Merge branch 'master' into change_links_to_avd

.github/workflows/lint.yml

@@ -1,12 +0,0 @@
-name: Lint
-
-on: [push, pull_request]
-
-jobs:
-  build:
-    runs-on: ubuntu-20.04
-
-    steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-python@v2
-      - uses: pre-commit/action@v2.0.0

.github/workflows/test.yml

@@ -1,54 +0,0 @@
-name: Test
-
-on: [push, pull_request]
-
-env:
-  FORCE_COLOR: 1
-
-jobs:
-  build:
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        python-version: ["3.6", "3.7", "3.8", "3.9"]
-        os: [ubuntu-20.04, ubuntu-18.04, ubuntu-16.04]
-
-    steps:
-      - uses: actions/checkout@v2
-
-      - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v2
-        with:
-          python-version: ${{ matrix.python-version }}
-
-      - name: Get pip cache dir
-        id: pip-cache
-        run: |
-          echo "::set-output name=dir::$(pip cache dir)"
-
-      - name: Cache
-        uses: actions/cache@v2
-        with:
-          path: ${{ steps.pip-cache.outputs.dir }}
-          key:
-            ${{ matrix.os }}-${{ matrix.python-version }}-${{ hashFiles('requirements-dev.txt') }}
-          restore-keys: |
-            ${{ matrix.os }}-${{ matrix.python-version }}-
-
-      - name: Install dependencies
-        run: |
-          python -m pip install -U pip
-          python -m pip install -U wheel
-          python -m pip install -r requirements.txt
-          python -m pip install -r requirements-dev.txt
-
-      - name: Test
-        shell: bash
-        run: |
-          make test
-
-      - name: Upload coverage
-        uses: codecov/codecov-action@v1
-        with:
-          name: ${{ matrix.os }} Python ${{ matrix.python-version }}

docs/_kb/KHV052.md

@@ -1,23 +0,0 @@
----
-vid: KHV052
-title: Exposed Pods
-categories: [Information Disclosure]
----
-
-# {{ page.vid }} - {{ page.title }}
-
-## Issue description
-
-An attacker could view sensitive information about pods that are bound to a Node using the exposed /pods endpoint
-This can be done either by accessing the readonly port (default 10255), or from the secure kubelet port (10250)
-
-## Remediation
-
-Ensure kubelet is protected using `--anonymous-auth=false` kubelet flag. Allow only legitimate users using `--client-ca-file` or `--authentication-token-webhook` kubelet flags. This is usually done by the installer or cloud provider.
-
-Disable the readonly port by using `--read-only-port=0` kubelet flag.
-
-## References
-
-- [Kubelet configuration](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/)
-- [Kubelet authentication/authorization](https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-authentication-authorization/)

kube_hunter/modules/discovery/hosts.py

@@ -5,7 +5,8 @@ import requests
 
 from enum import Enum
 from netaddr import IPNetwork, IPAddress, AddrFormatError
-from netifaces import AF_INET, ifaddresses, interfaces, gateways
+from netifaces import AF_INET, ifaddresses, interfaces
+from scapy.all import ICMP, IP, Ether, srp1
 
 from kube_hunter.conf import get_config
 from kube_hunter.core.events import handler
@@ -108,7 +109,7 @@ class FromPodHostDiscovery(Discovery):
             if self.is_azure_pod():
                 subnets, cloud = self.azure_metadata_discovery()
             else:
-                subnets = self.gateway_discovery()
+                subnets = self.traceroute_discovery()
 
             should_scan_apiserver = False
             if self.event.kubeservicehost:
@@ -140,9 +141,14 @@ class FromPodHostDiscovery(Discovery):
             return False
 
     # for pod scanning
-    def gateway_discovery(self):
-        """ Retrieving default gateway of pod, which is usually also a contact point with the host """
-        return [[gateways()["default"][AF_INET][0], "24"]]
+    def traceroute_discovery(self):
+        config = get_config()
+        node_internal_ip = srp1(
+            Ether() / IP(dst="1.1.1.1", ttl=1) / ICMP(),
+            verbose=0,
+            timeout=config.network_timeout,
+        )[IP].src
+        return [[node_internal_ip, "24"]]
 
     # querying azure's interface metadata api | works only from a pod
     def azure_metadata_discovery(self):

kube_hunter/modules/hunting/apiserver.py

@@ -56,19 +56,16 @@ class ServerApiHTTPAccess(Vulnerability, Event):
 
 
 class ApiInfoDisclosure(Vulnerability, Event):
-    """Information Disclosure depending upon RBAC permissions and Kube-Cluster Setup"""
-
     def __init__(self, evidence, using_token, name):
-        category = InformationDisclosure
         if using_token:
-            name += " using default service account token"
+            name += " using service account token"
         else:
             name += " as anonymous user"
         Vulnerability.__init__(
             self,
             KubernetesCluster,
             name=name,
-            category=category,
+            category=InformationDisclosure,
             vid="KHV007",
         )
         self.evidence = evidence

kube_hunter/modules/hunting/certificates.py

@@ -8,13 +8,11 @@ from kube_hunter.core.events import handler
 from kube_hunter.core.events.types import Vulnerability, Event, Service
 
 logger = logging.getLogger(__name__)
-email_pattern = re.compile(rb"([a-zA-Z0-9_.+-]+@[a-zA-Z0-9-]+\.[a-zA-Z0-9-.]+)")
+email_pattern = re.compile(rb"([a-z0-9]+@[a-z0-9]+\.[a-z0-9]+)")
 
 
 class CertificateEmail(Vulnerability, Event):
-    """The Kubernetes API Server advertises a public certificate for TLS.
-    This certificate includes an email address, that may provide additional information for an attacker on your
-    organization, or be abused for further email based attacks."""
+    """Certificate includes an email address"""
 
     def __init__(self, email):
         Vulnerability.__init__(

kube_hunter/modules/hunting/kubelet.py

@@ -35,7 +35,10 @@ class ExposedPodsHandler(Vulnerability, Event):
 
     def __init__(self, pods):
         Vulnerability.__init__(
-            self, component=Kubelet, name="Exposed Pods", category=InformationDisclosure, vid="KHV052"
+            self,
+            component=Kubelet,
+            name="Exposed Pods",
+            category=InformationDisclosure,
         )
         self.pods = pods
         self.evidence = f"count: {len(self.pods)}"
@@ -344,23 +347,27 @@ class SecureKubeletPortHunter(Hunter):
 
         # need further investigation on websockets protocol for further implementation
         def test_port_forward(self):
-            pass
+            config = get_config()
+            headers = {
+                "Upgrade": "websocket",
+                "Connection": "Upgrade",
+                "Sec-Websocket-Key": "s",
+                "Sec-Websocket-Version": "13",
+                "Sec-Websocket-Protocol": "SPDY",
+            }
+            pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
+                pod_namespace=self.pod["namespace"],
+                pod_id=self.pod["name"],
+                port=80,
+            )
+            self.session.get(
+                pf_url,
+                headers=headers,
+                verify=False,
+                stream=True,
+                timeout=config.network_timeout,
+            ).status_code == 200
             # TODO: what to return?
-            # Example starting code:
-            #
-            # config = get_config()
-            # headers = {
-            #     "Upgrade": "websocket",
-            #     "Connection": "Upgrade",
-            #     "Sec-Websocket-Key": "s",
-            #     "Sec-Websocket-Version": "13",
-            #     "Sec-Websocket-Protocol": "SPDY",
-            # }
-            # pf_url = self.path + KubeletHandlers.PORTFORWARD.value.format(
-            #     pod_namespace=self.pod["namespace"],
-            #     pod_id=self.pod["name"],
-            #     port=80,
-            # )
 
         # executes one command and returns output
         def test_run_container(self):
@@ -371,9 +378,8 @@ class SecureKubeletPortHunter(Hunter):
                 container_name="test",
                 cmd="",
             )
-            # if we get this message, we know we passed Authentication and Authorization, and that the endpoint is enabled.
-            status_code = self.session.post(run_url, verify=False, timeout=config.network_timeout).status_code
-            return status_code == requests.codes.NOT_FOUND
+            # if we get a Method Not Allowed, we know we passed Authentication and Authorization.
+            return self.session.get(run_url, verify=False, timeout=config.network_timeout).status_code == 405
 
         # returns list of currently running pods
         def test_running_pods(self):
@@ -1133,16 +1139,11 @@ class ProveSystemLogs(ActiveHunter):
             f"{self.base_url}/" + KubeletHandlers.LOGS.value.format(path="audit/audit.log"),
             verify=False,
             timeout=config.network_timeout,
-        )
-
-        # TODO: add more methods for proving system logs
-        if audit_logs.status_code == requests.status_codes.codes.OK:
-            logger.debug(f"Audit log of host {self.event.host}: {audit_logs.text[:10]}")
-            # iterating over proctitles and converting them into readable strings
-            proctitles = []
-            for proctitle in re.findall(r"proctitle=(\w+)", audit_logs.text):
-                proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
-            self.event.proctitles = proctitles
-            self.event.evidence = f"audit log: {proctitles}"
-        else:
-            self.event.evidence = "Could not parse system logs"
+        ).text
+        logger.debug(f"Audit log of host {self.event.host}: {audit_logs[:10]}")
+        # iterating over proctitles and converting them into readable strings
+        proctitles = []
+        for proctitle in re.findall(r"proctitle=(\w+)", audit_logs):
+            proctitles.append(bytes.fromhex(proctitle).decode("utf-8").replace("\x00", " "))
+        self.event.proctitles = proctitles
+        self.event.evidence = f"audit log: {proctitles}"