CVE-2019-1002101

MEDIUM

Kubernetes < 1.11.9 - Arbitrary File Write via kubectl cp Tar Extraction

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-1002101. PoCs published by brompwnie.

AI-analyzed exploit summary This repository contains functional exploit helper scripts for CVE-2019-1002101, a directory traversal vulnerability in Kubernetes kubectl cp. The scripts create a malicious tar file and replace system binaries to achieve remote code execution when a victim runs kubectl cp.

Description

The kubectl cp command allows copying files between containers and the user machine. To copy files from a container, Kubernetes creates a tar inside the container, copies it over the network, and kubectl unpacks it on the user’s machine. If the tar binary in the container is malicious, it could run any code and output unexpected, malicious results. An attacker could use this to write files to any path on the user’s machine when kubectl cp is called, limited only by the system permissions of the local user. The untar function can both create and follow symbolic links. The issue is resolved in kubectl v1.11.9, v1.12.7, v1.13.5, and v1.14.0.

Exploits (1)

nomisec WORKING POC 5 stars

by brompwnie · poc

https://github.com/brompwnie/CVE-2019-1002101-Helpers

View Code ZIP pw:eip

This repository contains functional exploit helper scripts for CVE-2019-1002101, a directory traversal vulnerability in Kubernetes kubectl cp. The scripts create a malicious tar file and replace system binaries to achieve remote code execution when a victim runs kubectl cp.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Kubernetes kubectl (versions before 1.11.9, 1.12.7, 1.13.5, 1.14.0)

Auth required

Prerequisites: Write access to /bin/tar on the target system · Victim must execute kubectl cp with a crafted tar file

MITRE ATT&CK