Injection in path parameter of Ingress-nginx
Vulnerability Summary
HackerOne disclosed report: https://hackerone.com/reports/2701701 (by fisjkars)
The objective of an Ingress Controller is to act as a gatekeeper for all incoming traffic to a Kubernetes cluster. It is responsible for routing and managing traffic coming into the cluster from external sources, allowing for efficient and secure communication between the cluster and the outside world.
An attacker in a multi-tenant cluster with permission to create or modify ingresses can inject content into the connection-proxy-header annotation and read arbitrary files from the ingress controller (including the service account).
The path parameter allows users to specify which HTTP path of the given host should be redirected to the ingress's defined backend. Because the path parameter is permissive, it is possible to inject arbitrary nginx directives when creating a new ingress.
Because the corresponding inspector for ingresses enforces a few restrictions introduced as one of the mitigations for CVE-2021-25748, it is not possible to execute code trivially through the by_lua functions. To circumvent this protection, we can proceed with a two-stage exploit:
- We first create an ingress abusing the nginx directive client_body_in_file_only in order to upload the body of an HTTP POST request to the ingress's filesystem.
- We send an HTTP POST request to this ingress, with an nginx configuration using the set_by_lua_block directive
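The root cause described above is that the Ingress path field is accepted without structural validation, so a defender's first check is to reject any path that can carry an nginx directive before the object reaches the controller (in CI, in a validating admission policy, or as an audit over existing Ingress objects). The following Python check is an added example and is not code from the report or from the ingress-nginx project; the allowlist for Exact/Prefix paths, the denylist of nginx structural characters for ImplementationSpecific paths, and the two sample manifests are all assumptions constructed for this example and are deliberately stricter than what the controller itself accepts.

```python
import re

# Characters a legitimate HTTP path never needs but an injected nginx
# configuration fragment cannot do without: whitespace and newlines
# (token separators), ';' (directive terminator), '{' / '}' (block
# delimiters) and '#' (comment). Control characters are rejected too.
# This denylist is an assumption of this example, not the controller's rule.
_NGINX_STRUCTURAL = re.compile(r"[\s;{}#\x00-\x1f\x7f]")

# Assumed allowlist for Exact/Prefix paths: plain URL path characters only.
_PLAIN_PATH = re.compile(r"^/[A-Za-z0-9._~%/-]*$")


def is_safe_path(path: str, path_type: str = "ImplementationSpecific") -> bool:
    """Return True when an Ingress path cannot smuggle an nginx directive.

    Exact/Prefix paths must match a strict URL-path allowlist. For
    ImplementationSpecific paths, where ingress-nginx permits regex syntax,
    regex metacharacters are tolerated but the structural characters nginx
    needs to close a location block or start a directive are still rejected.
    """
    if not path.startswith("/"):
        return False
    if path_type in ("Exact", "Prefix"):
        return _PLAIN_PATH.fullmatch(path) is not None
    return _NGINX_STRUCTURAL.search(path) is None


def find_unsafe_paths(ingress: dict) -> list:
    """Walk a parsed Ingress object and return (host, path) pairs that fail the check."""
    unsafe = []
    for rule in ingress.get("spec", {}).get("rules", []):
        host = rule.get("host", "*")
        for entry in rule.get("http", {}).get("paths", []):
            path = entry.get("path", "/")
            path_type = entry.get("pathType", "ImplementationSpecific")
            if not is_safe_path(path, path_type):
                unsafe.append((host, path))
    return unsafe


def _ingress(path: str, path_type: str) -> dict:
    """Build a minimal constructed Ingress manifest (sample data, not from the report)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {"name": "web", "namespace": "tenant-a"},
        "spec": {"rules": [{
            "host": "app.example.test",
            "http": {"paths": [{
                "path": path,
                "pathType": path_type,
                "backend": {"service": {"name": "api", "port": {"number": 80}}},
            }]},
        }]},
    }


# Constructed samples: a normal prefix path, and a path that embeds a newline,
# a placeholder directive name and a ';' terminator, which no real URL path needs.
BENIGN_INGRESS = _ingress("/api/v1", "Prefix")
SUSPICIOUS_PATH = "/app\n  placeholder_directive on;"
SUSPICIOUS_INGRESS = _ingress(SUSPICIOUS_PATH, "Prefix")


if __name__ == "__main__":
    for name, obj in (("benign", BENIGN_INGRESS), ("suspicious", SUSPICIOUS_INGRESS)):
        findings = find_unsafe_paths(obj)
        print(f"{name}: {'OK' if not findings else 'REJECT ' + repr(findings)}")
```

Running the block prints OK for the benign manifest and REJECT with the offending host and path for the suspicious one. In practice the same function can be applied to every Ingress in a cluster (for example over the output of a `kubectl get ingress -A -o json` dump) to audit tenant-created objects, and the allowlist should be tightened or loosened to match the path patterns the tenants genuinely use.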