Summary
A vulnerability has been identified in Envoy that allows malicious attackers to inject unexpected content into access logs. This is achieved by exploiting the lack of validation for the REQUESTED_SERVER_NAME field for access loggers.
PoC
In our default access log format, the primary arbitrary input fields are headers. REQUESTED_SERVER_NAME can also take arbitrary input and has no validation in Envoy at all (despite the RFC being pretty strict). Further, this is externally exploitable, as the value will be logged in the majority of cases, even if RBAC denies the request.
An example exploit:
```shell
# ANSI escape sequence for blue foreground text, expanded into $x
blue='\e[0;34m'
x=$(echo -e $blue)
# Send the payload as the TLS SNI (--server-name); the quoted argument spans
# three lines, so the logged field carries an escape sequence, an HTML tag
# and a forged log record on its own line
client https://10.36.1.114/ --server-name "foo.com${x}this is blue
end<script>alert()</script>
[2022-01-05T17:14:26.823Z] fake log"
```
This has 3 in one:
- Inject ANSI escape characters. Here it makes kubectl logs return blue text; cursor movement is also possible. The above probably only works on zsh, but other shells support them as well with different syntax. Cursor movement allows deleting logs, masking an attack.
- Inject HTML. I don't know of any log viewers that are subject to this, but it's plausible.
- Inject new lines, which allows injecting fake log lines.
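The three injection classes above all depend on control bytes (ESC for ANSI sequences, LF for forged records) reaching the log unescaped. The following added example, which is not Envoy code and not part of the original advisory, shows the two defender-side checks a practitioner would want: a validator that accepts only an RFC 6066 style hostname as the SNI value, an escaper that keeps a logged field on one line, and a scanner that flags symptoms of injection in an already-written log. The log format used by the scanner's `_RECORD` pattern and the `SAMPLE_LOG` lines are constructed for this example (an assumption, not Envoy's default format); the payload is the one from the PoC above with `${x}` expanded.

```python
import re
from typing import List, Tuple

# RFC 6066 defines the SNI HostName as a DNS hostname: ASCII labels of
# letters, digits and hyphens (1-63 chars, no leading/trailing hyphen),
# at most 253 chars overall, with no trailing dot.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_sni(name: str) -> bool:
    """True only if `name` is syntactically a valid SNI hostname."""
    if not name or len(name) > 253 or name.endswith(".") or not name.isascii():
        return False
    return all(_LABEL.match(label) for label in name.split("."))


# The PoC relies on C0/C1 control bytes: ESC for ANSI colour and cursor
# movement, LF for forged records. Escaping them keeps a logged field on
# exactly one line and makes the raw bytes visible to a reader.
_CONTROL = re.compile(r"[\x00-\x1f\x7f-\x9f]")


def sanitize_for_log(value: str) -> str:
    """Replace every control character with its \\xNN escape."""
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), value)


# Detection side: CSI sequences (ESC [ ... final byte) as used for colour
# and cursor movement.
_ANSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

# Shape of one record in the CONSTRUCTED sample format below (assumption;
# adapt this pattern to the access log format actually configured).
_RECORD = re.compile(
    r'^\[\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z\] "[A-Z]+ \S+ HTTP/\d(?:\.\d)?" \d{3} '
)


def scan_access_log(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every line showing an injection symptom."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if _ANSI.search(line):
            findings.append((n, "ansi-escape"))
        elif _CONTROL.search(line):
            findings.append((n, "control-char"))
        if not _RECORD.match(line):          # forged or split record
            findings.append((n, "unexpected-record-shape"))
        if line.count('"') % 2:              # a quoted field was broken open
            findings.append((n, "unbalanced-quotes"))
    return findings


# The PoC payload with ${x} expanded to ESC [0;34m (constructed from the report).
PAYLOAD_SNI = (
    "foo.com\x1b[0;34mthis is blue\n"
    "end<script>alert()</script>\n"
    "[2022-01-05T17:14:26.823Z] fake log"
)

# Constructed sample log: line 2 carries the unsanitized payload, so the
# forged lines 3 and 4 appear as their own records.
SAMPLE_LOG = (
    '[2022-01-05T17:14:20.000Z] "GET / HTTP/1.1" 200 sni="foo.com"\n'
    '[2022-01-05T17:14:26.823Z] "GET / HTTP/1.1" 403 sni="' + PAYLOAD_SNI + '"\n'
    '[2022-01-05T17:14:30.000Z] "GET /health HTTP/1.1" 200 sni="foo.com"\n'
)

if __name__ == "__main__":
    print("valid SNI:", is_valid_sni("foo.com"), is_valid_sni(PAYLOAD_SNI))
    print("sanitized:", sanitize_for_log(PAYLOAD_SNI))
    for n, reason in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
```

Rejecting the SNI at the TLS layer with `is_valid_sni` prevents the field from ever carrying a payload, while `sanitize_for_log` is the defence for fields such as headers that legitimately allow arbitrary bytes; `scan_access_log` is only a retrospective check and its record pattern must match the format the logger actually emits.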
Impact
Log injection to our system will cause multiple unexpected problems