Nginx-Rift/kube-audit/README.md
2026-05-18 22:01:55 +03:00
# Kubernetes NGINX Rift Audit

Read-only Kubernetes scanner for NGINX Rift, CVE-2026-42945. It locates NGINX containers in running pods, reads their effective NGINX configuration, and reports `rewrite` directives whose replacement string contains a literal `?`.

The scanner uses only the Python standard library and the local `kubectl` binary. It does not create, update, or delete Kubernetes resources; the only cluster operations it performs are listing pods and running read-only commands inside them via `kubectl exec`.

## Quick Start

Run against the current kubeconfig context:

```sh
curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
  | python3 -
```

Run with an explicit kubeconfig:

```sh
curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
  | python3 - --kubeconfig /path/to/kubeconfig
```

Run with an explicit context and JSON output:

```sh
curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
  | python3 - --context my-context --json
```

Piping a script straight from the network into `python3` means you run whatever the URL serves at that moment. For anything beyond a one-off check, download the file, review it, and pin the URL to a commit SHA instead of `main`.

## What It Checks

For each running container, the script looks for an `nginx` or `openresty` binary. For containers that have one, it collects:

- the version from `nginx -v`
- the effective configuration from `nginx -T`
- as a fallback for ingress-nginx controllers, the live `/etc/nginx/nginx.conf` when `nginx -T` fails

It then parses `rewrite` directives and flags any whose replacement string contains a literal `?`, for example:

```nginx
rewrite ^/api/(.*)$ /internal?migrated=true;
```

This is the key NGINX Rift configuration primitive described in the public PoC. Only the replacement (the second argument of `rewrite`) is inspected, so a `?` that appears in the regex itself is not flagged. The script also reports the NGINX Open Source version of each container, but the version alone does not prove exploitability; the dangerous rewrite pattern must be present in the active configuration. Note that `nginx -T` dumps the configuration files currently on disk: if they were edited after the last reload, the running worker processes may still be serving an older configuration, so treat a finding as "present in the config that the next reload will activate" rather than a guarantee about the live process.
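The core of the check described above, as an added stand-alone example (not the project's `nginx_rift_k8s_scan.py`): a small nginx-config tokenizer that walks `nginx -T` output, attributes each directive to the file named by the `# configuration file X:` markers that `nginx -T` emits, and reports only `rewrite` directives whose replacement argument contains a literal `?`. The sample configuration is constructed for the example; it covers the edge cases a naive `grep 'rewrite.*?'` gets wrong: a commented-out rewrite, a `?` inside the regex rather than the replacement, a quoted replacement, and a `$is_args$args` variable that is not a literal `?`.

```python
"""Find `rewrite` directives with a literal `?` in the replacement, from `nginx -T` output."""
import re
from dataclasses import dataclass

FILE_MARKER = re.compile(r"^# configuration file (.+):\s*$")

# Constructed sample of `nginx -T` output; not a capture from any real cluster.
SAMPLE_NGINX_T = """# configuration file /etc/nginx/nginx.conf:
http {
    server {
        listen 80;
        # rewrite ^/old(.*)$ /new?legacy=1 last;   commented out, must not be flagged
        location /api/ {
            rewrite ^/api/(.*)$ /internal?migrated=true;
        }
        location /docs/ {
            rewrite ^/docs/(.*)?$ /help/$1 last;
        }
        include /etc/nginx/conf.d/extra.conf;
    }
}

# configuration file /etc/nginx/conf.d/extra.conf:
location /q/ {
    rewrite "^/q/(.*)$" "/search?q=$1" break;
    rewrite ^/v/(.*)$ /view/$1$is_args$args permanent;
}
"""


@dataclass
class Finding:
    file: str
    line: int
    regex: str
    replacement: str
    flags: tuple


def iter_directives(text):
    """Yield (file, line, args) for every directive in `nginx -T` output.

    Minimal nginx tokenizer: "..." / '...' quoting with backslash escapes,
    `#` comments only at token start (as nginx does), `;` terminators and
    `{` / `}` block delimiters. File markers attribute directives to files.
    """
    current_file, args, tok = "<unknown>", [], []
    quote, in_tok, start = None, False, None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FILE_MARKER.match(line)
        if m:
            current_file = m.group(1)
            continue
        i = 0
        while i < len(line):
            ch = line[i]
            if quote:                                   # inside a quoted token
                if ch == "\\" and i + 1 < len(line):
                    nxt = line[i + 1]
                    tok.append(nxt if nxt in (quote, "\\") else "\\" + nxt)
                    i += 2
                    continue
                if ch == quote:
                    args.append("".join(tok))
                    tok, quote = [], None
                else:
                    tok.append(ch)
            elif in_tok:                                # inside an unquoted token
                if ch.isspace() or ch in ";{}":
                    args.append("".join(tok))
                    tok, in_tok = [], False
                    continue                            # re-read the terminator
                tok.append(ch)
            else:                                       # between tokens
                if ch == "#":
                    break                               # comment runs to end of line
                if ch in "\"'":
                    quote, start = ch, start or lineno
                elif ch in ";{":
                    if args:
                        yield current_file, start, args
                    args, start = [], None
                elif not ch.isspace() and ch != "}":
                    in_tok, start = True, start or lineno
                    tok.append(ch)
            i += 1
        if in_tok:                                      # newline ends an unquoted token
            args.append("".join(tok))
            tok, in_tok = [], False


def find_rift_rewrites(nginx_t_output):
    """Return a Finding per rewrite whose replacement holds a literal `?`.

    Only the replacement (second argument) is inspected, so a `?` inside the
    regex or a `$is_args$args` variable does not produce a finding.
    """
    findings = []
    for file, line, args in iter_directives(nginx_t_output):
        if args[0] != "rewrite" or len(args) < 3:
            continue
        regex, replacement, flags = args[1], args[2], tuple(args[3:])
        if "?" in replacement:
            findings.append(Finding(file, line, regex, replacement, flags))
    return findings


if __name__ == "__main__":
    import sys
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NGINX_T
    for f in find_rift_rewrites(src):
        print(f"{f.file}:{f.line}: rewrite {f.regex} {f.replacement} {' '.join(f.flags)}".rstrip())
```

Run it as `kubectl exec <pod> -c <container> -- nginx -T | python3 this_file.py` to check a single container by hand; without stdin it parses the embedded sample and reports the two real findings (lines 7 and 18) while ignoring the commented-out line and the `?` in the `/docs/` regex.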

## Exit Codes

- `0`: no rewrite replacement containing a literal `?` was found
- `1`: at least one potential NGINX Rift rewrite trigger was found
- `2`: scan failed or completed with partial errors

## Options

```text
--kubeconfig PATH       kubeconfig path
--context NAME          kubeconfig context
--namespace NAME        scan one namespace instead of all namespaces
--timeout SECONDS       per-kubectl-call timeout, default 20
--workers N             parallel kubectl exec workers, default 8
--json                  emit JSON report
--verbose               include per-container details
--no-ingress-conf       disable /etc/nginx/nginx.conf fallback for ingress-nginx when nginx -T fails
```

## Required Permissions

The current Kubernetes identity needs permission to:

- list pods (`get` and `list` on `pods`, cluster-wide or in the target namespace)
- exec into pods (`create` on the `pods/exec` subresource, which is how RBAC authorises `kubectl exec`)

Apart from the `create` verb on the `pods/exec` subresource, no write permissions are required: the scanner never creates, updates, or deletes any resource.
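A preflight check for the permissions listed above, as an added example (not part of the scanner): it asks `kubectl auth can-i` for each required verb, using the `--subresource` flag for `pods/exec`, and returns the exact RBAC gaps so a failed scan can be explained before it starts. The `runner` parameter exists so the decision logic can be exercised with a fake `kubectl`; the assumed option names mirror the scanner's `--kubeconfig`, `--context` and `--namespace`.

```python
"""Preflight: does the current kubectl identity hold the RBAC the scanner needs?"""
import subprocess

# (verb, resource, subresource). `kubectl exec` is authorised by `create` on
# the `pods/exec` subresource; no write verb on `pods` itself is needed.
REQUIRED = (
    ("get", "pods", None),
    ("list", "pods", None),
    ("create", "pods", "exec"),
)


def build_can_i_cmd(verb, resource, subresource=None,
                    kubeconfig=None, context=None, namespace=None):
    """Assemble a `kubectl auth can-i` command mirroring the scanner's options."""
    cmd = ["kubectl"]
    if kubeconfig:
        cmd += ["--kubeconfig", kubeconfig]
    if context:
        cmd += ["--context", context]
    cmd += ["auth", "can-i", verb, resource]
    if subresource:
        cmd += ["--subresource", subresource]
    # Without --namespace the scanner walks every namespace, so ask cluster-wide.
    cmd += ["--namespace", namespace] if namespace else ["--all-namespaces"]
    return cmd


def run_kubectl(cmd, timeout=20):
    """Default runner: returns (exit code, stdout). kubectl prints `yes` or `no`."""
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return proc.returncode, proc.stdout


def missing_permissions(runner=run_kubectl, **kube):
    """Return the checks that did not answer `yes` (empty list means go ahead).

    Anything other than a first line of `yes` (a `no`, an auth error, a
    missing kubeconfig) is treated as a gap, so a broken setup fails closed.
    """
    missing = []
    for verb, resource, sub in REQUIRED:
        _code, out = runner(build_can_i_cmd(verb, resource, sub, **kube))
        if out.strip().splitlines()[:1] != ["yes"]:
            name = f"{resource}/{sub}" if sub else resource
            missing.append(f"{verb} {name}")
    return missing


if __name__ == "__main__":
    import sys
    gaps = missing_permissions()
    if gaps:
        sys.exit("missing RBAC: " + ", ".join(gaps))
    print("ok: identity can read pods and exec into them")
```

A typical gap is a read-only `view`-style role: it answers `yes` for `get` and `list` on pods but `no` for `create pods/exec`, and the scanner would then report every NGINX pod as an error rather than a result.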