Exploiting SSRF in Kubernetes
While testing an API that was exposed to the Internet, I found an unauthorised SSRF vulnerability that allowed me to trick the server into performing any GET request using the http or https protocol.
I had access to the response (i.e.: this wasn't a blind SSRF), full control of the URI, but, as expected, could not control the request headers. Also, there was no rate limit.
While writing my report I explained how this vulnerability could be abused to bypass security controls, enumerate internal hosts and services, and even perform DoS attacks on third parties or internal services.
However, I wanted to go one step further.
I knew the containerised application ran on a GKE cluster, so I wanted to see how much of the internal k8s configuration I could exfiltrate.
After coming across this post I found that the Kubelet API allows you to retrieve information about each pod running on the host by calling the following endpoint:
http://<host_ip>:10255/pods
As described in the documentation:
The information is very detailed and includes the metadata, labels, annotations, owner references (for example the DaemonSet that owns the pod), volumes, containers, and status.
The response was a gold mine.
Note that I was also able to trigger unauthorised requests that relate to metrics, but the results were not as relevant:
http://<host_ip>:10255/metrics
http://<host_ip>:10255/metrics/cadvisor
http://<host_ip>:10255/metrics/probes
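On the cluster side, the fix for the endpoints above is to disable the kubelet's read-only port (the `--read-only-port=0` kubelet flag, or `readOnlyPort: 0` in the kubelet config file); on the application side, a "fetch this URL" feature should refuse targets that resolve to internal addresses or to kubelet ports. The following is an added example, not code from the original post or from the application described: it classifies a user-supplied URL before the server fetches it, and runs the same check over access-log lines to find past attempts. The hostnames, IP mappings and log lines are constructed sample data; the `url` query parameter, the log format and the resolver are assumptions for the example.

```python
"""SSRF target classification: block at request time, detect in logs.

Added example with constructed data; not the original post's code.
"""
import ipaddress
import socket
from urllib.parse import parse_qs, urlsplit

# Ports a generic URL-fetch feature has no reason to reach:
# 10250 is the kubelet API, 10255 the kubelet read-only API used in the post.
BLOCKED_PORTS = {10250, 10255}


def _default_resolver(host):
    """Resolve a hostname to all of its A/AAAA addresses (live DNS)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []


# Constructed resolver so the example runs offline; the mapping is made up.
SAMPLE_DNS = {
    "www.example.com": ["93.184.216.34"],
    "internal-svc.example": ["10.0.0.7"],
}


def sample_resolver(host):
    return SAMPLE_DNS.get(host, [])


def _is_internal(ip):
    """True for any address that should never be a fetch target."""
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 checks apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def classify_target(url, resolver=_default_resolver):
    """Return ("allow" | "deny", reason) for a user-supplied fetch URL."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return "deny", "unparseable url"
    if parts.scheme not in ("http", "https"):
        return "deny", f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return "deny", "missing host"
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port in BLOCKED_PORTS:
        return "deny", f"port {port} is a kubelet port"
    # IP literals are checked directly; hostnames are resolved and every
    # returned address is checked, since one name can map to several.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        return "deny", "host does not resolve"
    for addr in addrs:
        if _is_internal(ipaddress.ip_address(addr)):
            return "deny", f"{host} maps to internal address {addr}"
    return "allow", "public address"


# Constructed access-log lines in the assumed "METHOD path STATUS" shape.
SAMPLE_LOG = [
    "GET /api/fetch?url=https%3A%2F%2Fwww.example.com%2Ffeed 200",
    "GET /api/fetch?url=http%3A%2F%2F10.0.0.5%3A10255%2Fpods 200",
    "GET /api/fetch?url=http%3A%2F%2F%5B%3A%3A1%5D%2F 200",
    "GET /api/fetch?url=http%3A%2F%2Finternal-svc.example%2F 200",
    "GET /healthz 200",
]


def flag_ssrf_in_logs(lines, resolver=_default_resolver):
    """Return (target, reason) for each logged fetch aimed at an internal host."""
    findings = []
    for line in lines:
        try:
            _method, path, _status = line.split()
        except ValueError:
            continue  # not a line in the assumed format
        for target in parse_qs(urlsplit(path).query).get("url", []):
            verdict, reason = classify_target(target, resolver)
            if verdict == "deny":
                findings.append((target, reason))
    return findings


if __name__ == "__main__":
    for target, reason in flag_ssrf_in_logs(SAMPLE_LOG, sample_resolver):
        print(f"SSRF attempt: {target} ({reason})")
```

The check resolves the hostname itself rather than trusting the URL's text, so a public-looking name that points at a private address is still refused; a production deployment should also pin the resolved address for the actual connection, since a second lookup at fetch time can return a different answer.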
Let me know if you come across other ways to exploit this vulnerability ;)