mirror of
https://github.com/DepthFirstDisclosures/Nginx-Rift.git
synced 2026-05-26 10:20:50 +00:00
80 lines
2.5 KiB
Markdown
# Kubernetes NGINX Rift Audit

Read-only Kubernetes scanner for NGINX Rift, CVE-2026-42945. It looks for NGINX
containers in running pods, reads their effective NGINX configuration, and
reports `rewrite` directives whose replacement contains a literal `?`.

The scanner uses the Python standard library plus the local `kubectl` binary. It
does not create, update, or delete Kubernetes resources.

## Quick Start

Run against the current kubeconfig context:

```bash
curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
  | python3 -
```

Run with an explicit kubeconfig:

```bash
curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
  | python3 - --kubeconfig /path/to/kubeconfig
```

Run with an explicit context and JSON output:

```bash
curl -fsSL https://raw.githubusercontent.com/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
  | python3 - --context my-context --json
```

## What It Checks

For each running container, the script tries to find `nginx` or `openresty`.
For containers with NGINX, it collects:

- `nginx -v` version output
- effective config via `nginx -T`
- live `/etc/nginx/nginx.conf` fallback for `ingress-nginx` controllers when `nginx -T` fails

It then parses `rewrite` directives and flags replacements containing a literal
`?`, for example:

```nginx
rewrite ^/api/(.*)$ /internal?migrated=true;
```

This is the key NGINX Rift configuration primitive described in the public PoC.
The script also reports affected NGINX Open Source versions, but version alone
does not prove exploitability; the dangerous rewrite pattern must be present in
the active configuration.

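The check described above, as an added example (not the project's scanner code): a tokenizer over `nginx -T` output that skips comments, honours quoting, and reports each `rewrite` whose replacement contains `?`. The names `find_rewrite_triggers` and `SAMPLE` and the sample configuration are constructed for illustration.

```python
import re

# nginx config tokens: comments, quoted strings, ; { }, and bare words ("#" allowed mid-word).
TOKEN = re.compile(r'''
    (?P<comment>\#[^\n]*)
  | "(?P<dq>(?:\\.|[^"\\])*)"
  | '(?P<sq>(?:\\.|[^'\\])*)'
  | (?P<end>[;{}])
  | (?P<word>(?:\\.|\$\{\w+\}|[^\s;{}"'\#])(?:\\.|\$\{\w+\}|[^\s;{}])*)
''', re.X | re.S)
# `nginx -T` prefixes each dumped file with "# configuration file <path>:".
FILE_HEADER = re.compile(r'#\s*configuration file (.+):\s*$')

def find_rewrite_triggers(nginx_t_output):
    """Return (file, line_in_file, replacement) per rewrite whose replacement has '?'."""
    findings, directive, current_file, file_start = [], [], None, 0
    for m in TOKEN.finditer(nginx_t_output):
        line = nginx_t_output.count('\n', 0, m.start()) + 1
        if m.group('comment'):
            header = FILE_HEADER.match(m.group('comment'))
            if header:
                current_file, file_start = header.group(1), line
        elif m.group('end'):
            # A directive is: rewrite <regex> <replacement> [flag]; report where it starts.
            if len(directive) >= 3 and directive[0][1] == 'rewrite' and '?' in directive[2][1]:
                findings.append((current_file, directive[0][0], directive[2][1]))
            directive = []
        else:
            text = next(g for g in m.group('dq', 'sq', 'word') if g is not None)
            directive.append((line - file_start, text))
    return findings

# Constructed sample of `nginx -T` output, not taken from a real cluster.
SAMPLE = r'''# configuration file /etc/nginx/nginx.conf:
http { include /etc/nginx/conf.d/*.conf; }
# configuration file /etc/nginx/conf.d/app.conf:
server {
    # rewrite ^/old$ /commented?out=1;
    rewrite ^/api/(.*)$ /internal?migrated=true;
    rewrite ^/docs/(.*)$ /help/$1 permanent;
    location /app {
        rewrite "^/app/(\d{2})/(.*)$" "/v2/$2?build=$1" last;
    }
}
'''
if __name__ == '__main__':
    for path, line, replacement in find_rewrite_triggers(SAMPLE):
        print(f'{path}:{line}: rewrite replacement contains "?": {replacement}')
```

The commented-out directive and the `rewrite` without `?` are not reported, which is why a plain text search for `rewrite` and `?` over the dump would over-report.
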
## Exit Codes

- `0`: no rewrite replacement containing literal `?` was found
- `1`: at least one potential NGINX Rift rewrite trigger was found
- `2`: scan failed or completed with partial errors

## Options

```text
--kubeconfig PATH     kubeconfig path
--context NAME        kubeconfig context
--namespace NAME      scan one namespace instead of all namespaces
--timeout SECONDS     per-kubectl-call timeout, default 20
--workers N           parallel kubectl exec workers, default 8
--json                emit JSON report
--verbose             include per-container details
--no-ingress-conf     disable /etc/nginx/nginx.conf fallback for ingress-nginx when nginx -T fails
```

## Required Permissions

The current Kubernetes identity needs permission to:

- list pods
- exec into pods

No write permissions are required.