Nginx ngx_http_close_connection function integer overflow - can anyone confirm this?

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- From Bugtraq:

http://www.securityfocus.com/archive/1/526439/30/0/threaded

Website: http://safe3.com.cn

I. BACKGROUND
- ---------------------

Nginx is an HTTP and reverse proxy server, as well as a mail proxy
server, written by Igor Sysoev. For a long time, it has been running
on many heavily loaded Russian sites including Yandex, Mail.Ru,
VKontakte, and Rambler. According to Netcraft nginx served or proxied
12.96% busiest sites in April 2013. Here are some of the success
stories: Netflix, Wordpress.com, FastMail.FM.

II. DESCRIPTION
- ---------------------

Qihoo 360 Web Security Research Team discovered a critical
vulnerability in nginx.

The vulnerability is caused by a int overflow error within the Nginx
ngx_http_close_connection function when r->count is less then 0 or
more then 255, which could be exploited
by remote attackers to compromise a vulnerable system via malicious
http requests.

III. AFFECTED PRODUCTS
- ---------------------------

Nginx all latest version

IV. Exploits/PoCs
- ---------------------------------------

In-depth technical analysis of the vulnerability and a fully
functional remote code execution exploit are available through the
safe3q (at) gmail (dot) com [email concealed]
In src\http\ngx_http_request_body.c ngx_http_discard_request_body
function,we can make r->count++.

V. VUPEN Threat Protection Program
- -----------------------------------

VI. SOLUTION
- ----------------

Validate the r->count input.

VII. CREDIT
- --------------

This vulnerability was discovered by Safe3 of Qihoo 360.

VIII. ABOUT Qihoo 360
- ---------------------------

Qihoo 360 is the leading provider of defensive and offensive web cloud
security of China.

IX. REFERENCES
- ----------------------
http://nginx.org/en/

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRehJQAAoJEBYNRVNeJnmTC8oP/1ueYNmvM+qx+60uYkB3+zzc
zlV3w7ejZ09rXtV3Tl4x/znxSSai82E08I32Xgpx30E2fYpVjNhj9prJwWU8pZtp
+pIGos9ZdEulmexn9A1snFgzjbF1foECpBPuSu8b1VZE7WjEBS3E0LWQg/UwC4cp
AkvG8MGBJclg0HD+GzJVG9vVpOLeyDUyaqWV+6+nBNneqUo5dZRaLDm3iPEt2pDX
9wLMA0Ov0xKnhpzzcoca91IkES05p179feqoBH1CrF9sTCM0grj85JVyd3oyFFUB
Espl6+OR2Tci1ckay5B0u00oRuYmaIOKCp4Njt0jBe0Kr8dFyTnCRZKTFQvumuTs
GykmOesRxlTP6KEAypBxigVPuvp0rnnGKr3OJUnrCcGy4aGmRSICs8dYZ1+vsfWW
aVze6ccjCOe0n6VUIlELNfOw2vn4A/P5BxkZUqxfkmb+8uorkK2ewwlwpWhdEPss
OOyS7YDVmY0Z8/cdcEFzSB7pRY0SBYV7dDA22Vrl6RANAiDN83ZHY0p5hB00iqOt
AtxHmPCHc9zzyWiyQdaRUcB6Z7AKdsWPxO9dbVaaA6dmB78ujd5+7hOLN0IWwAFs
sZf6qMhNUUgAiAoqtEoO90bftbvFHshAvVf5yVC8JLoi8VWRiSHfli82TlwEjoFD
O5Mk8mGHU5janXRMOfVi
=I7C/
-----END PGP SIGNATURE-----