search

DataDog / stratus-red-team

:cloud: :zap: Granular, Actionable Adversary Emulation for the Cloud
https://stratus-red-team.cloud
Apache License 2.0
1.67k stars 200 forks source link

k8s.persistence.create-token on GKE/EKS: misleading success message #163

Open raesene opened 1 year ago

raesene commented 1 year ago

What is not working? The k8s.persistence.create-token attack will work on GKE and EKS but although it requests a token with a one year lifespan those providers are silently limiting the token to 48 and 24 hours respectively.

As an example after running the attack on a GKE 1.22 cluster, the following issued and expiry times are present on the token returned

  "exp": 1660757418,
  "iat": 1660584618,

which is a 48 hour expiry. Probably the best way to fix this is to decode the token returned and confirm that the token duration requested matched the issued token.

What OS are you using? Mac OS X

What is your Stratus Red Team version? 2.3.0

christophetd commented 1 year ago

Thanks for reporting! Is this really a problem, though? If I were an attacker, I'd likely go with a high timeout. If the returned token has a lower expiration, well I'll deal with it.

With that in mind, don't you think the current behavior represents what an attacker would do?

raesene commented 1 year ago

So I think the problem I was thinking of is that, at the moment we output Successfully created a long-lived token valid for 1 year: after the run, even if the token generated is only valid for 48 hours.

We could just change the message to "successfully created a token" which would cover that case ok :)

christophetd commented 3 months ago

Alternatively we could look at the validity of the returned token and print this