Exploiting SSRF in Kubernetes

While testing an API that was exposed to the Internet, I found an unauthorised SSRF vulnerability that allowed me to trick the server into performing any GET request over the http or https protocol.

I had access to the response (i.e. this wasn't a blind SSRF) and full control of the URI but, as expected, could not control the request headers. Also, there was no rate limiting.

While writing my report I explained how this vulnerability could be abused to bypass security controls, enumerate internal hosts and services, and even perform DoS attacks on third parties or internal services.

However, I wanted to go one step further.

I knew the containerised application ran on a GKE cluster, so I wanted to see how much of the internal k8s configuration I could exfiltrate.

After coming across this post I found that the Kubelet API allows you to retrieve information about each pod running on the host by calling the following endpoint:

http://<host_ip>:10255/pods

As described in the documentation:

The information is very detailed and includes the metadata, labels, annotations, owner references (for example the DaemonSet that owns the pod), volumes, containers, and status.

The response was a gold mine.

Note that I was also able to trigger unauthorised requests to the metrics endpoints, but the results were not as relevant:

http://<host_ip>:10255/metrics
http://<host_ip>:10255/metrics/cadvisor
http://<host_ip>:10255/metrics/probes
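The root cause here is a URL fetcher that follows whatever the client supplies, so the fix on the application side is to vet the destination before fetching. The following is an added example (not code from the original post or from the affected service) of such a check: it rejects non-http(s) schemes, the kubelet ports, and any hostname that resolves to a non-public address, which covers RFC 1918 node IPs as well as the 169.254.169.254 metadata address. Port 10250 and the hostnames in the stub resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ports that only cluster infrastructure should ever be fetched from.
# 10255 is the kubelet read-only port the post abused; 10250 is the
# authenticated kubelet port (included here as an assumption).
BLOCKED_PORTS = {10250, 10255}


def resolve_all(hostname):
    """Return every IP address a hostname resolves to (A and AAAA)."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return [ipaddress.ip_address(info[4][0]) for info in infos]


def is_safe_target(url, resolver=resolve_all):
    """True only if every address the URL can reach is a public unicast
    address on a port not reserved for cluster components."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    if port in BLOCKED_PORTS:
        return False
    addrs = resolver(parts.hostname)
    if not addrs:
        return False  # unresolvable names are rejected outright
    # Every record must be public: a name that maps to one public and
    # one private address (a rebinding setup) is rejected as a whole.
    # is_global is False for RFC 1918, loopback, link-local (including
    # 169.254.169.254) and other reserved ranges.
    return all(addr.is_global for addr in addrs)
```

Because DNS can change between this check and the actual fetch, the fetcher should connect to the vetted address rather than re-resolving the hostname, and it should apply the same check to every redirect target.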

Let me know if you come across other ways to exploit this vulnerability ;)