Command injection (sometimes CMD injection) is an attack that involves executing arbitrary commands on some host OS. Typically, this happens because of insufficient user input validation.
The envoy proxy in Unguard has a /healthz?path=.. endpoint where the user-controlled path parameter is passed to the curl CLI program, also allowing arbitrary command execution on the envoy-proxy.
For this exploit to work you need:
- unguard deployed and running
- (optional) unguard-exploit-toolkit set up
To exploit the command injection vulnerability in the envoy-proxy, you simply have to call the /healthz endpoint with a query parameter that adds a second command to the curl call.
Without the CLI, you can simply craft your own payload. Make sure to URL-encode your payloads before sending them, for example:
$ echo http://unguard.kube/healthz?path=$(urlencode "example.com; uname -a > /tmp/info")
http://unguard.kube/healthz?path=example.com%3B%20uname%20-a%20%3E%20%2Ftmp%2Finfo
If you take a look at the envoy-proxy, you will find the newly created /tmp/info file there.
From here, feel free to move laterally, for example:
- Try to modify the Envoy configuration in /etc/envoy/unguard to re-route the entire webserver
- Access other internal nodes from this pod onwards (no network policies will apply)
- Open a reverse shell back to your machine to extract data from this or other pods
Using the CLI, you can specify any command to be executed. There is no prior login necessary.
Just use ug-exploit cmd-inject-envoy "<your-command>" to execute arbitrary commands.
Writing current user into a file
$ ug-exploit cmd-inject-envoy "whoami > /tmp/pwned"
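The pattern behind this bug and its hardened form, as an added Python illustration that is not Unguard's own code: the vulnerable variant splices the path parameter into a shell string, while the fixed variant validates the parameter against an allowlist (the service names below are constructed for this example) and runs curl through an argv list with no shell. A small helper shows how a defender can flag injection attempts in the proxy's access logs.

```python
import re
import shlex
import subprocess

# Constructed allowlist of upstreams the health endpoint may probe; these names
# are placeholders for this example, not Unguard's real service names.
ALLOWED_UPSTREAMS = frozenset({"frontend", "microblog-service", "user-auth-service"})

# RFC 1123 hostname syntax. A secondary check only; the allowlist is the real control.
_HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def build_health_command_unsafe(path: str) -> str:
    """The vulnerable pattern: the raw query parameter is spliced into a shell string.
    Any shell metacharacter (';', '|', '>', '$(...)') turns into a second command.
    Returned as a string for demonstration only; it is never executed here."""
    return f"curl -s {path}"


def validate_upstream(path: str) -> str:
    """Return the lower-cased hostname if it is well-formed AND allow-listed."""
    host = path.strip().lower()
    if len(host) > 253 or not _HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected non-hostname path parameter: {path!r}")
    if host not in ALLOWED_UPSTREAMS:
        raise ValueError(f"rejected upstream not in allowlist: {host}")
    return host


def build_health_command_safe(path: str) -> list:
    """Hardened form: validated input, argv list, no shell. The '--' ends option
    parsing so an input beginning with '-' cannot be read as a curl flag either."""
    host = validate_upstream(path)
    return ["curl", "--silent", "--max-time", "2", "--", f"http://{host}/"]


def run_health_check(path: str) -> int:
    """Execute the hardened command without a shell; returns curl's exit status."""
    return subprocess.run(build_health_command_safe(path), check=False).returncode


def is_shell_injection_attempt(path: str) -> bool:
    """Detection helper for access-log review: split the raw value the way a POSIX
    shell would. More than one word, unbalanced quotes, or any metacharacter means
    the value was never a plain hostname and the request deserves an alert."""
    try:
        words = shlex.split(path)
    except ValueError:
        return True
    return len(words) != 1 or any(c in path for c in ";|&$`><\n")
```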