Share this page!

Emilien Socchi Profile picture
Twitter logo
Nov 1 6 tweets 4 min read
Mounting a #Kubernetes service account to a pod with permissions to deploy other pods implies that if your app has RCE, a threat actor will be able to infect other Services in the cluster (yes, even if you use strict PSPs) #KubernetesSecurity #k8s #aks #gke #eks
#DevSecOps
🧵 👇
Background:
▪︎ A Service in #k8s is an object that balances HTTP requests between pods belonging to that Service
▪︎ A Service identifies its pods through a set of labels (e.g. "fancy-app: prod", "db: users", etc)
▪︎ A pod with a label associated with a Service will become part of that Service automatically

Attack scenario:
1. A pod is mounting a service account with permissions to deploy other pods
2. A container in the pod is running a vulnerable app, providing RCE to an attacker
3. The attacker identifies an interesting Service in the cluster with label "backend: v1", which looks like some kind of REST API service
4. The attacker deploys a new pod with label "backend: v1"
5. The pod automatically becomes part of the "backend: v1" Service
6. Traffic to the "backend: v1" Service is now partly load-balanced to the attacker's pod
7. Plain-text credentials, tokens and cookies submitted to the Service can be now be stolen by the attacker when traffic is sent to their pod
#Kubernetes #BugBounty #Pentesting
Extra:
▪︎ For stealthier attacks, the attacker can even deploy a pod that simply logs the received traffic, and forwards it to one of the other pods in the Service to serve legitimate responses to the original user. Note that this is not always straightforward though

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Emilien Socchi

Emilien Socchi Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @emiliensocchi

Emilien Socchi Profile picture
Nov 2
How a simple web-app assessment lead to complete #AzureAd tenant takeover 🤯
🧵 👇
#Azure #AzureKubernetesService #aks #Kubernetes #KubernetesSecurity #k8s #bugbounty #bugbountytips #bugbountytip #DevSecOps
1. Poorly-designed file upload functionality lead to RCE
2. Turned out the app was running in a container managed by #AzureKubernetesService (#AKS)
3. #Container was mounting a service account with permissions to deploy #pods in the same namespace
4. I deployed a new pod with hostPath root volume. Deployment was not blocked by any security policy. #Pod got deployed
5. I exec-ed into the pod's #container and escaped it through its hostPath volume. #privesc to the #AKS node succeeded!
Read 7 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us on Twitter!

Send Email!

Email the whole thread instead of just a link!

Separate emails with commas

:(