Most active commenters
  • ajross(3)

←back to thread

Helm local code execution via a malicious chart

(github.com)
171 points irke882 | 11 comments | 09 Jul 25 05:49 UTC | HN request time: 0.204s | source | bottom
Show context
yelirekim ◴[09 Jul 25 07:03 UTC] No.44507070[source]
The original vulnerability description is not worded very well, here's my understanding of what's going on:

1. Attacker crafts a malicious Chart.yaml containing arbitrary code

2. Replaces Chart.lock with a symlink pointing to a sensitive file (like .bashrc or other startup scripts)

3. When you run helm dependency update, Helm processes the malicious Chart.yaml and writes the payload to whatever file the symlink targets

4. Code executes when the targeted file is next used (e.g., opening a new shell)

Why This Works: Helm follows the symlink during the dependency update process without validating the target, allowing arbitrary file writes outside the intended chart directory.

replies(3): >>44507344 #>>44507626 #>>44508238 #
1. heisenbit ◴[09 Jul 25 07:57 UTC] No.44507344[source]
Can anyone explain in what setup an attacker who can create a symlink where Chart.lock was could not directly write .bashrc or similar? Is this related to how Git handles symlinks?
replies(3): >>44507386 #>>44508788 #>>44508988 #
2. yelirekim ◴[09 Jul 25 08:04 UTC] No.44507386[source]
Helm is a program that allows users to creates packages which other users consume. Those packages contain files that are normally generated by Helm itself, but apparently if you alter your package definition by hand you can replace Chart.lock with a symlink.

As I'm typing this it's occurring to me that you probably shouldn't be able to do that. The fix they applied was to prevent the actual write from occurring when trying to write the lockfile and determining that the lockfile is a symlink. They could (should?) also validate that like, the package itself hasn't been screwed with in this manner.

3. mfer ◴[09 Jul 25 11:43 UTC] No.44508788[source]
This has nothing to do with Git. A symlink can be packaged up in a tarball and shipped from one system to another. An attacker would need to create a malicious Chart.yaml file and a Chart.lock file pointing to another file. Then ship those to a system where dependencies are then updated.

This doesn't affect things like installing or upgrading a chart. Dependencies aren't updated at that time.

replies(1): >>44510290 #
4. Tuna-Fish ◴[09 Jul 25 12:05 UTC] No.44508988[source]
A symlink is just a special file that contains a string of text, it's not tightly bound to the target like a hard link. You can write anything into that string of text, including, say, "~/.bashrc". Then you can ship that symlink onto another system, and it suddenly points to your .bashrc.

Git just moves symlinks across systems as is, so yes, you can use git to deploy the exploit.

replies(1): >>44510760 #
5. ajross ◴[09 Jul 25 14:12 UTC] No.44510290[source]
> A symlink can be packaged up in a tarball and shipped from one system to another.

True enough, but if you have a victim unpacking and building untrusted tarballs there's no security boundary being crossed, is there? You don't have to bother with this symlink nonsense, just update the install script to include your payload directly.

Honestly this vulnerability is dumb. I don't see any realistic scenario where it can be exploited by an unprivileged attacker.

replies(1): >>44511024 #
6. mdaniel ◴[09 Jul 25 14:54 UTC] No.44510760[source]
As pedantry, to the very best of my knowledge symlinks could not contain "~" and have it mean $HOME - that's a shell-ism (or os.path.expanduser equivalent in your library). I was suspecting the attack vector may have used "/home/runner" or "/home/ubuntu" as very common paths that could exist and be writable by the user
7. url00 ◴[09 Jul 25 15:13 UTC] No.44511024{3}[source]
When you do a helm pull and download a chart from a repo, I believe it's a tar-ball. So if you have a workflow where you install charts from the filesystem you could be impacted. I've done that in the past.
replies(1): >>44511145 #
8. ajross ◴[09 Jul 25 15:21 UTC] No.44511145{4}[source]
I can only repeat the assertion: if you have a victim pulling and installing untrusted tarballs, there is no security boundary being crossed.

It doesn't matter whether it's "from a repo". If you can't trust the repo it can feed you whatever it wants.

replies(1): >>44515870 #
9. deathanatos ◴[09 Jul 25 23:47 UTC] No.44515870{5}[source]
You're not installing the untrusted tarball; helm is merely supposed to be extracting it, and then rendering the templates contained within.

(Those templates, once rendered, might then refer to pods, etc. that might be put into a k8s cluster (or perhaps we merely render then YAML, and never `apply` it), and in that sense, one might imagine that that is an install, but that's not the security boundary being crossed here; this would presumably result in execution on the host running helm, which would definitely be surprising.)

replies(1): >>44516373 #
10. ajross ◴[10 Jul 25 01:33 UTC] No.44516373{6}[source]
You're quibbling over the meaning of "install" but apparently conceding the part about untrusted? OK, fair enough. I still argue that any process involving the extraction and (ahem) "rendering of contained templates" from untrusted sources is broken in ways a fix for this particular symlink issue isn't going to address.
replies(1): >>44525179 #
11. deathanatos ◴[10 Jul 25 20:26 UTC] No.44525179{7}[source]
Yes? I don't find that that odd.

Certainly, it would be better to trust the upstream completely, but let's not kid ourselves? See the entire current state of software supply chain in the industry.

But when I visit a website, I don't expect the website to LCE me. Why should turning a YAML adlib into YAML LCE me, regardless of the trust of the upstream. This is not a privilege I'm expecting to give the upstream ever, and this behavior is a clear security bug, to me…