The attacker can achieve this by using the "kube-proxy" and "kube-scryer" pods. If an attacker is able to create a "kube-scryer" pod with a hostIPC and hostNetwork namespace, then the attacker will be able to have the hostIPC namespace be used to assign the pod an IP and the hostNetwork namespace be used to assign the pod a port. With this information, the attacker will now be able to control and access the pod over the network.
Pods that use hostIPC and hostNetwork can be exploited to run arbitrary code. An attacker must only be able to create one hostIPC and one hostNetwork pod to be exploited.
Another vulnerability was found in CRI-O where an attacker can create a malicious "cri-o-proxy" pod that has a hostNetwork and hostIPC namespace, and the sysctls of the hostNetwork namespace will be applied to the host if the attacker is able to create a "kube-scryer" pod with a hostIPC and hostNetwork namespace. This issue is only exploitable in CRI-O 1.18 or earlier, as CRI-O 1.19 and later have a fix for this issue.
In both of these vulnerabilities, the attacker must have access to the Kubernetes cluster and have root permissions on the cluster to be able to exploit them.
Infrastructure for Proof of Concept
If you are looking to perform these vulnerabilities, I would recommend that you setup an environment with Kubernetes running with the vulnerable versions of CRI-O. I will provide a how-to guide on how to configure this below.
First, we will need to get the necessary components for our proof of concept. All of the components needed for this demonstration are free and available on Google Cloud Platform:
Kubernetes (https://kubernetes.io/) - This is what we will use to run our application and the vulnerable version of CRI-O.
CRI-O (https://crio.readme.io/docs/) - This is what we will use to exploit the vulnerability when it occurs in a pod running in Kubernetes
GCP (Google Cloud Platform) (https://cloud.google.com/) - This is where we can get Google Compute Engine instances that have root access and where the vulnerable pods will be running on
What is Kubernetes?
Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications. It was originally developed by Google and currently managed by the Cloud Native Computing Foundation (CNCF).
The vulnerability found in CRI-O allows a user on the cluster to create a malicious pod that has a hostIPC and hostNetwork namespace, then the sysctls of the hostNetwork namespace will be applied to the host if a "kube-scryer" pod with a hostIPC and hostNetwork namespace is created. In this case, only CRI-O 1.18 or earlier is exploitable as CRI-O 1.19 and later have a fix for this issue. The issue found in Kubernetes allows an attacker to create pods which have an IP or port assigned to them over the network that they can control if they have access to the cluster.