Kubernetes ephemeral container to extract secret cached by subprocess #1236
Comments
|
As agreed: we can start off with a gdb debugable process that generates a random secret and reads it upon next read, whcih you can capture with a debug container. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Context
What should the challenge scenario be like?
We're interfacing with a secrets mgmt system to keep our secret safe, but we don't want to make a network call every time we use the secret. We've built an abstraction to handle interfacing with the system, and for performance reasons, we're caching the secret in memory using a spawned subprocess (or in memory). Using an appropriate container with debugging tools (jmap?), we can extract the secret from the subprocess/the heap!
What should the participant learn from completing the challenge?
Being able to exec in prod can harm even relatively safe secrets. Also, be careful with debug modes 🤡
For what category would the challenge be? (e.g. Docker, K8s, binary)
K8s
Did you encounter this in real life? Could you tell us more about the scenario?
I had to attach a debug ephemeral container to a running one, which had multiple debugging tools installed.
If the challenge request is approved, would you be willing to submit a PR?
Yes
The text was updated successfully, but these errors were encountered: