@nrjpoddar nrjpoddar/check.sh
Last active Feb 11, 2020

Istio CVE-2020-8595
#!/bin/bash
# Local check for CVE-2020-8595 against a given Istio proxy image.
# -e aborts on an unhandled failure, -E lets ERR traps be inherited by
# functions, and pipefail makes a pipeline fail when any stage fails.
set -e -E -o pipefail
# clean_up is registered before any resource is created, so a container or
# scratch directory left by a partial run is still removed.
trap clean_up EXIT SIGINT
# Both handles start empty; clean_up only acts on the ones that were filled in.
tmpDir=""
dockerID=""
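#######################################
# Remove the test container and the scratch directory, if they were created.
# Runs from the EXIT/SIGINT trap, so it can be entered more than once; each
# handle is cleared after use to keep the second pass a no-op.
# Globals:   dockerID (read, cleared), tmpDir (read, cleared)
# Returns:   0
#######################################
clean_up() {
  if [ -n "$dockerID" ]; then
    # The container is started with --rm and may already be gone; a failing
    # "docker rm" must not abort the trap (set -e) before the directory
    # below is removed.
    docker rm -f "$dockerID" || true
    dockerID=""
  fi
  if [ -n "$tmpDir" ]; then
    # Leave the scratch directory before deleting it. popd fails when the
    # directory stack is already empty (second invocation), so fall back to /.
    popd >/dev/null 2>&1 || cd /
    # Quoted and terminated with -- so a path containing spaces or a leading
    # dash is removed as a single operand.
    rm -rf -- "$tmpDir"
    tmpDir=""
  fi
  return 0
}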
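# The only argument is the proxy image reference to test.
scriptName=$(basename -- "$0")
if [ "$#" -lt 1 ]; then
  cat <<EOF
Usage $scriptName <your-proxy-image-version>
$scriptName istio/proxyv2:1.4.3
EOF
  exit 1
fi
proxyImage="$1"
# The scratch directory is created under the current directory because it is
# bind-mounted into the container later; mktemp -d gives it an unpredictable
# name. Quoting keeps a working directory with spaces in one piece.
tmpDir=$(mktemp -d "$PWD/cve-2020-8595.XXXXXX")
pushd "$tmpDir"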
# Envoy bootstrap used for the check, captured into envoy_config.
#   - listener "server" (0.0.0.0:8091) routes every request to cluster
#     "backend" through three HTTP filters: jwt_authn (the rule for "/" is
#     allow_missing_or_failed), istio_authn (JWT origin policy whose
#     trigger_rules include only the exact path "/productpage"), and the router.
#   - listener "backend" (127.0.0.1:8099) answers every request with a
#     direct 200 response and a fixed body.
#   - the admin interface listens on 0.0.0.0:15000.
# The heredoc delimiter is unquoted, so the shell would expand any $ or
# backtick inside it; the text below contains none.
# NOTE(review): this copy of the heredoc has no leading whitespace. YAML
# nesting depends on indentation, so confirm the layout against the original
# file before running it.
envoy_config=$(cat <<EOF
node:
id: test
metadata:
"istio.io/metadata": {
namespace: default,
labels: { app: productpage },
}
static_resources:
listeners:
- name: server
address:
socket_address:
address: 0.0.0.0
port_value: 8091
filter_chains:
- filters:
- name: envoy.http_connection_manager
config:
stat_prefix: ingress_http
codec_type: auto
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains:
- "*"
routes:
- match:
prefix: "/"
route:
cluster: backend
http_filters:
- name: envoy.filters.http.jwt_authn
typed_config:
"@type": type.googleapis.com/envoy.config.filter.http.jwt_authn.v2alpha.JwtAuthentication
providers:
origins-0:
issuer: testing@secure.istio.io
forward: true
payload_in_metadata: testing@secure.istio.io
local_jwks:
inline_string: '{ "keys":[ {"e":"AQAB","kid":"DHFbpoIUqrY8t2zpA2qXfCmr5VO5ZEr4RzHU_-envvQ","kty":"RSA","n":"xAE7eB6qugXyCAG3yhh7pkDkT65pHymX-P7KfIupjf59vsdo91bSP9C8H07pSAGQO1MV_xFj9VswgsCg4R6otmg5PV2He95lZdHtOcU5DXIg_pbhLdKXbi66GlVeK6ABZOUW3WYtnNHD-91gVuoeJT_DwtGGcp4ignkgXfkiEm4sw-4sfb4qdt5oLbyVpmW6x9cfa7vs2WTfURiCrBoUqgBo_-4WTiULmmHSGZHOjzwa8WtrtOQGsAFjIbno85jp6MnGGGZPYZbDAa_b3y5u-YpW7ypZrvD8BgtKVjgtQgZhLAGezMt0ua3DRrWnKqTZ0BJ_EyxOGuHJrLsn00fnMQ"}]}'
rules:
- match:
prefix: "/"
requires:
allow_missing_or_failed: {}
- name: istio_authn
typed_config:
"@type": type.googleapis.com/istio.envoy.config.filter.http.authn.v2alpha1.FilterConfig
policy:
origins:
- jwt:
issuer: testing@secure.istio.io
jwks_uri: https://raw.githubusercontent.com/istio/istio/release-1.4/security/tools/jwt/samples/jwks.json
trigger_rules:
- included_paths:
- exact: "/productpage"
principal_binding: USE_ORIGIN
jwt_output_payload_locations:
testing@secure.istio.io: istio-sec-5406b7840708063f65cbdf52153ca364a476d68b
- name: envoy.router
config: {}
access_log:
- name: envoy.file_access_log
config:
path: "/dev/stdout"
format: "server %RESPONSE_CODE% downstream:%DYNAMIC_METADATA(envoy.wasm.metadata_exchange.downstream:labels)% upstream:%DYNAMIC_METADATA(envoy.wasm.metadata_exchange.upstream:labels)%\n"
- name: backend
address:
socket_address:
address: 127.0.0.1
port_value: 8099
filter_chains:
- filters:
- name: envoy.http_connection_manager
config:
stat_prefix: ingress_http
codec_type: auto
route_config:
name: local_route
virtual_hosts:
- name: local_service
domains:
- "*"
routes:
- match:
prefix: "/"
direct_response:
status: 200
body:
inline_string: "sample backend body\n"
http_filters:
- name: envoy.router
config: {}
clusters:
- name: backend
connect_timeout: 0.25s
type: static
lb_policy: round_robin
hosts:
- socket_address:
address: 127.0.0.1
port_value: 8099
http2_protocol_options: {}
admin:
access_log_path: "/dev/null"
address:
socket_address:
address: 0.0.0.0
port_value: 15000
EOF)
# Write the config into the scratch directory (the current directory after
# pushd). echo -e interprets backslash escapes, so the \n sequences in the
# access-log format and the backend body are expanded before the text
# reaches envoy.yaml.
echo -e "$envoy_config" > envoy.yaml
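# Start envoy from the image under test with the generated config. The
# scratch directory is bind-mounted at the same path inside the container and
# used as the working directory so ./envoy.yaml resolves. The test listener is
# published on the loopback address only, since it exists solely for the local
# probe below.
workDir=$(pwd)
dockerID=$(docker run -p 127.0.0.1:8091:8091 -d --rm -v "$workDir:$workDir" -w "$workDir" --entrypoint "envoy" "$proxyImage" -c ./envoy.yaml)
echo "Sleeping for 5 seconds so the docker container is up and running"
sleep 5
RED='\033[0;31m'
GREEN='\033[0;32m'
ORANGE='\033[0;33m' # currently unused
NC='\033[0m'
VULN="CVE-2020-8595"
# Request the protected path with a trailing "?" and no token. The policy in
# envoy.yaml is triggered by the exact path "/productpage": a 401 means the
# JWT policy was still applied, a 200 means the request reached the backend
# without authentication.
# The URL is quoted so the "?" is never treated as a glob. "|| true" keeps a
# failed connection from aborting the script under set -e; curl then reports
# 000 and the verdict falls through to "Can't verify" instead of exiting
# silently.
status=$(curl -s -o /dev/null -w '%{http_code}' 'http://127.0.0.1:8091/productpage?' || true)
case "$status" in
  200)
    echo -e "[${VULN}] ${RED}Vulnerable${NC}"
    ;;
  401)
    echo -e "[${VULN}] ${GREEN}Fix applied${NC}"
    ;;
  *)
    echo -e "[${VULN}] ${RED}Can't verify${NC}"
    ;;
esac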