Share
## https://sploitus.com/exploit?id=B7AC5919-D76A-529B-8E1B-78178908C977
# NGINX Rift β€” CVE-2026-42945 Vulnerability Scanning and Verification Tool

NGINX Rift is an open-source scanning and verification tool targeting **CVE-2026-42945** (NGINX `ngx_http_rewrite_module` heap overflow vulnerability). It supports remote network fingerprint scanning and local deep configuration auditing, helping security teams quickly identify potential risks in NGINX environments.

## Vulnerability Overview

| Attribute | Details |
|-----------|----------|
| **CVE Number** | CVE-2026-42945 |
| **Vulnerability Type** | Heap Overflow |
| **Affected Component** | NGINX `ngx_http_rewrite_module` |
| **Affected Versions** | NGINX Open Source Edition 0.6.27 ~ 1.30.0 / NGINX Plus R32 ~ R36 |
| **Fixed Versions** | NGINX 1.30.1 (stable) / 1.31.0 (mainline) / NGINX Plus R32 P6+ |
| **Risk Level** | High β€” Can cause Denial-of-Service (DoS) and Remote Code Execution (RCE) |

**Trigger Conditions** (must all three conditions be met):

1. Presence of a `rewrite` directive in NGINX configuration.
2. Replacement of URLs that contain `?` (query string separator).
3. Use of unnamed capture groups (e.g., `$1`, `$2`) in URL replacements.

**Example of a vulnerable configuration:**

```nginx
rewrite ^/api/(.*)$ /internal?id=$1 last;
```

**Secure Configuration (using named capture groups):**

```nginx
rewrite ^/api/(?.*)$ /internal?id=$myid last;
```

## Features

- **Remote Scan Mode** β€” Identifies NGINX versions using HTTP response headers. Supports single and batch scans.
- **Local Verification Mode** β€” Three-step audit: binary version detection β†’ configuration file semantics analysis β†’ K8s Ingress resource probing.
- **OS Patch Retroversion Detection** β€” Works with `dpkg`/`rpm` package managers to check if the release has been patched via backports.
- **K8s Cloud-Native Support** β€” Automatically detects dangerous `rewrite-target` annotations in Kubernetes Ingress resources.
- **Zero-** β€” Implemented entirely with the Go standard library, compiled as a single file without third-party dependencies.
- **Cross-platform** β€” Supports Windows / Linux / macOS (amd64 + arm64).

## Installation

### Method 1: Download Precompiled Binary

Download the binary for your platform from the [Releases](../../releases) page.

### Method 2: Compile from Source Code

```bash
git clone https://github.com/nu0l/NGINX-Rift.git
cd NGINX-Rift

# Compile for a single platform
go build -o nginx_rift_scanner nginx_rift_scanner.go

# Cross-platform compilation
chmod +x build.sh &&./build.sh
```

## Usage

### View Help

```bash./nginx_rift_scanner -h
```

### Scan Mode β€” Remote Network Scan

```bash
# Scan a single target./nginx_rift_scanner scan -u http://example.com

# Batch scan (reads URL list from file)./nginx_rift_scanner scan -f url.txt
```

In `url.txt`, each line represents a URL, for example:

```
http://target1.com
https://target2.com
target3.com
```

### Verify Mode β€” Local Deep Audit

```bash
# Automatically find the default NGINX configuration path./nginx_rift_scanner verify

# Specify the configuration file path./nginx_rift_scanner verify -p /etc/nginx/nginx.conf
```

The Verify mode performs three-step audits:

1. **Binary Version Detection** β€” Runs `nginx -v` to get the version and checks OS package manager’s Backport patches.
2. **Configuration File Analysis** β€” Recursively parses NGINX configurations (including `include` directives), identifying dangerous rewrite rules.
3. **K8s Ingress Detection** β€” If `kubectl` is detected, automatically scans all Ingress resources in the cluster.

## Fix Suggestions

| Priority | Solution | Description |
|--------|----------|----------|
| P0 | Upgrade NGINX | Upgrade to 1.30.1+ / 1.31.0+ / NGINX Plus R32 P6+ |
| P0 | Update OS Package Manager | `apt-get upgrade nginx` or `yum update nginx` |
| P1 | Urgent Configuration Mitigation | Change `$1` in rewrite rules to a named capture group `$name`, without requiring downtime. |
| P2 | K8s Ingress Fixing | Upgrade the Ingress Controller and modify `rewrite-target` annotations. |
| P3 | Advanced Defense | Configure `server_tokens off;` to hide version fingerprints. |

## Project Structure

```
NGINX-Rift/
β”œβ”€β”€ nginx_rift_scanner.go # Main program source code
β”œβ”€β”€ build.sh # Cross-platform compilation script
β”œβ”€β”€ go.mod # Go module definition
└── README.md
```

## Technical Implementation

- Uses the Go standard library `net/http` to send HTTP requests and parse `Server` response headers.
- Matches and extracts version numbers for Open Source Edition (`nginx/X.Y.Z`) and Commercial Edition (`NGINX Plus RXX`).
- Recursively parses NGINX configuration files, tracks `include` directives, and uses a `visited` map to prevent circular references.
- Dynamically retrieves K8s Ingress configurations using `kubectl get ingress --all-namespaces -o yaml`.
- Checks OS-level Backports by calling `dpkg-query`/`rpm --changelog`.
- Compiles statically (`CGO_ENABLED=0`) to generate a standalone binary without C dependencies.

## License

MIT License

## Acknowledgments

Contributed by the security community.