull complete
d97f46b6966a: Pull complete
Digest: sha256:e35349412f12635bfc1f13326b82c1dba82e176d71c9e0e9d27d947f73126ff8
Status: Downloaded newer image for quay.io/gravitational/cve-2018-1002105:latest
Attempting to locate and load kubeconfig file
Please Note:
This test currently relies on the behaviour of apiserver/kubelet to check for the issue.
If you're connecting through a layer-7 load balancer, you may receive false positives in the test
Loading: /kubeconfig
Testing for unauthenticated access...
> API allows unauthenticated access
Testing for privilege escalation...
panic: Get https://openshift-console.example.com:443/api/v1/namespaces: x509: certificate signed by unknown authority
goroutine 1 [running]:
main.findPod(0xc0001aa900, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/go/src/github.com/gravitational/cve-2018-1002105/main.go:196 +0x318
main.testEscalate(0xc000119180, 0x0, 0x0)
/go/src/github.com/gravitational/cve-2018-1002105/main.go:109 +0xb8
main.main()
/go/src/github.com/gravitational/cve-2018-1002105/main.go:67 +0x304
[rubin@KURO ~]$
[rubin@KURO ~]$ curl docker run -it --rm -v $HOME/.kube/config:/kubeconfig: quay.io/gravitational/cve-2018-1002105:latest
Based on the info you have provided, I'm not sure I understand what the issue would be. This particular failure is largely within the client-go code, which loads the kubeconfig and tries to iterate the namespaces.
The only possibility that comes to mind is that if the kubeconfig references a cert file for the CA instead of embedding it directly into the kubeconfig file, that file location may also need to be volume mounted into the docker container.
@rubin55, you need to add the following in .kube/config to get rid of the self-signed error:
- cluster: insecure-skip-tls-verify: true
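The two replies above point at two different ways out of the x509 panic: mount the CA file the kubeconfig refers to (so the container can verify the self-signed cluster certificate), or disable verification with insecure-skip-tls-verify. The script below is an added example written for this page, not code from the gravitational PoC or from anyone in the thread. It implements the first option: it scans a kubeconfig for `certificate-authority:` file references (entries that embed the CA as `certificate-authority-data:` need no mount), and prints the `-v` flags that make those files resolve at the same path inside the container. It assumes the container mounts the kubeconfig at `/kubeconfig`, as in the `docker run` line at the top of the issue, so that relative CA paths (which client-go resolves relative to the kubeconfig's own directory) are mounted under `/`. The sample kubeconfig it writes is constructed for the demonstration and points at `.invalid` hostnames.

```shell
#!/bin/sh
# Added example, not part of the original issue or the PoC repository.
# Find CA files a kubeconfig references on disk and emit the docker -v flags
# needed so the PoC container can verify a self-signed cluster CA instead of
# turning verification off with insecure-skip-tls-verify.

# Print every file path given by a 'certificate-authority:' key, one per line.
# 'certificate-authority-data:' (embedded CA) is not matched because the
# pattern requires the colon directly after "authority".
kubeconfig_ca_files() {
    # $1: path to the kubeconfig file
    sed -n 's/^[[:space:]]*certificate-authority:[[:space:]]*//p' "$1" \
        | tr -d "'\""           # strip surrounding quotes, if any
}

# Print one "-v <host-path>:<container-path>:ro" flag per referenced CA file.
# Absolute paths are mounted at the same path. Relative paths are resolved
# against the kubeconfig's directory on the host and, because the kubeconfig
# lives at /kubeconfig inside the container, against / in the container.
kubeconfig_ca_mounts() {
    cfg=$1
    cfgdir=$(cd "$(dirname "$cfg")" && pwd)
    kubeconfig_ca_files "$cfg" | while IFS= read -r ca; do
        case $ca in
            /*) host=$ca;           guest=$ca ;;
            *)  host="$cfgdir/$ca"; guest="/$ca" ;;
        esac
        printf '%s %s:%s:ro\n' -v "$host" "$guest"
    done
}

# Write a constructed sample kubeconfig (three clusters: embedded CA,
# absolute CA file, relative CA file) to the path given in $1.
write_sample_kubeconfig() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- name: embedded-ca
  cluster:
    server: https://embedded.example.invalid:6443
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t
- name: file-ca
  cluster:
    server: https://selfsigned.example.invalid:6443
    certificate-authority: /etc/kube/ca.crt
- name: relative-ca
  cluster:
    server: https://relative.example.invalid:6443
    certificate-authority: certs/ca.crt
EOF
}
```

Usage against a real kubeconfig (the unquoted command substitution splits the flags on the newlines the function emits): `docker run -it --rm -v "$HOME/.kube/config:/kubeconfig" $(kubeconfig_ca_mounts "$HOME/.kube/config") quay.io/gravitational/cve-2018-1002105:latest`. Mounting the CA read-only keeps the PoC verifying the API server's certificate, which is the behaviour you want from a scanner that is about to talk to a cluster, rather than the blanket trust that insecure-skip-tls-verify grants.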
We're winding down the Gravity project, and with it, this repo.