Comparing changes

base repository: cdk-team/CDK
base: v1.0.4
head repository: cdk-team/CDK
compare: main

Commits on Oct 6, 2021

  1. Merge pull request #29 from cdk-team/dependabot/go_modules/github.com/containerd/containerd-1.4.11

    neargle committed Oct 6, 2021
    40c5131
  2. c1d4aff

Commits on Oct 18, 2021

  1. 8a8f753

Commits on Nov 1, 2021

  1. Bump github.com/tidwall/gjson from 1.6.7 to 1.9.3

    Bumps [github.com/tidwall/gjson](https://github.com/tidwall/gjson) from 1.6.7 to 1.9.3.
    - [Release notes](https://github.com/tidwall/gjson/releases)
    - [Commits](tidwall/gjson@v1.6.7...v1.9.3)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/tidwall/gjson
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Nov 1, 2021
    533e439
  2. 4a92459
  3. 5e9752f
  4. Merge pull request #30 from cdk-team/dependabot/go_modules/github.com/tidwall/gjson-1.9.3

    Bump github.com/tidwall/gjson from 1.6.7 to 1.9.3
    neargle authored Nov 1, 2021
    4d54661
  5. a75c1d5
  6. f96cd30

Commits on Nov 21, 2021

  1. Bump github.com/containerd/containerd from 1.4.11 to 1.4.12

    Bumps [github.com/containerd/containerd](https://github.com/containerd/containerd) from 1.4.11 to 1.4.12.
    - [Release notes](https://github.com/containerd/containerd/releases)
    - [Changelog](https://github.com/containerd/containerd/blob/main/RELEASES.md)
    - [Commits](containerd/containerd@v1.4.11...v1.4.12)
    
    ---
    updated-dependencies:
    - dependency-name: github.com/containerd/containerd
      dependency-type: direct:production
    ...
    
    Signed-off-by: dependabot[bot] <support@github.com>
    dependabot[bot] authored Nov 21, 2021
    2c5d184

Commits on Nov 22, 2021

  1. Merge pull request #31 for security issue (to containerd v1.4.12)

    Bump github.com/containerd/containerd from 1.4.11 to 1.4.12
    neargle authored Nov 22, 2021
    0156d55

Commits on Jan 28, 2022

  1. feat(caps): find out add caps

    neargle committed Jan 28, 2022
    3a5a713
  2. chore: support for cdk eval

    neargle committed Jan 28, 2022
    25b66b1

Commits on Feb 27, 2022

  1. b22f683

Commits on Mar 6, 2022

  1. 98ec2d1
  2. dbd9257

Commits on Mar 7, 2022

  1. optimize(util/common.go): Quicker Random String Generator

    Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
    kmahyyg committed Mar 7, 2022
    ef056df
  2. optimize(exp/mount-cgroup): update build constraint, cgroup is linux only

    Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
    kmahyyg committed Mar 7, 2022
    ecfadba
  3. fix(exp/mount-cgroup): fix #35 in shell-style in a simple way

    Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
    kmahyyg committed Mar 7, 2022
    60b44e5

Commits on Mar 9, 2022

  1. fix(util/cgroup.go): typo: marjor -> major

    Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
    kmahyyg committed Mar 9, 2022
    4c640ae
  2. feat(util/cgroup.go): add superBlockOptions when parsing /proc/self/mountinfo

    Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
    kmahyyg committed Mar 9, 2022
    043d6b6
  3. feat(exp/mount_cgroup.go): completely fix #35 in golang-style

    This implements the mount-cgroup exploit totally in Golang.
    
    Detailed information:
    - Change the whole "create-mount-write" process to use the Golang native Unix API.
    - To avoid conflicts, increase the length of the random string from 3 to 4.
    The tasks sub-cgroup also gets the same kind of random name.
    - Read mounted filesystem information from /proc/self/mountinfo instead of /etc/mtab.
    - Due to the limitation of exec.Command, output redirection is implemented in another way: manually get the pid and write it to cgroups.proc.
    
    Further enhancement:
    - To read the container filesystem path on the host, implement reading `superBlockOptions` from MountInfo.
    - To implement CVE-2022-0492 in this PR further, I modified the EscapeCgroup function so that it can be re-used for other subsystems.
    
    Chores:
    - `go mod tidy`
    
    Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
    kmahyyg committed Mar 9, 2022
    1b94046
  4. 96d2984
  5. refactor(exp): Merge pull request #40 from kmahyyg/main

    [PR40] Implement mount-cgroup exploit in Golang style.
    
    Detailed information:
    
    * Change the whole "create-mount-write" process to use the Golang native Unix API.
    * To avoid conflicts, increase the length of the random string from 3 to 4.
    * The tasks sub-cgroup also gets the same kind of random name.
    * Read mounted filesystem information from /proc/self/mountinfo instead of /etc/mtab.
    * Due to the limitation of exec.Command, output redirection is implemented in another way: manually get the pid and write it to cgroups.procs
    neargle authored Mar 9, 2022
    05c907b

Commits on Mar 10, 2022

  1. feat(exploit/abuse-unpriv-userns): exploit of CVE-2022-0492 (#41)

    * feat(exploit/abuse_unpriv_userns.go): exploit of CVE-2022-0942
    
    co-operate with PR #40.
    
    Signed-off-by: kmahyyg <16604643+kmahyyg@users.noreply.github.com>
    Reviewer: neargle
    kmahyyg authored Mar 10, 2022
    19d8c3e
  2. 1

    19fdff2
  3. 9e47892
  4. 7a004b6

Commits on Mar 12, 2022

  1. 7cf4bfd
  2. 6722038

Commits on Mar 16, 2022

  1. 6cab6db

Commits on Mar 20, 2022

  1. 5c611b4
  2. 2b1b8c1

Commits on Mar 26, 2022

  1. f7f5e37
  2. dd5456d

Commits on Apr 26, 2022

  1. 3c6b0c1

Commits on May 4, 2022

  1. perf(log): colorful usage

    neargle committed May 4, 2022
    ad8ce9d
  2. 9118872

Commits on May 25, 2022

  1. 2474a08
  2. fix(opt): docopt parse error

    neargle committed May 25, 2022
    032d08c
  3. e7d820c
  4. Merge pull request #48 from wywwzjj/main

    add DNS-Based Service Discovery
    neargle authored May 25, 2022
    f8d186d

Commits on May 30, 2022

  1. 46918aa
  2. 52bab3e

Commits on Jun 10, 2022

  1. fd1190e
  2. 71d0646
  3. Merge pull request #50 from cdk-team/fix-shadow-apiserver-49

    Fix #49 (shadow-apiserver): Flag --insecure-port has been deprecated
    neargle authored Jun 10, 2022
    b71d8d6

Commits on Jun 23, 2022

  1. 3d87478
  2. feat(etcd) #52: get K8s service account token in ETCD

    * add etcd get k8s token
    
    * etcd code supplement
    
    * some fixes, does not support etcd v2
    
    * Remove unnecessary code
    404tk authored Jun 23, 2022
    4eaa69e

Commits on Jun 24, 2022

  1. Merge pull request #53 from cdk-team/probe-get-ending

    perf(probe): output ending message
    neargle authored Jun 24, 2022
    7fed802
Showing with 7,831 additions and 1,013 deletions.
  1. +46 −25 .github/workflows/build_and_release.yml
  2. +25 −0 .github/workflows/check.yaml
  3. +5 −0 .gitignore
  4. +201 −339 LICENSE
  5. +70 −35 README.md
  6. +19 −2 cmd/cdk/cdk.go
  7. +17 −0 conf/build_conf.go
  8. +29 −0 conf/evaluate_conf.go
  9. +17 −0 conf/exploit_conf.go
  10. +2,678 −0 conf/linux_kernel_exploit.go
  11. +17 −0 conf/message.go
  12. +17 −0 conf/scanner_conf.go
  13. +9 −12 go.mod
  14. +36 −56 go.sum
  15. +53 −17 pkg/cli/banner.go
  16. +44 −47 pkg/cli/parse.go
  17. +122 −0 pkg/cli/parse_test.go
  18. +17 −0 pkg/errors/errors.go
  19. +35 −0 pkg/evaluate/available_linux_capabilities.go
  20. +17 −0 pkg/evaluate/available_linux_commands.go
  21. +39 −10 pkg/evaluate/cgroups.go
  22. +44 −47 pkg/evaluate/check_mount_escape.go
  23. +17 −0 pkg/evaluate/cloud_metadata_api.go
  24. +72 −0 pkg/evaluate/evaluate.go
  25. +39 −0 pkg/evaluate/evaluate_test.go
  26. +17 −0 pkg/evaluate/k8s_anonymous_login.go
  27. +17 −0 pkg/evaluate/k8s_service_account.go
  28. +56 −0 pkg/evaluate/kernel.go
  29. +16 −0 pkg/evaluate/network_namespace.go
  30. +22 −0 pkg/evaluate/security_info.go
  31. +17 −0 pkg/evaluate/sensitive_env.go
  32. +17 −0 pkg/evaluate/sensitive_local_file_path.go
  33. +17 −0 pkg/evaluate/sensitive_service.go
  34. +40 −0 pkg/evaluate/service_discorvery_dns.go
  35. +17 −0 pkg/evaluate/sysctl_vars.go
  36. +56 −2 pkg/evaluate/system_info.go
  37. +9 −0 pkg/exploit/base/base.go
  38. +0 −18 pkg/exploit/check_ptrace_test.go
  39. +187 −0 pkg/exploit/credential_access/etcd_get_k8s_token.go
  40. +26 −5 pkg/exploit/{ → credential_access}/file_scan.go
  41. +19 −2 pkg/exploit/{ → credential_access}/file_scan_test.go
  42. +22 −2 pkg/exploit/{ → credential_access}/image_registry_brute.go
  43. +31 −0 pkg/exploit/credential_access/image_registry_brute_test.go
  44. +26 −5 pkg/exploit/{ → credential_access}/k8s_configmap_dump.go
  45. +26 −5 pkg/exploit/{ → credential_access}/k8s_secret_dump.go
  46. +22 −2 pkg/exploit/{ → discovery}/istio_check.go
  47. +21 −3 pkg/exploit/{ → discovery}/k8s_cluster_info.go
  48. +22 −3 pkg/exploit/{ → discovery}/k8s_psp_dump.go
  49. +52 −0 pkg/exploit/discovery/service_probe.go
  50. +198 −0 pkg/exploit/escaping/abuse_unpriv_userns.go
  51. +24 −4 pkg/exploit/{ → escaping}/cap_dac_read_search.go
  52. +19 −1 pkg/exploit/{ → escaping}/cap_dac_read_search_test.go
  53. +25 −5 pkg/exploit/{ → escaping}/check_ptrace.go
  54. +35 −0 pkg/exploit/escaping/check_ptrace_test.go
  55. +38 −15 pkg/exploit/{ → escaping}/containerd_shim_pwn.go
  56. +26 −5 pkg/exploit/{ → escaping}/docker_api_pwn.go
  57. +33 −8 pkg/exploit/{ → escaping}/docker_runc.go
  58. +26 −6 pkg/exploit/{ → escaping}/docker_sock_check.go
  59. +28 −8 pkg/exploit/{ → escaping}/docker_sock_pwn.go
  60. +135 −0 pkg/exploit/escaping/k8s_kubelet_var_log_escape.go
  61. +210 −0 pkg/exploit/escaping/lxcfs_rw_cgroup.go
  62. +36 −5 pkg/exploit/{lxcfs_rw.go → escaping/lxcfs_rw_mknod.go}
  63. +228 −0 pkg/exploit/escaping/mount_cgroup.go
  64. +26 −6 pkg/exploit/{ → escaping}/mount_device.go
  65. +47 −18 pkg/exploit/{ → escaping}/mount_procfs.go
  66. +25 −5 pkg/exploit/{ → escaping}/rewrite_cgroup_devices.go
  67. +30 −0 pkg/exploit/exp_init.go
  68. +17 −0 pkg/exploit/exploit_test.go
  69. +31 −0 pkg/exploit/hwexp/411.yaml
  70. +55 −0 pkg/exploit/hwexp/utils.go
  71. +0 −14 pkg/exploit/image_registry_brute_test.go
  72. +0 −113 pkg/exploit/mount_cgroup.go
  73. +22 −2 pkg/exploit/{ → persistence}/deploy_webshell.go
  74. +22 −2 pkg/exploit/{ → persistence}/k8s_backdoor_daemonset.go
  75. +26 −7 pkg/exploit/{ → persistence}/k8s_clusterip_mitm.go
  76. +25 −4 pkg/exploit/{ → persistence}/k8s_cronjob.go
  77. +86 −34 pkg/exploit/{ → persistence}/k8s_shadow_apiserver.go
  78. +25 −4 pkg/exploit/{ → privilege_escalation}/k8s_get_sa_token.go
  79. +203 −0 pkg/exploit/remote_control/kubelet_exec.go
  80. +25 −4 pkg/exploit/{ → remote_control}/reverse_shell.go
  81. +0 −31 pkg/exploit/service_probe.go
  82. +31 −8 pkg/exploit/test_poc.go
  83. +43 −2 pkg/plugin/interface.go
  84. +30 −8 pkg/task/auto_escape.go
  85. +17 −0 pkg/task/fix_build_null.go
  86. +17 −0 pkg/tool/dockerd_api/dockerd_api.go
  87. +126 −0 pkg/tool/etcdctl/common.go
  88. +64 −0 pkg/tool/etcdctl/ectl.go
  89. 0 pkg/tool/kubectl/assets/.gitkeep
  90. 0 pkg/tool/kubectl/assets/kubectl-amd64
  91. +67 −18 pkg/tool/kubectl/common.go
  92. +17 −0 pkg/tool/kubectl/kcurl.go
  93. +52 −0 pkg/tool/kubectl/kubectl_bin.go
  94. +17 −0 pkg/tool/netcat/netcat.go
  95. +17 −0 pkg/tool/netcat/thin_code.go
  96. +40 −0 pkg/tool/netstat/netstat.go
  97. +18 −0 pkg/tool/network/network.go
  98. +17 −0 pkg/tool/probe/common.go
  99. +17 −0 pkg/tool/probe/common_test.go
  100. +42 −15 pkg/tool/probe/net.go
  101. +17 −0 pkg/tool/probe/thin_code.go
  102. +17 −0 pkg/tool/ps/ps.go
  103. +17 −0 pkg/tool/vi/thin_code.go
  104. +17 −0 pkg/tool/vi/ven.go
  105. +34 −0 pkg/util/capability/capability_define.go
  106. +17 −0 pkg/util/capability/capability_test.go
  107. +167 −15 pkg/util/cgroup.go
  108. +122 −0 pkg/util/colorful.go
  109. +55 −5 pkg/util/common.go
  110. +19 −1 pkg/util/file_io.go
  111. +17 −0 pkg/util/file_io_test.go
  112. +17 −0 pkg/util/http_request.go
  113. +31 −0 pkg/util/k8s.go
  114. +48 −0 pkg/util/kubectl.go
  115. +77 −0 pkg/util/kubelet.go
  116. +209 −0 pkg/util/kubelet_api.go
  117. +46 −0 pkg/util/namespace.go
  118. +60 −0 pkg/util/output.go
  119. +18 −0 pkg/util/version.go
  120. +1 −1 test/k8s_exploit_util/default_to_admin.yaml
  121. +2 −2 test/k8s_exploit_util/shadow-apiserver.yaml
  122. +14 −0 test/scripts/runtest_in_dev.sh
  123. +11 −0 thanks.md
71 changes: 46 additions & 25 deletions .github/workflows/build_and_release.yml
@@ -1,8 +1,9 @@
name: CDK CI

on:
workflow_dispatch:
release:
types: [created]
types: [released, prereleased]

jobs:

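Review bot: the new `workflow_dispatch:` trigger lets this workflow be started by hand, but the upload step further down reads `UPLOAD_URL: ${{ github.event.release.upload_url }}` and `RELEASE_URL: ${{ github.event.release.url }}`, both of which are empty outside a `release` event, so a manual run reaches the curl upload loop with an empty URL. Either guard that step with `if: github.event_name == 'release'` or take a release tag as a `workflow_dispatch` input and resolve the URLs from it. Note also that `types: [released, prereleased]` now publishes binaries for pre-releases as well, which widens what gets uploaded automatically; confirm that is intended.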
@@ -13,15 +14,15 @@ jobs:
steps:
- uses: actions/setup-go@v2
with:
go-version: 1.15
go-version: 1.22.2
- uses: actions/setup-node@v1
with:
node-version: 10.x
- uses: actions/checkout@v2
with:
fetch-depth: 0

- uses: actions/download-artifact@v2
- uses: actions/download-artifact@v4
- name: Upload Release and Renew Changelog
env:
UPLOAD_URL: ${{ github.event.release.upload_url }}
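Review bot: `actions/download-artifact` is bumped to v4 while `actions/setup-go@v2`, `actions/setup-node@v1` and `actions/checkout@v2` stay on their old majors; download-artifact v4 cannot read artifacts produced by upload-artifact v3 or earlier, so the build job's upload step (not in this hunk) must move to v4 in the same change or this job will find nothing in `bin/` to publish. Since this job carries `AUTH_HEADER` and can write release assets, it is also worth pinning every action to a commit SHA rather than a mutable tag, and bumping the v1/v2 actions and `node-version: 10.x` while you are here.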
@@ -30,39 +31,59 @@ jobs:
RELEASE_URL: ${{ github.event.release.url }}

run: |
set -euo pipefail
set -x
go get github.com/mitchellh/gox
sudo apt-get install -y upx
sudo apt-get update
sudo apt-get install -y upx file curl
export CGO_ENABLED=0
gox -parallel 5 -osarch="darwin/amd64 linux/386 linux/amd64 linux/arm linux/arm64" -ldflags="-s -w " -output="bin/{{.Dir}}_{{.OS}}_{{.Arch}}" ./cmd/cdk/
gox -parallel 5 -osarch="linux/386 linux/amd64 linux/arm64" -ldflags="-s -w " -tags="thin" -output="bin/{{.Dir}}_{{.OS}}_{{.Arch}}_thin" ./cmd/cdk/
export GIT_COMMIT=$(git rev-list -1 HEAD)
export ldflags="-s -w -extldflags \"-static\" -X github.com/cdk-team/CDK/pkg/cli.GitCommit=$GIT_COMMIT"
# cdk_linux_386 cdk_linux_amd64 cdk_linux_arm cdk_linux_arm64
cp bin/cdk_linux_amd64 bin/cdk_linux_amd64_upx
upx bin/cdk_linux_amd64_upx
mkdir -p bin
cp bin/cdk_linux_386 bin/cdk_linux_386_upx
upx bin/cdk_linux_386_upx
echo "Building standard versions..."
GOOS=darwin GOARCH=amd64 go build -ldflags="$ldflags" -o bin/cdk_darwin_amd64 ./cmd/cdk/ || echo "Darwin build failed"
GOOS=linux GOARCH=386 go build -ldflags="$ldflags" -o bin/cdk_linux_386 ./cmd/cdk/
GOOS=linux GOARCH=amd64 go build -ldflags="$ldflags" -o bin/cdk_linux_amd64 ./cmd/cdk/
GOOS=linux GOARCH=arm go build -ldflags="$ldflags" -o bin/cdk_linux_arm ./cmd/cdk/
GOOS=linux GOARCH=arm64 go build -ldflags="$ldflags" -o bin/cdk_linux_arm64 ./cmd/cdk/
cp bin/cdk_linux_amd64_thin bin/cdk_linux_amd64_thin_upx
upx bin/cdk_linux_amd64_thin_upx
echo "Building thin versions..."
GOOS=linux GOARCH=386 go build -ldflags="$ldflags" -tags="thin" -o bin/cdk_linux_386_thin ./cmd/cdk/
GOOS=linux GOARCH=amd64 go build -ldflags="$ldflags" -tags="thin" -o bin/cdk_linux_amd64_thin ./cmd/cdk/
GOOS=linux GOARCH=arm64 go build -ldflags="$ldflags" -tags="thin" -o bin/cdk_linux_arm64_thin ./cmd/cdk/
cp bin/cdk_linux_386_thin bin/cdk_linux_386_thin_upx
upx bin/cdk_linux_386_thin_upx
echo "Creating UPX compressed versions..."
for file in bin/cdk_linux_{386,amd64}{,_thin}; do
if [ -f "$file" ]; then
cp "$file" "${file}_upx"
upx "${file}_upx" || echo "UPX compression failed for ${file}"
fi
done
UPLOAD_URL=$(echo -n $UPLOAD_URL | sed s/\{.*//g)
for FILE in bin/*
do
echo "Uploading ${FILE}";
curl \
-H "${API_HEADER}" \
-H "${AUTH_HEADER}" \
-H "Content-Type: $(file -b --mime-type ${FILE})" \
--data-binary "@${FILE}" \
"${UPLOAD_URL}?name=$(basename ${FILE})";
echo "Uploading files..."
for FILE in bin/*; do
if [ -f "$FILE" ]; then
echo "Uploading ${FILE}"
MIME_TYPE=$(file -b --mime-type "${FILE}")
RESPONSE=$(curl -w "%{http_code}" \
-H "${API_HEADER}" \
-H "${AUTH_HEADER}" \
-H "Content-Type: ${MIME_TYPE}" \
--data-binary "@${FILE}" \
"${UPLOAD_URL}?name=$(basename ${FILE})" \
-o /dev/null)
if [ "$RESPONSE" -ne 201 ]; then
echo "Error uploading ${FILE}, status code: ${RESPONSE}"
fi
fi
done
bash ".github/workflows/changelog.sh"
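Review bot: `set -euo pipefail` is added at the top, but failures are still swallowed in three places in this hunk: the darwin build ends with `|| echo "Darwin build failed"`, each `upx "${file}_upx"` is followed by `|| echo "UPX compression failed for ${file}"`, and a non-201 response from the upload curl only prints `Error uploading ${FILE}, status code: ${RESPONSE}` and continues. The job can therefore finish green with missing or partially uploaded release assets. Set a flag (for example `FAILED=1`) in each of those branches and `exit 1` after the upload loop, or drop the `|| echo` fallbacks so the step fails at the point of error. The `-X github.com/cdk-team/CDK/pkg/cli.GitCommit=$GIT_COMMIT` ldflag is a good addition for tracing a shipped binary back to its source commit.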
25 changes: 25 additions & 0 deletions .github/workflows/check.yaml
@@ -0,0 +1,25 @@
name: Go Check
on: [push, pull_request]
jobs:
buildable:
name: Buildable and Runable
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@master
- name: build
uses: actions/setup-go@v2
with:
go-version: '1.17'
- run: |
export CGO_ENABLED=0
GOOS=darwin GOARCH=amd64 go build -ldflags="-s -w " ./cmd/cdk/cdk.go
GOOS=linux GOARCH=386 go build -ldflags="-s -w " ./cmd/cdk/cdk.go
GOOS=linux GOARCH=arm go build -ldflags="-s -w " ./cmd/cdk/cdk.go
GOOS=linux GOARCH=arm64 go build -ldflags="-s -w " ./cmd/cdk/cdk.go
GOOS=linux GOARCH=amd64 go build -ldflags="-s -w " ./cmd/cdk/cdk.go
# test main function with Evaluate, Exploit and Tool
go test -v -timeout 30s -run ^TestParseCDKMain$ pkg/cli/*.go
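Review bot: `actions/checkout@master` pins the checkout action to a mutable branch, so every CI run pulls whatever is at master at that moment; pin it to a release tag or, better, a commit SHA. The job also builds with `go-version: '1.17'` while the release workflow in this same comparison builds with 1.22.2, so CI is not exercising the toolchain that produces the shipped binaries; use one version in both (or read it from go.mod). The `go test ... -run ^TestParseCDKMain$` step only runs the CLI parsing test; consider `go test ./...` so the `pkg/evaluate` and `pkg/exploit` tests added in this comparison run on every push as well.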
5 changes: 5 additions & 0 deletions .gitignore
@@ -31,3 +31,8 @@ cmd/cdk/cdk

.vscode/
.chglog/
__debug_bin

/pkg/tool/kubectl/assets/

/cdk
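Review bot: the new rule `/pkg/tool/kubectl/assets/` ignores the whole directory, yet this same comparison adds `pkg/tool/kubectl/assets/.gitkeep` and `pkg/tool/kubectl/assets/kubectl-amd64` (entries 89 and 90 in the file list). Already tracked files stay tracked, but any new file dropped in that directory will need `git add -f`, which is easy to miss; ignoring only the binary (`/pkg/tool/kubectl/assets/*` plus `!/pkg/tool/kubectl/assets/.gitkeep`) makes the intent explicit. Since `kubectl-amd64` is a third-party binary that gets embedded into the tool, document where it is fetched from and how its checksum is verified before it lands in the repo.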