Hello and welcome to the Thursday, December 11th,

2025 edition of the Sands and then at Storm Center's Stormcast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought you by the sands.edu master's degree program in

information security engineering. Well, in diaries today, we do have a detect that I associate

with a Kubernetes vulnerability that was patched last year, an OS command injection vulnerability.

This vulnerability was a fairly straightforward OS command injection in the node log query feature.

Wasn't widely exploited in part because at least at a time, this feature was still in beta and wasn't enabled by default.

Also, the user in order to attack this feature must have the privileges to actually query logs. Now, the way the export works was, you just sent essentially data to the logs endpoint,

and the pattern parameter was injectable.

Now, the OS command injection, there are a couple different ways how to often do that with

like backtakes or pipes or ampersand.

In this case, the attack worked by enclosing the operating system commands in parentheses,

leading with a dollar simple.

So that very common shell extrapolation that is often used for these types of attacks.

Well, today I was actually looking for some React exploits.

And while sort of going to my logs, I found this other request that, well,

reminded me a little bit of this particular Kubernetes vulnerability.

So I wonder if it's related.

However, in this case, the OS command injection is not a command line parameter.

Instead, it's part of the URL.

But it still uses that same dollar parentheses pattern.

...