CDK Versions

📦 Make security testing of K8s, Docker, and Containerd easier.

v1.0.6

2 years ago

💣 Awesome CVE-2022-0492 Exploit!

Release Date: 2022-03-10

:scroll: Changelog

:bomb: Exploits

  • Chore(exp & release): build mount cgroup only in linux
  • Fix(exp): unprivileged_userns_clone sysctl file does not exist in CentOS
  • Feat(exploit/abuse-unpriv-userns): exploit of CVE-2022-0492 (#41)
  • Feat(exp/mount_cgroup.go): completely fix #35 in golang-style
  • Fix #38 (exp): shim-pwn protobuf panic after run exploit

:mag: About Evaluate

  • Feat(caps): find out add caps

:sparkles: Others

  • Chore(cli): add version info & commit id for debug

:key: Hash Table

SHA256 EXECUTE FILE

v1.0.5

2 years ago

💒 Happy wedding to my friend CDKKWANG, let's release a new version of CDK. 🌸 And fix some bugs by the way. Click to view more changelogs.

Release Date: 2022-03-06

:scroll: Changelog

:bomb: Exploits

  • Fix #38 (exp): shim-pwn protobuf panic after run exploit

:mag: About Evaluate

  • Feat(caps): find out add caps

:sparkles: Others

  • Chore(cli): add version info & commit id for debug
  • Fix #38 (exp): shim-pwn protobuf panic after run exploit
  • Fix #37 (eva): add eva args to docopt
  • Chore: support for cdk eval
  • Feat(caps): find out add caps
  • Bump github.com/containerd/containerd from 1.4.11 to 1.4.12
  • Fix action: cedrickring/golang-action is archived, official actions/setup-go action instead
  • Fix action: apply in all push and pull request
  • Bump github.com/tidwall/gjson from 1.6.7 to 1.9.3
  • Add event: https://community.cncf.io/events/details/cncf-kcd-china-presents-kubernetes-community-days-china/
  • Github action: git build test after a new pull request and push

:key: Hash Table

SHA256 EXECUTE FILE

v1.0.4

2 years ago

Release Date: 2021-10-02

:scroll: Changelog

:bomb: Exploits

  • Fix DeployBackdoorDaemonset return true when error.
  • Fix build tag mistake in CapDacReadSearch Exploit
  • Better cap_dac_read_search exploit
  • Fix: http authorization token has blank string in prefix or suffix
  • Add force-fuzz option for k8s-psp-dump exploit
  • Add filter string for lxcfs-rw exploit

:mag: About Evaluate

  • Fix DeployBackdoorDaemonset return true when error.

:toolbox: Tools

  • Fix DeployBackdoorDaemonset return true when error.
  • Fix: http authorization token has blank string in prefix or suffix

:sparkles: Others

  • Fix typo: KCON 2021 Arsenal
  • Add kcon2021 and whc2021
  • Format "run --list" output.
  • Add StringContains function
  • Add filter string for lxcfs-rw exploit
  • Bump github.com/containerd/containerd from 1.4.3 to 1.4.8

:key: Hash Table

SHA256 EXECUTE FILE

v1.0.3

2 years ago

Release Date: 2021-07-08

:scroll: Changelog

:bomb: Exploits

  • Add exploit: to container image registry, brute force the accounts and passwords cracking

:sparkles: Others

  • Add document for brute force the accounts and passwords cracking
  • Add meta-data api url of ucloud PR #24
  • Auto changelog: move changelog generate code to bash script

:key: Hash Table

SHA256 EXECUTE FILE

v1.0.2

2 years ago

Release Date: 2021-06-17

:scroll: Changelog

:bomb: Exploits

  • Add CAP_DAC_READ_SEARCH exploit
  • Fix error when target mountpoint is not a directory
  • Add SYS_ADMIN check and format capability output
  • Fix: truncation or EOF when reading target file
  • Various supplements to cap-dac-read-search

:mag: About Evaluate

  • More information about available linux capabilities
  • Add SYS_ADMIN check and format capability output
  • Add check for CAP_SYS_MODULE and CAP_DAC_READ_SEARCH

:sparkles: Others

  • Add meta-data api url of ucloud PR #24 from Alex-null/main
  • Auto changelog: move changelog generate code to bash script
  • Bash variables uppercase and add other changelogs
  • Changelog generation by automatic in github action
  • Add meta-data api url of Amazon Web Services Cloud
  • More information about available linux capabilities
  • Add check for CAP_SYS_MODULE and CAP_DAC_READ_SEARCH
  • Add check for OpenStack metadata
  • Add CAP_DAC_READ_SEARCH exploit
  • Update release note format

:key: Hash Table

SHA256 EXECUTE FILE

v1.0.1

3 years ago

Fixes

  • fit exploit k8s-backdoor-daemonset for k8s version >1.8. #13 @greenhandatsjtu
  • fit exploit k8s-shadow-apiserver for Tencent Cloud TKE cluster.

sha256 execute file

v1.0

3 years ago

New features

  • Make capabilities information readable.
  • Update cgroup and hostname capabilities in the evaluate module.
  • Update rewrite-cgroup-devices exploit to make it more stable.
  • More ports for k8s service probe.
  • Enable auto-pwn task.
  • New exploit: k8s-get-sa-token
  • New exploit: k8s-psp-dump
  • Release the thin version, now CDK can be easily used to pwn serverless/function service.
  • Use Github actions to compile and release.

Fixes

  • HTTP header set twice in several exploits.
  • Wrong parameter output in k8s-backdoor-daemonset exploit.

Release Date: 2021-04-11

sha256 execute file

v0.1.10

3 years ago

  • bugfix run: check-ptrace
  • new exploit: docker-api-pwn to takeover host with port 2375 open.
  • change exploit docker-sock-deploy to docker-sock-pwn, the new exploit will run commands directly without attaching to the backdoor container.

v0.1.9

3 years ago

More Exploits Enabled:

  1. Evaluate kube-proxy route localnet (CVE-2020-8558) vulnerability.
  2. Exploit LXC container with lxcfs mounted into container with rw privilege.
  3. Exploit privileged containers with CGroup device.allow overwrite.

v0.1.8

3 years ago

Add multiple K8s exploits.